Lessons from the MedStar Health ransomware attack


The ransomware attack that paralyzed MedStar Health computer systems in March taught some painful lessons, according to Craig DeAtley, the organization's director of emergency management.

In a recent interview, DeAtley explains to The Exchange--the newsletter from the Assistant Secretary for Preparedness and Response (ASPR) and the Healthcare Emergency Preparedness Information Gateway (TRACIE)--that the Columbia, Maryland-based health system was caught off guard by the speed in which most of its systems were compromised and locked down.

“We were practiced at individual workarounds, but we had never really rehearsed losing everything, much less all at once,” he says.


13th Partnering with ACOS & IDNS Summit

This two-day summit taking place on June 10–11, 2019, offers a unique opportunity to have invaluable face-to-face time with key executives from various ACOs and IDNs from the entire nation – totaling over 3.5 million patients served in 2018. Exclusively at this summit, attendees are provided with inside information and data from case studies on how to structure an ACO/IDN pitch, allowing them to gain the tools to position their organization as a “strategic partner” to ACOs and IDNs, rather than a merely a “vendor.”

MedStar, which includes 10 hospitals and more than 250 outpatient centers, had a corporate emergency plan, and one for each site that had recently been updated. This incident, however, demonstrated the need for a broader, more comprehensive cybersecurity plan, DeAtley says.

While IT/information systems personnel weren’t in charge, they certainly had to be at the table and to be able to communicate highly technical problems to people at all levels.

The health system lost access to more than 370 computer programs and had to prioritize the order in which to bring them back up. Now, MedStar better understands how all its programs are interconnected, DeAtley says.

Patience was a big requirement at all levels. However, he says, while most systems are back up, some files might never be retrieved.

Newer employees didn’t know how to operate without computer systems. Nurses, pharmacists and other staff members stepped up to help their co-workers. The organization, however, is re-evaluating training for this scenario.

The incident reiterates the need to plan for a total system outage, DeAtley says, as well as the need to fully rehearse it. It calls for disciplined and multi-level leadership, careful documentation and clear communication.

“You need to exceed your comfort level to prepare for a problem this vast,” he says.

To learn more:
- read the interview

Suggested Articles

The FTC is suing health IT company Surescripts, accusing the company of employing illegal vertical and horizontal restraints in order to maintain its…

Boston-based Athenahealth is laying off a portion of its workforce to “decrease bureaucracy and consolidate capabilities" as part of a reorganization.

The Trump administration wants to allow state Medicaid programs test new models of integrated care to treat dual eligible beneficiaries.