What you need to know about the forces reshaping our industry.


May 25, 2017

At 2 a.m. on a Sunday, a hospital was hacked. Here's how it kept key departments operating.

Daily Briefing

    After ransomware struck Erie County Medical Center (ECMC) last month, the system had to go low-tech for weeks—but thanks to a well-practiced response plan, ECMC ensured patient data were not compromised, managed to keep key departments in operation, and avoided paying the hackers' ransom demands, Henry Davis reports for the Buffalo News.

    Learn what's happening in the world of health IT

    The cyberattack was not related to the ransomware attacks that infected computers in more than 100 countries last week, including certain health care companies and medical device makers in the United States. According to the FBI, on average, there have been more than 4,000 ransomware attacks around the world daily since Jan. 1, 2016—a 300 percent increase over 2015.

    What happened to ECMC—and how it could happen to you

    At 2 a.m. on April 9, computer screens at ECMC flashed with a message that read: "What happened to your files?" The hackers then demanded a ransom in bitcoins—equivalent to $44,000—to unlock them, Davis reports.

    Usually, ransomware spreads by tricking a person into clicking a link in a message disguised as being from a known source, but officials believe the ECMC incident had a different origin.

    Hospital officials believe the hackers used an automatic program that was unrecognizable to antivirus software to exploit a remotely accessible hospital web server. After breaching the system, the hackers encrypted the hospital's files in a way that made it harder to recover data. The hackers likely issued the official ransom notice about a week after they initially accessed the hospital system, officials said.

    Reg Harnish—CEO of GreyCastle Security, a cybersecurity consulting firm that helped ECMC respond to the attack—described the attack as "in our top 10 percent in terms of sophistication."

    Officials have not yet determined the identity of the hackers. An investigation into the incident traced the ransomware to computer connections in several countries, including Brazil and the Netherlands, but it's not clear whether the attacks originated there, Davis reports.

    The immediate response

    ECMC shut down its computer systems within an hour and a half of receiving the ransom demand messages. By 5:30 a.m., ECMC was in touch with GreyCastle.

    One of ECMC's first decisions, made with the advice of GreyCastle and law enforcement, was not to pay the ransom, Davis reports.

    Thomas Quatroche, president and CEO of the hospital, said the decision about whether to pay ransom is a "very individual thing." He added, "If you have no backup, you have no choice."

    But in ECMC's case, they did have a backup, and they also had access to a regional health information exchange that allowed clinicians to see patient records that existed up until the date of the attack.

    Going low-tech to maintain care

    As a Level 1 trauma center that draws about 80 percent of its admissions from the ED, ECMC focused on keeping the ED open—and it never had to divert patients, Davis reports.

    To keep operations running, ECMC immediately returned to using paper charts and in-person messaging. Clinicians used light boxes rather than computer screens to view X-rays, and clerical staff hand delivered reports and samples to and from the lab. Veteran physicians dug up unused paper prescription pads, and the system ordered stamps for other doctors to use on plain prescription pads.

    On April 10, the day after the attack, the system began to obtain and distribute laptops, beginning with the ED and critical care department. The system also established wireless hot spots in its facilities so staff could access the internet.

    On April 19, the system began cleaning out and re-distributing the more than 6,000 computers that had been affected by the attack. Again, ECMC prioritized the ED and critical care departments. The re-distributed computers operated in view-only mode.

    Ransomware incident response: Managing in minutes

    On May 5, physicians could once again upload progress notes into the system's EHR, and nurses in the ED were again able to use electronic documentation. Between May 8 and 10, staff were able to begin placing computer orders, enabling doctors to communicate with radiology, the lab, and other departments. By May 12, ECMC's electronic prescribing was back online.

    Last week, the system said most of its systems would be running normally within a few more days. However, ECMC officials said there is more work to do to bring the system's outpatient clinics fully back online.

    Global ransomware attacks struck some US health care companies too, feds say

    A well-prepared system

    ECMC has a protocol for responding to computer problems and conducts regular practice drills—preparation that was crucial after the attack, according to Jennifer Pugh, associate chief of service for emergency medicine.

    "One of the key things that got us through this is we have a plan in place and we practiced," she said.

    Harnish also praised ECMC's response to the situation. "They quickly identified the issue and escalated. That was important," Harnish said. "They had done disaster preparedness. There was muscle memory, and people worked well as a team to deal with this instead of finger-pointing."

    Quatroche added, "Our people were tested, and it blew me away. They have been resourceful, and have rallied around each other and the patients." In fact, he said the system also found a "silver lining" in the attack: "We learned that having administrators do rounding through the hospital is something we need to do more of in the future."

    However, despite ECMC's preparation, Quatroche said one of his takeaways from the experience is that health care providers like ECMC need to change how they think about cybersecurity. "What's happening is a form of terrorism like an attack on critical infrastructure," he said. "It's a call to action to view cybersecurity the way we do law enforcement, to raise the profile of the issue."

    According to Quatroche, ECMC plans to tighten internet access from the facility (Pugh, Buffalo News, 5/20).

    What's happening in the world of health IT

    Few health care transformation strategies are possible without technology and IT systems. Health Care IT Advisor is here to help you achieve organizational goals and address your critical IT-related issues.

    Join us on June 8 for a quick 30-minute webconference on best practices for IT challenges.

    Register for the Webconference

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.