Ransomware and EHR Systems: A Dangerous Mix
Attack on Greater Baltimore Medical Center Spotlights the Fallout
A Baltimore medical center that suffered a ransomware attack a month ago and pulled its electronic health records system offline as a precaution during the recovery is finally beginning to restore access to the system, the organization's CEO says.
The situation in Baltimore is the latest example of how a ransomware incident can cripple a healthcare organization's ability to access and use EHR systems following an attack, regardless of whether those systems were actually infected by the malware.
In a video posted on Wednesday, John Chessare, M.D., president and CEO of GBMC Healthcare, updated patients about the organization's COVID-19 activities as well as the status of recovery from a cyberattack detected on Dec. 6.
The ransomware incident at GBMC, which operates the 342-bed Greater Baltimore Medical Center and several other facilities, caused the organization's "tightly connected systems," including phone systems and a patient portal, to go down, preventing patients from calling to make appointments and accessing their MyChart records, Chessare said.
"We have now brought those systems up and you can now look at your own records via the patient portal ... or call us on the phone," he said in the video.
"We are working as hard as we can to answer the phone as fast as possible, but I ask you to be patient with us and give us a couple weeks to get back to our normal steady state."
In a statement posted on its website, GBMC noted that it "has begun restoring its electronic medical record system after being taken offline as a precaution," adding that its telephone and email systems are again functional.
"While GBMC regrets the incident caused some procedures to be rescheduled, this step was the prudent thing to do," the statement says. "We are confident we are on the right path and our work to provide the COVID-19 vaccine is on course."
The GBMC statement says there's no evidence that any patient information has been misused. "We are working with outside experts and law enforcement. Our investigation is in its early stages."
A GBMC spokesman tells Information Security Media Group that the organization's IT team is continuing to collaborate with outside experts to restore systems.
"We cannot provide an exact timetable for when our systems will be restored, but it will not be in a day or two," the spokesman says. "We have successfully restored our main phone number. We are addressing the most critical systems for patient care first."
GBMC is one of several healthcare organizations to suffer a ransomware incident that affected use of its electronic health record systems.
For example, University of Vermont Health Network revealed this week that it was delaying phases of a new enterprisewide EHR rollout by several months as it continues to deal with the aftermath of an October ransomware attack.
Ransomware attacks on cloud-based EHR vendors have resulted in users being temporarily unable to access their patients' records (see: Doctors Regain EHR Access After Ransomware Targets Vendor).
"EHRs are one of the most important crown jewels of any provider," says former healthcare CISO Mark Johnson, who leads the healthcare practice of security consulting firm LBMC Information Security. "The medical information is stored there and clinicians need that information to properly treat the patients. Any step to preserve and protect them should be considered in an emergency like a ransomware attack."
Jon Moore, chief risk officer at privacy and security consulting firm Clearwater, offers a similar assessment.
"The EHR is the information system equivalent of the heart of a healthcare provider," he says. "All-important patient information flows through these key information systems. A breach here can not only expose the most confidential of patient health information but also potentially shut down an organization for good."
Swift Action Needed
Healthcare entities detecting a ransomware attack or other cyber incident must take swift action - such as immediately isolating the affected system and removing it from the network - to ensure that the malware does not also cripple the organization's EHR.
"Early detection is critical, and once you have found it, the next critical step is to quarantine the infected device or network segment," says former healthcare CIO David Finn, executive vice president of security consultancy CynergisTek. "You must literally isolate it on your network so it cannot spread and it can be remediated in place."
When a ransomware attack affects an EHR system or other critical system, an organization needs to immediately execute its business continuity plan to maintain operations while the system is unavailable, Moore says.
"This typically means going to paper records and manual processes," he says. "While this is going on, the organization will need to be careful to identify and remove all infected systems from the network."
Finn notes that the impact of a ransomware incident on healthcare organizations can be long lasting.
For instance, operational recovery from a ransomware attack can take months, Finn says. That includes cleaning malware from EHR systems before they are brought back online, as well as updating patients' electronic records with information collected on paper during the EHR outage.
"From a financial perspective, we have seen cases where it takes years to get back to the starting point," he adds. "The reality is that when a hospital suffers a ransomware attack, the biggest impact is on patient care - which is the business of healthcare."
Hospital leaders outside of IT and security often wrongly think of cyberattacks as only an IT and security issue, he contends.
"Trying to figure out your next steps in the middle of an attack when the organization is already locked is not just a worst-case scenario - it is your worst nightmare," he says. "An organization should have those plans documented. They should have backup and recovery in place and incident response runbooks for the organization that cover security, IT and the entire enterprise - finance, clinical operations and patient care."