Lessons from the MedStar Health ransomware attack

cybersecurity

The ransomware attack that paralyzed MedStar Health computer systems in March taught some painful lessons, according to Craig DeAtley, the organization's director of emergency management.

In a recent interview, DeAtley explains to The Exchange--the newsletter from the Assistant Secretary for Preparedness and Response (ASPR) and the Healthcare Emergency Preparedness Information Gateway (TRACIE)--that the Columbia, Maryland-based health system was caught off guard by the speed in which most of its systems were compromised and locked down.

“We were practiced at individual workarounds, but we had never really rehearsed losing everything, much less all at once,” he says.

Innovation Awards

Submit your nominations for the FierceHealthcare Innovation Awards

The FierceHealthcare Innovation Awards showcases outstanding innovation that is driving improvements and transforming the industry. Our expert panel of judges will determine which companies demonstrate innovative solutions that have the greatest potential to save money, engage patients, or revolutionize the industry. Deadline for submissions is this Friday, October 18th.

MedStar, which includes 10 hospitals and more than 250 outpatient centers, had a corporate emergency plan, and one for each site that had recently been updated. This incident, however, demonstrated the need for a broader, more comprehensive cybersecurity plan, DeAtley says.

While IT/information systems personnel weren’t in charge, they certainly had to be at the table and to be able to communicate highly technical problems to people at all levels.

The health system lost access to more than 370 computer programs and had to prioritize the order in which to bring them back up. Now, MedStar better understands how all its programs are interconnected, DeAtley says.

Patience was a big requirement at all levels. However, he says, while most systems are back up, some files might never be retrieved.

Newer employees didn’t know how to operate without computer systems. Nurses, pharmacists and other staff members stepped up to help their co-workers. The organization, however, is re-evaluating training for this scenario.

The incident reiterates the need to plan for a total system outage, DeAtley says, as well as the need to fully rehearse it. It calls for disciplined and multi-level leadership, careful documentation and clear communication.

“You need to exceed your comfort level to prepare for a problem this vast,” he says.

To learn more:
- read the interview

Suggested Articles

Centene announced another five states have approved its pending $17B merger with WellCare, bringing total number of approvals to 24.

Tech giant Google has tapped former Obama administration healthcare official Karen DeSalvo as its first chief health officer.

Group Health Cooperative in Seattle is accused of bilking Medicare out of millions of dollars in a federal whistleblower case.