Tuesday, March 29, 2016

Bad health IT at Medstar Health: FBI probing virus behind outage (And: ka-ching! ka-ching! EHR costs continue their upward spiral)

Once again, a definition of bad health IT:

Bad Health IT ("BHIT") is defined as IT that is ill-suited to purpose, hard to use, unreliable, loses data or provides incorrect data, is difficult and/or prohibitively expensive to customize to the needs of different medical specialists and subspecialists, causes cognitive overload, slows rather than facilitates users, lacks appropriate alerts, creates the need for hypervigilance (i.e., towards avoiding IT-related mishaps) that increases stress, is lacking in security, compromises patient privacy or evidentiary fitness, or otherwise demonstrates suboptimal design and/or implementation. (http://cci.drexel.edu/faculty/ssilverstein/cases/)

I observed bad health IT leading to HIT compromise, hospital chaos and paying of a ransom demand at my Feb. 18, 2016 post "Hollywood Presbyterian Medical Center: Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised" at http://hcrenewal.blogspot.com/2016/02/hollywood-presbyterian-medical-center.html.

It's happened again, at least with regard to publicly-disclosed stories (there is no requirement for hospital disclosure, more on that below).

FBI probing virus behind outage at MedStar Health facilities - AP

WASHINGTON (AP) — Hackers crippled computer systems Monday at a major hospital chain, MedStar Health Inc., forcing records systems offline for thousands of patients and doctors. The FBI said it was investigating whether the unknown hackers demanded a ransom to restore systems.

A computer virus paralyzed some operations at Washington-area hospitals and doctors’ offices, leaving patients unable to book appointments and staff locked out of their email accounts. Some employees were required to turn off all computers since Monday morning.

A law enforcement official said the FBI was assessing whether the virus was so-called ransomware, in which hackers extort money in exchange for returning a victim’s systems to normal. The official spoke on condition of anonymity because the person was not authorized to discuss publicly details about the ongoing criminal investigation.

Not discussed is corporate accountability for deficient IT security.

“We can’t do anything at all. There’s only one system we use, and now it’s just paper,” said one MedStar employee who, like others, spoke on condition of anonymity because this person was not authorized to speak to reporters.

I note that if the cybernetic pundits were listened to, patients would now be considered at deadly risk due to paper records being used - not due to critical IT infrastructure being hacked and disabled.  Yet it's impossible to disable paper charts en masse.

MedStar said in a statement that the virus prevented some employees from logging into systems. It said all of its clinics remain open and functioning and there was no immediate evidence that patient information had been stolen.

These must be honest thieves.

Of course, we hear the "patient care has not been compromised" line once more (http://hcrenewal.blogspot.com/search/label/Patient%20care%20has%20not%20been%20compromised).

Company spokeswoman Ann Nickels said she couldn’t say whether it was a ransomware attack. She said patient care was not affected and the hospitals were using a paper backup system.

The absurdity of this claim is that if patient care is not affected by returning to paper, then why did the hospital invest hundreds of millions on EHRs?

(Considering a increasing evidence base of clinician distraction and disaffection e.g., the Jan. 2015 Medical Societies letter to ONC as at http://hcrenewal.blogspot.com/2015/01/meaningful-use-not-so-meaningul.html, EHR-related errors, many of which would likely not occur under a well-staffed paper system e.g., as at http://hcrenewal.blogspot.com/2014/04/fda-on-health-it-risk-reckless-or.html, and plentiful security breaches e.g., the many posts at http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy, I would also ask if patient care is in fact improved by the return to paper [1].)

When asked whether hackers demanded payment, Nickels said: “I don’t have an answer to that,” and referred to the company’s statement.

Dr. Richard Alcorta, medical director for Maryland’s emergency medical services network, said he suspects it was a ransomware attack. He said his suspicion was based on multiple earlier ransomware attempts on individual hospitals in the state. Alcorta said he was unaware of any ransoms paid by Maryland hospitals or health care systems.

The rather calmly-stated "multiple earlier ransomware attempts on individual hospitals in the state" suggests that

  • Hospitals are being targeted in an organized fashion, and
  • Costs to implement proper security will draw even more capital and resources from direct patient care and from real brick and mortar facilities, such as entire new hospital wings that would cost less than an EHR, to cybernetics of increasingly dubious value.  (Past projected cost benefits are certainly being proven even more naive.)

Terrorism or just plain old crime, the medical driector asks...

“People view this, I think, as a form of terrorism and are attempting to extort money by attempting to infect them with this type of virus,” he said.

God help us if true terrorists get in the act of cybernetically paralyzing hospitals.

Alcorta said his agency first learned of MedStar’s problems about 10:30 a.m., when the company’s Good Samaritan Hospital in Baltimore called in a request to divert emergency medical services traffic from that facility. He said that was followed by a similar request from Union Memorial, another MedStar hospital in Baltimore. The diversions were lifted as the hospitals’ backup systems started operating, he said.

It used to be that patient diversions were due to doctors and nurses having too many sick patients they are caring for.  Here it seems due to doctors having to many sick computers to deliver proper patient care.

MedStar operates 10 hospitals in Maryland and Washington, including the MedStar Georgetown University Hospital, along with other facilities. It employs 30,000 staff and has 6,000 affiliated physicians.

That's a lot of paralysis.

Monday’s hacking at MedStar came one month after a Los Angeles hospital paid hackers $17,000 to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.

Hollywood Presbyterian Medical Center, which is owned by CHA Medical Center of South Korea, paid 40 bitcoins — or about $420 per coin of the digital currency — to restore normal operations and disclosed the attack publicly. That hack was first noticed Feb. 5 and operations didn’t fully recover until 10 days later.

Hospitals are considered critical infrastructure, but unless patient data is impacted there is no requirement to disclose such hackings even if operations are disrupted.

I won't even comment on why a US hospital is owned by a Korean medical center.  The statement "unless patient data is impacted there is no requirement to disclose such hackings even if operations are disrupted" implies yet another blind spot in the unregulated health IT industry.  Add that to the blindness towards close-calls and actual harms, and you have a field being pushed on the population under penalty by those somewhat deaf, dumb and blind to the downsides.

Computer security of the hospital industry is generally regarded as poor, and the federal Health and Human Services Department regularly publishes a list of health care providers that have been hacked with patient information stolen. The agency said Monday it was aware of the MedStar incident.

All I can hear is "ka-ching! ka-ching!" as the costs to fix the poor computer security in the hospital industry accrues. 

How much will patient care suffer as a result of the diversion of yet more resources to cybernetics?

As I've written before, stories like this support a serious rethinking of the entire healthcare IT hyper-enthusiast movement to whom the considerable downsides (even patient death) are just an unfortunate "bump in the road" (http://hcrenewal.blogspot.com/2012/03/doctors-and-ehrs-reframing-modernists-v.html), or perhaps more accurately, the healthcare IT hyper-enthusiast religion.

-- SS

[1] I've written that paper for many clinical settings, including highly specialized forms as I implemented highly successfully in invasive cardiology (http://cci.drexel.edu/faculty/ssilverstein/cases/?loc=cases&sloc=Cardiology%20story), needs reconsideration, relieving clinicians of clerical work and employing data entry clerks to enter the data.  This would be supplemented by far less expensive document imaging systems for 24/7 availability, and computerized lab results retrieval - the latter with appropriate humans on the receiving end to prevent the "silent silo" syndrome of lab results returned to a computer silo but missed by clinicians due to being very busy and due to unreliable/fatiguing cybernetic alerting.  A lot of workers can be paid for by saving $50 or $100 million on software.

3/30/2016 Addendum:

This is not the first time for EHR outages at MedStar.

As in my May 16, 2015 post "Another day, another EHR outage: MEDSTAR EHR goes dark for days" at http://hcrenewal.blogspot.com/2015/05/another-day-another-ehr-outage-medstar.html, I cited Politico. 

The doctor's observation I highlighted below is of interest.


MEDSTAR EHR GOES DARK FOR DAYS: MedStar’s outpatient clinics in the D.C. and Baltimore area lost access to their EHRs Monday and Tuesday when the GE Centricity EHR system crashed. The system went offline for scheduled maintenance on Friday and had come back on Monday when it suffered a “severe” malfunction, according to an email from Medstar management that was shared with Morning eHealth.

“All of a sudden the screens lit up with a giant text warning telling us to log off immediately,” a doctor said. “They kept saying it would be back up in an hour, but when I left work Tuesday night it was still down.”

This doctor told us that the outage was “disruptive and liberating at the same time. I wrote prescriptions on a pad for two days instead of clicking 13 times to send an e-script. And I got to talk to my patients much more than I usually do.

But of course we didn’t have access to any notes or medication history, and that was problematic.” MedStar notified clinicians in the email that any information entered in the EHR after Friday was lost.

-- SS

No comments: