We in the cybersecurity and HIPAA compliance communities talk a lot about breaches and fines and total costs of breach remediation – yadda, yadda, yadda. All non-trivial realities to be sure, but when the WannaCry ransomware attack paralyzed hospitals and physician practices and pharmacies and surgery centers around the globe, I was thinking about the members of the care team. Elective surgeries can be postponed and lots of routine wellness services, such as eye exams and hearing tests and school physicals, can be completed safely without access to the EHR. But what about babies in NICU where medicines are administered in micrograms and tenths of milliliters? Cardiac cath labs where patients in the middle of a heart attack are receiving lifesaving care? Surgeries that were already in progress when the system froze?
As a former ICU, ER, and cardiac nurse, I put myself in the shoes of the care team members and wonder what I would have done in the face of an information blackout. Would my memory have been up to the task? Would the wrinkled cheat sheet in my pocket have gotten me through? Would management have kept a stash of old paper forms handy for just such an event? When backups were restored, would I have been able to trust them, to put my license on the line by administering cardiac meds to a fragile patient according to the information in a system that had failed me hours or days before? Hats off to every member of the care team for carrying on, for having the courage to do what you do.
The WannaCry attack – and many other less publicized attacks before it – caused millions, or even billions of dollars of damage. The full toll is still being tallied. But in all the calculations of lost business, IT staff overtime, OCR fines, lawyer fees, and years of credit monitoring, let’s not forget the real cost of risk to human lives and the real price paid by both patients and care staff who carried on.
If you aren’t sure whether your organization is doing everything it can to protect itself from a cyber breach, ransomware attack, or other PHI loss that could disrupt care delivery, please contact us for a Security Risk Analysis to identify the gaps in your current practice and receive a prioritized list of fixes.
info@thirdrock.com | 512.310.0020