Use & Optimization News

Virus-related EHR Outage Forces NY Hospital Back to Paper

A New York hospital battling a computer virus must temporarily use paper records as a result of an EHR outage.

EHR System Failure

Source: Thinkstock

By Kate Monica

- Erie County Medical Center (ECMC) and its long-term care facility at Terrace View have been battling a virus responsible for EHR outage since Sunday afternoon.

UPDATE: Some computers have been restored and ECMC is working to bring the entire network back online. 

"ECMC's computer system today went down,” the hospital wrote in a public statement, “The hospital's IT team immediately commenced a thorough assessment and analysis of the situation. Our priority is maintaining patient safety and quality services. All hospital operations are continuing as normal and have not been interrupted.”

The hospital has enlisted the help of FBI personnel and the state police cybersecurity team to investigate the incident. In addition, in-house ECMC IT staff has teamed up with GreyCastle Security, a third-party consultant, to combat the virus and resolve all technical issues as quickly as possible.

According to ECMC, the hospital has secure back-up storage in place for all patient records, financial information, and human resource records to ensure no data will be permanently lost.

However, while computer systems are down, all patient admissions, prescription writing, and similar day-to-day tasks must be completed by hand.

"The hospital has a well-planned and prescribed back-up process in the event of a situation like this," ECMC spokesman Peter Cutler said in a public statement. "What it has done is — everything's more labor-intensive because everything has to be done manually."

Cutler added that since ECMC has only recently completed its EHR implementation and begun clinical EHR use, many staff members are comfortable with the temporary switch back to paper patient medical records.

To mitigate hassles while IT personnel remedy the problem, ECMC has issued laptops to allow staff members to communicate and complete specific daily tasks electronically.

However, providers and staff members are presently unable to access the hospital’s database and EHR system as only desktop computers are linked to the network.

"The assessment and investigation is ongoing," Cutler said. "We are hopeful it will be just a matter of days before restoration. It's a complicated process."

Dan Meyer, spokesman for Erie County Executive Mark C. Poloncarz, stated the virus only affects hospital operations and no other county computer systems were impacted by the incident.

As of Tuesday, April 11, ECMC officials stated care delivery to patients and nursing home residents was not impacted despite the entire computer system being shut down. Additionally, no appointments have been postponed as a result of the attack.

Hospital officials have not clarified whether the incident is a ransomware attack.

This attack falls in line with an increasingly apparent trend of cyberattacks in the healthcare industry.

WEDI, a nonprofit organization devoted to using health IT for data exchange alongside HHS, issued recommendations last month regarding ways the healthcare community can avoid health data security issues and cyberattacks such as these.

“The healthcare industry at large must coalesce as a united front to more collectively address how to implement a universal culture of cyberdefense and train a more resilient workforce to mitigate threats,” WEDI authors wrote in a white paper.

Preventative measures against cybersecurity attacks are needed now more than ever, as 87 percent surveyed of healthcare organizations reported suffering an attack in 2016 according to a Bitglass report. Incidents of health data security breaches have only increased over the past few years with opportunistic hackers taking advantage of the increasingly digitized healthcare industry.

While the conversion to an entirely electronic health record system is beneficial in many ways to patient care delivery, it will also leave patient data vulnerable to more attacks unless organizations significantly improve safeguards against system hackers.

 “As the use of health IT becomes more widespread, cybersecurity must be more directly integrated into the fabric of healthcare and ultimately become an organizational asset that is perceived as commonplace and mission-critical as hygiene and patient safety procedures have become to quality care,” authors wrote.