A look inside a hospital hacking incident – from the patient and family member perspective

by Suzie Dodds, CIC

I wrote a previous piece on an episode of New Amsterdam where the fictitious hospital gets hit with a ransomware attack. Little did I know that I would experience such a hack first-hand!

The first time was at an urgent care while on vacation in May, where they could not collect co-pays.

Today in June, I am sitting in my mother’s hospital room for the fifth consecutive day. All hospital room laptops sit untouched. They are keeping three-ring binder bedside charts, and everything is handwritten. No bar codes to scan medications or patient wristbands. No pop-up system warnings about patient allergies, extremity restrictions, or fall risk. Vitals and glucose readings are all recorded manually. The patient room white board is important again.

Doctors are struggling to remember patient history details, medications, and care plans while standing in the patient’s room because they can’t have it at their fingertips on the room laptop. Doctors, nurses, patients, and family members all look up drug interactions and ingredients on their smart phones. Nurses have to call individual departments to see if patients are on today’s list for dialysis and other procedures. Hospitality is manually recording all meal orders and calculating special diet points for every item ordered. The only functioning electronic equipment in the room is the patient monitor for heart rate, blood oxygen level, pulse rate, and temperature, which the nurses can still monitor remotely.

The Starbucks in the lobby is a stark image of streamlined electronic efficiency. Everything else is painfully slow. My mother’s care is still very good, thankfully, but that is due to the commitment of the staff to provide good care regardless of the situation.

At New Amsterdam, the hospital ultimately pays the ransom and successfully restores their systems after much chaos and drama. No such luck here. While the ransom demand amount has not been publicly disclosed, rumors abound that it was $2bn. This hospital elected not to pay it, so they are waiting as cyber experts work to decrypt their data and restore their systems – the estimated time is 4-6 weeks. Staff have been instructed not to discuss it with patients, but the hack has been all over the news. I have no information about whether this hospital has cyber liability insurance in place or not, to help them with investigation and restoration, or whether they are self-funding the expertise needed to get them back online and prevent future attacks.

So for the time being, we will be here, waiting…and looking up drug interactions on our smartphones.