After a cyberattack earlier this year largely locked out electronically-stored patient health records, nurses in the neonatal intensive care unit at Baltimore’s Ascension Saint Agnes hospital quickly created a shared spreadsheet to track medications for their fragile infants.
During each shift for the next four weeks, the nurses would confirm the list, print it and fax it to the pharmacy. The paper and fax confirmation would then go in a binder.
“Never in my life have I used a fax machine,” said Nichol Horvat, one of the NICU nurses.
Horvat said they’d been trained for hourslong system outages, not weeks. And now she and others — part of a newly formed union that was already engaged in contract negotiations — say the rising threat of cyberattacks in health care illustrates how the focus has been on protecting overarching electronic systems and not on the ground-level workers and patients.
The May attack on Ascension, a nonprofit Catholic system operating 140 hospitals including Saint Agnes, put into stark focus the need for training and sufficient staffing to handle any circumstance, she said.
“We were working 12 or 13 hours at a time on high alert,” Horvat said. “It was exhausting and scary.”
Ascension and Saint Agnes say they have made significant progress restoring electronic systems, and patient safety is their priority. Officials declined to comment further about the nurses’ experiences. Horvat said there were some especially tense moments.
One night they needed a blood culture, used to check for bacteria or other microorganisms in the a baby’s body. She said it was lost in the lab for almost four hours.
A doctor and nurse went to the lab to investigate and found the culture had been set aside and nearly discarded because a paperwork snafu under the evolving attack protocols. A baby had already been given antibiotics, so Horvat said another blood sample wouldn’t have reliably shown anything amiss.
Many units diverted nurses to handle extra paperwork, smoothing operations but adding to the burden of bedside nurses. And Horvat said disrupted orientations meant many new nurses who were often unfamiliar with usual routines and protocols.
This isn’t unique to Saint. Agnes. There hasn’t been a cohesive federal response to prevent or mitigate the effects of attacks in health systems, which cybercriminals target for their patient financial and health information, said Michael Greenberger, director of the University of Maryland Francis King Carey School of Law’s Center for Health and Homeland Security.
The financial industry has a very big cyberattack problem also, but they have more resources to respond, Greenberger said.
“When their data is stolen you don’t have the same consequences as when you’re losing health data or when systems are so disabled they can’t provide health care,” he said. “It’s tricky because people’s lives are at stake.”
But unless people were in the hospital during an attack or have a family member affected, most people don’t realize the scope of the problem, Greenberger said. Federal officials haven’t done much beyond hold hearings.
But, as the attacks accelerate, he said, “I predict that will change in the next six months to a year or two years.”
The latest FBI Internet Crime Report shows there were 249 ransomware attacks on health care and public health systems in 2023, the most out of 16 sectors considered critical infrastructure. The U.S. Department of Health and Human Services reported in March that ransomware attacks, when sensitive data is held hostage until the attacker is paid, have increased 264% in the past five years.
The Greater Baltimore Medical Center and Johns Hopkins Health System are among others attacked in Maryland in recent years. The Maryland Department of Health faced an attack in late 2021, affecting everything from COVID data tracking to Medicaid provider funding.
Chase Cook, an agency spokesman, said the department has since bolstered its defenses and is coordinating with state technology and emergency management agencies to address the cyberattacks more broadly. There also are federal and state requirements for health systems to protect patient data.
Some attacks are aimed at nationwide technology firms used broadly by health systems to track patient data or submit patient claims and fill prescriptions. The February attack on Change Healthcare, owned by the insurance giant UnitedHealth Group, caused widespread disruptions.
After that attack, John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, testified before the U.S. House Energy and Commerce Subcommittee on Health that federal officials should focus on the whole health care sector and not just hospitals.
“Any cyberattack on the health care sector that disrupts or delays patient care creates a risk to patient safety and crosses the line from an economic crime to a threat-to-life crime,” he said.
Kim Yamas, a psychotherapist who owns Stone Soup Counseling in Baltimore, said the Change Healthcare attack affected her 15-employee firm’s claims processing for weeks, which she called “incredibly stressful.”
Yamas said a staffer was dedicated to billing individual insurers directly, and no one was paid for two weeks and only partially paid for weeks more. She and a co-owner took pay cuts and lined up credit.
She likened it to a grocery store suddenly closing and forcing everyone to individual markets that weren’t prepared for the business.
“Our patients had no idea because we kept seeing them even though we weren’t being paid,” Yamas said. “But small and solo practices were really helpless and probably didn’t know how to proceed. We were all trying to help each other, and tell people to have a Plan B for next time.”
Yamas never lost access to her patients’ electronic medical records, which were stored outside the office. That wasn’t the case at Ascension.
The primary technology used for electronic patient information has since been restored, and the hospital and all doctors’ offices are open, said Justin Blome, a St. Agnes spokesman.
“This will allow most hospital departments, physician offices and clinics to use electronic documentation, charting and ordering systems,” he said in an emailed statement. “Our team continues to work tirelessly to restore other ancillary technology systems.”
When the attack was discovered, officials moved swiftly. The state’s emergency management agency put the emergency room on “mini disaster” status and diverted ambulances elsewhere.
But other patients had been admitted, and nurses had already been spread thinner than in past years. One in four nurse positions in Maryland hospitals is currently vacant.
That’s not due to a nurse shortage, said Robin Bucker, a nurse on the vascular access team that helps insert and maintain catheters for medicine and fluids. It’s because fewer nurses are willing to work in hospitals, a trend accelerated by the coronavirus pandemic.
That makes them less prepared during an emergency.
“Paperwork can end up in the wrong chart, patients could get wrong medications. All the paper has to get to the right department many, many times a day for this to work,” she said.
“We just want to do the thing we got into nursing to do, care for patients.”
This story may be updated.
