As practicing emergency physicians, we plan for the worst, knowing that modern health care, even with all of its fancy technology, is fragile. Our specialty prides itself on being the master of disaster medicine and can, with very few resources, provide world-class care during hurricanes, tornadoes, infectious disease outbreaks, and multiple casualty tragedies. With recent global cyber attacks, namely WannaCry and Petya, spreading to infect hospitals across the globe and rendering them paralyzed, it is clear emergency medicine is facing a powerful new threat.1,2 This article is a firsthand account of such a cyber attack and offers some guidance on developing your own low-tech cyber-disaster plan so you can be prepared when hackers come for your hospital.
On April 9, 2017, Erie County Medical Center (ECMC), the only regional Level 1 trauma hospital in western New York, was attacked by hackers.3 The hackers didn’t gain access to the system through malicious emails or a compromised flash drive. Instead, they used an automatic program known as SamSam to try millions of password combinations for the hospital’s web server. Once they had the administrator password, they encrypted vast amounts of hospital data, rendering it unreadable.
The overnight information technology staff quickly recognized the attack and made the decision to shut down the entire computer network to stem the spread of infection. By 5:30 a.m., all computer screens went dark in the emergency department and the entire hospital. It was quickly clear that this unscheduled complete system downtime could have disastrous effects on patient care.
More than 6,000 computers were affected by this devastating ransomware.4 Cybersecurity experts from a multitude of companies including Microsoft, Cisco, Symantec, and Meditech worked around-the-clock to mitigate the impact of this sophisticated attack. It was difficult to understand the magnitude of the attack and the length of time it would take for our entire electronic medical record (EMR) system to be operational again.
Our hospital and department had a plan in place for internal disasters and EMR downtime; we never went on diversion. Our “low-tech” procedures ensured continuity of operations while maintaining high patient care standards. Each emergency department must develop a downtime plan that works for them and requires no computer access.
1. Communication: Keep Your Staff Informed
Hospital internet and email systems were shut down after the attack. We used alternate forms of communication, such as personal emails, that were available prior to the attack. Daily emails were sent to providers during the early stages of the prolonged downtime to inform them of changes in operations. We sought feedback to continuously improve our processes. The hospital also used a HIPAA secure messaging platform that enabled communication between administration and providers. Communication with hospital leadership was key to our success throughout this event. Our CEO and CMOs made rounds through the emergency department several times a day to ensure we were being provided with all the resources we needed.
2. Patient Records: Participate in Health Information Exchanges
ECMC providers lost access to all patient records when the system was shut down. We are fortunate, however, to have an electronic clinical information exchange in western New York, called HEALTHeLINk, to access our patients’ historical data. All ECMC records, including charts, ECGs, laboratory studies, and radiology studies prior to April 9, had been uploaded into this database. We borrowed laptops and wireless cards to access this site during the first few hours of the attack, which made a challenging circumstance more manageable.
3. Provider Order Entry: Focus on Tasks to Increase Provider Productivity
We brought out binders full of paper copies of our order sets and made these available to providers. We also made specific order packets for our traumas that included lab, blood blank, X-ray, and CT requisition forms. All consent and other forms are also maintained in a paper format and were readily available once the system was shut down.
4. Imaging: Save Your Old Light Boxes
During traditional EMR downtime, we are still able to access our imaging picture archiving and communication system on the computer workstations. Since we did not have access to computers, we initially viewed all X-ray films directly on the machines. After several days, we realized that we would run out of storage space to archive the images. We had to start printing our X-rays so the radiology department could later retrieve the films. Both ED providers and radiologists could provide preliminary interpretations on paper. At least one radiologist was present 24 hours a day by the CT scanner to provide reads directly from the imaging equipment.
5. Schedule: Increase Your Staffing Levels During Peak Volumes
A significant IT disruption can have negative effects on provider efficiency. As a large academic group, we had the capability of increasing our staffing at ECMC during peak hours with the assistance of our colleagues at other hospitals. The hospital provided additional nursing staff, techs, and clerical staff. Administrative staff from other departments with computer-dependent jobs were deployed by the hospital to help run lab results. Patient advocates helped keep patients informed of delays.
6. Electronic Prescribing: Stockpile Your Old Prescription Pads and Stampers
Since March 2016, practitioners in New York state (NYS) have been mandated to prescribe both controlled and noncontrolled substances electronically. With a lack of computers and internet, we were no longer able to send prescriptions electronically during the attack. Senior providers brought in their unused paper prescription pads from home, but many others no longer had prescription pads or name stampers. The hospital only had a limited supply of official NYS prescriptions. The NYS Department of Health sent a courier with prescription pads on the second day of our downtime. Our ED pharmacists proved invaluable by contacting pharmacies and notifying them of the issues in the emergency department.
7. Resident Education: Use Downtime as an Educational Experience
Our residents did an excellent job during this stressful time and quickly adapted to the downtime procedures. Many of our residents had never used paper order forms or written on paper charts. Our attendings spent additional time teaching our residents the importance of appropriate documentation, without prompts and macros, and writing paper orders and prescriptions.
8. Morale: Keep Your Staff Engaged
This was a challenging time for all staff involved. We ensured that our staff was supported in their jobs during our six-week digital downtime.
Dr. Pugh is clinical assistant professor of emergency medicine at the Jacobs School of Medicine and associate chief of service in the department of emergency medicine at Erie County Medical Center, both in Buffalo, New York.
Dr. Dameff is a clinical informatics fellow at the The University of California, San Diego.
- Brandom R. UK hospitals hit with massive ransomware attack. The Verge website. Accessed Sept. 22, 2017.
- Perlroth N, Scott M, Frenkel S. Cyberattack hits Ukraine then spreads internationally. The New York Times website. Accessed Sept. 22, 2017.
- Sweeney E. 6 weeks after going back to pen and paper, Buffalo hospital CEO sees ransomware attack as a call to arms. FierceHealthcare website. Accessed Sept. 22, 2017.
- Davis HL. How ECMC got hacked by cyber extortionists—and how it’s recovering. The Buffalo News website. Accessed Sept. 22, 2017.