Call Us: (800) 500-1332
Risk Management Tip

Cyberattacks Threaten Patient Safety

By Robin Diamond, MSN, JD, RN, Senior Vice President of Patient Safety and Risk Management, The Doctors Company  

The recent WannaCry ransomware attack that crippled the United Kingdom’s National Health Service (NHS) showed how more than money and IT security are at risk—patient safety is also compromised by a cyberattack.

After WannaCry, I asked myself: Would physicians and hospital staff know how to respond to protect patient safety if all computer access suddenly vanished? So I reached out to experts to share their concerns as well as their plans to protect patients.

Some physicians have considered the potential danger and prepared a response, which is often a return to paper records when EHR systems go down. But that might not always be easy, or even possible.

This is why Marcus Tower, MD, director of gynecology at Hillcrest Hospital (part of the Cleveland Clinic Health System), always keeps a paper backup of patient records that can be accessed quickly in the event of a computer failure. While he said losing access to computer records would be devastating to patient safety, access to paper backups would enable him to continue seeing patients even if his system was offline. Without a computer system, Dr. Tower would keep notes with time stamps.

Anesthesiologist Randolph Steadman, MD, MS, at the University of California, Los Angeles, said in case of computer failure, ordering labs, imaging, and other diagnostic tests would be done by paper form and transmitted within the hospital by fax and/or conveyed by phone with paper forms to follow. But that would only be a workaround. Patient care overall would be affected, with registration slowed, he noted. Many clinicians and staff would be challenged to adapt to non-digital processes.

The ER could be hit hard by a cyberattack, but the physicians and staff there might be best prepared to respond, says Roneet Lev, MD, FACEP, chief of emergency medicine at Scripps Mercy Hospital in San Diego, California, and president of the Independent Emergency Physicians Consortium.

“Emergency departments have all experienced downtime with computer systems,” Dr. Lev said. “At our facility, we call this ‘Code White.’ When we hear ‘Code White’ on the speaker system, we know to get out the white board and the markers, and that things will be slower. It’s annoying and no one likes it, but we’d manage by keeping track of patients the old-fashioned way.”

Even so, a “Code White” still leaves clinicians without a way to refer to any medical records that are stored electronically.

Workarounds can only accomplish so much, Dr. Lev noted. A cyberattack could affect all computer-related hospital activities.

What these experts all seem to agree on is that in the face of an attack, the best way to protect patients is to return to practices that worked before computers.

As Ralph Gambardella, MD, orthopedic surgeon and president of the Kerlan-Jobe Orthopaedic Clinic (affiliated with Cedars-Sinai) in Los Angeles, so aptly stated: “Rather than relying on computers, I still believe that talking to—and communicating directly with—my patients is the best way to impact patient safety.”

Could Hackers Threaten the Future of Medical Devices?