The medical center is recovering, but the effects represent an industrywide fear.
A ransomware attack walloped a Missouri hospital this week, forcing it to shut down its electronic health records (EHRs) system and divert certain patients elsewhere. The cyberattack against Cass Regional Medical Center highlighted one of the greatest fears of medical security experts: that digital assaults can affect physical care.
It’s unclear whether any patient data were exposed, according to the Harrisonville, Missouri-based healthcare organization.
Employees detected the intrusion around 11 a.m. Monday and launched the incident response plan within half an hour, corralling leadership, tech staff, and patient care managers, according to a statement. Stakeholders found that the attack hit internal communication systems and Cass Regional Medical Center’s EHR system.
The county-owned hospital’s EHR vendor, Meditech, decided to take the infrastructure offline. It remained down yesterday, and officials didn’t expect to revive it until later this week.
“Our primary focus continues to be on our patients and meeting our mission to provide healthcare services to our community,” CEO Chris Lang said in a statement. “We are deploying every resource available to us to resolve this situation quickly, so we can resume normal operations.”
On Monday afternoon, Cass Regional Medical Center began sending ambulances carrying patients with trauma and strokes elsewhere, “to ensure optimal care,” according to the statement. That measure remained in place yesterday. But the hospital continued to offer inpatient, outpatient, emergency, and primary care.
It’s unclear whether the ambulance diversion protocol is still in action. A message left for a media representative by Healthcare Analytics News™ wasn’t immediately returned, and we will update this story.
Cass Regional is making strides in its recovery. The organization brought on an “international cyber forensics firm,” whose staffers are decrypting systems and files locked by the ransomware attack. As of yesterday, they completed an estimated 50 percent of the job.
Cybersecurity experts are also investigating the scope of the attack and its effects—or lack thereof—on patients’ protected health information.
Cass Regional Medical Center’s public response to the attack was something of an outlier in the tight-lipped healthcare industry. Most often, victimized organizations release only those details required under reporting laws—and sometimes the incident only comes to light months later, when patients receive written notification of a data breach. But Cass Regional’s leadership opted to describe its planned response.
“I am extremely proud of our staff for the manner in which they have rallied to make sure we can still take the very best care of our patients,” Lang said yesterday. “It has not been easy, but their dedication and can-do attitude is inspiring.”
Still, the medical center faced two major problems at the hands of hackers: an EHR shutdown and an ambulance diversion. In a feature story detailing the threat of cyberwarfare, Healthcare Analytics News™ last month described how that sort of scenario is likely to affect patient care for the worse.
Locked EHR systems test providers—especially younger ones, many of whom were trained only on digital systems, not paper. And in a study of urban marathons, researchers found that mortality rates suffered from longer response times, a possible challenge of ransomware-caused ambulance diversions. But whether these issues had any effect at Cass Regional Medical Center is unknown.
In fact, virtually no study has examined how cyberattacks affect care delivery and patient outcomes, but various experts have said they hope to undertake such a project.
Get the best insights in healthcare analytics directly to your inbox.