Lessons from the MedStar Health ransomware attack


The ransomware attack that paralyzed MedStar Health computer systems in March taught some painful lessons, according to Craig DeAtley, the organization's director of emergency management.

In a recent interview, DeAtley explains to The Exchange--the newsletter from the Assistant Secretary for Preparedness and Response (ASPR) and the Healthcare Emergency Preparedness Information Gateway (TRACIE)--that the Columbia, Maryland-based health system was caught off guard by the speed in which most of its systems were compromised and locked down.

“We were practiced at individual workarounds, but we had never really rehearsed losing everything, much less all at once,” he says.


9 Tips for Implementing the Best Mobile App Strategy

The member mobile app is a powerful tool for payers and members. It can help improve health outcomes, reduce operational costs, and drive self-service — anytime, anywhere. In this new eBook, learn tips and tricks to implementing the best mobile app strategy now.

MedStar, which includes 10 hospitals and more than 250 outpatient centers, had a corporate emergency plan, and one for each site that had recently been updated. This incident, however, demonstrated the need for a broader, more comprehensive cybersecurity plan, DeAtley says.

While IT/information systems personnel weren’t in charge, they certainly had to be at the table and to be able to communicate highly technical problems to people at all levels.

The health system lost access to more than 370 computer programs and had to prioritize the order in which to bring them back up. Now, MedStar better understands how all its programs are interconnected, DeAtley says.

Patience was a big requirement at all levels. However, he says, while most systems are back up, some files might never be retrieved.

Newer employees didn’t know how to operate without computer systems. Nurses, pharmacists and other staff members stepped up to help their co-workers. The organization, however, is re-evaluating training for this scenario.

The incident reiterates the need to plan for a total system outage, DeAtley says, as well as the need to fully rehearse it. It calls for disciplined and multi-level leadership, careful documentation and clear communication.

“You need to exceed your comfort level to prepare for a problem this vast,” he says.

To learn more:
- read the interview

Suggested Articles

Ambulatory EHR provider NextGen Healthcare saw its quarterly revenue grew 4% to $140 million and earnings topped Wall Street projections.

The American Medical Group Association wants HHS to walk back a new requirement they say could lead to providers not getting COVID-19 relief funds.

Millennials and Generation Zers are particularly feeling the impacts of COVID-19 on their health coverage, according to a new survey.