, Healthcare , Industry Specific
Medical Staff Says Resorting to Manual, Paper Charting Is Posing Risks to Patients Marianne Kolbasuk McGee (HealthInfoSec) • May 28, 2024
A local union representing medical professionals at an Ascension hospital in Michigan is demanding the organization take actions to protect patient safety in the wake of a May 8 cyberattack that took out electronic health records and other IT systems, forcing clinicians to use time-intensive manual processes and paper charts.
See Also: Value Drivers for an ASM Program
As of Tuesday, the petition by Office and Professional Employees International Union Local 40 in Macomb Township, Michigan, had been signed by 116 nurses, radiological technologists and other medical professionals who work at Ascension Providence Rochester Hospital - a 290-bed, full-service hospital with a level III trauma center and 24/7 emergency department in Rochester, Michigan.
"We, the members of Local 40 at Ascension Providence Rochester Hospital, are deeply concerned about the current challenges faced by our healthcare professionals due to the cyber hack incident and subsequent lack of access to patients' electronic medical records," the petition says.
"In light of these circ*mstances, we demand that immediate safety precautions be implemented to ensure the well-being of both our members and the patients under our care."
With EHRs and other clinical systems still offline at many Ascension facilities across multiple states, nurses and other medical staff have had to rely on paper charts and other manual processes that they contend pose an array of potential safety risks from critical information about individual patients and their medical conditions and care needs being inaccessible, missed, lost or not communicated.
Measures the union is petitioning Ascension to implement at its Providence Rochester Hospital include:
- "Unit shift huddles" to ensure effective communication, coordination and information sharing among healthcare professionals regarding patient care, safety protocols and any emerging issues;
- Training sessions for staff on how to navigate the array of challenges in providing care without access to electronic medical records;
- Weekly progress reports from Ascension leadership to update staff members on the status of efforts to resolve the cyber incident, restore access to electronic medical records, and address safety concerns or staffing issues;
- Setting a maximum of four patients per nurse until the IT outage is fully resolved;
- Temporarily reducing elective surgeries and nonemergency admissions to alleviate the strain on resources.
"These safety precautions are essential to safeguarding the well-being of both our members and the patients we serve during this challenging time," the petition says. "It is imperative that the hospital administration takes immediate action to address these concerns and prioritize the safety and quality of care for all individuals involved."
Local 40 leaders did not immediately respond to Information Security Media Group's requests for comment about the petition and for additional details about the union's concerns regarding the Ascension hack and IT outage.
An Ascension spokesperson in a statement to ISMG said the organization "continues to work around the clock with industry-leading cybersecurity experts to safely restore operations" across its network.
"We are hopeful that our patients and clinicians will soon see progress this week across our points of care. Many of our vendors and partners have also started the process of reconnecting to our network and resuming services with Ascension, which should help to accelerate our overall recovery," the spokesperson said.
"Despite the challenges posed by the recent ransomware attack, patient safety continues to be our utmost priority. We are grateful to our dedicated clinicians and care teams who are providing care under challenging circ*mstances. The compassion and resilience they have displayed throughout this event is truly remarkable and is emblematic of Ascension's mission to improve the health of the individuals and communities we serve."
Ascension - a Missouri-based, nonprofit, Catholic healthcare system with 140 hospitals and 40 senior care facilities in 19 states - continues to post on its website periodic updates to the public about the status of recovery from its May 8 cyberattack, including on a regional basis (see: Impact of Ascension's Cyberattack Outage Varies by Region).
As of Tuesday, systems that are still unavailable include some electronic health records systems, patient portals, phone systems and various systems used to order certain tests, procedures and medications, depending upon region.
Ascension's latest update on May 24 for the Michigan region - home to Ascension Providence Rochester Hospital - said that all hospitals, physician offices and care sites across the state remain open and operational.
"Our dedicated doctors, nurses and care teams are demonstrating incredible thoughtfulness and resilience as we utilize manual and paper based systems during the ongoing disruption to normal systems," the update said.
Sources familiar with the Ascension investigation said Russian-speaking ransomware-as-a-service group Black Basta was behind the attack. Ascension has not responded to a request for comment on Black Basta.
Critical Considerations
Josh Corman, founder of the grassroots patient safety advocacy I am The Cavalry and former healthcare sector chief strategist at CISA, told ISMG the union's petition is "stunning" and that the concepts behind their demands are critical for the entire healthcare sector to consider.
For instance, he said, technology such as EHRs and remote patient monitoring have been "force multipliers" in giving clinicians the ability to safely provide care for more individual patients during a shift. But when those types of technologies are suddenly unavailable during a cyberattack, that becomes a "force divider," meaning that clinicians can only safely handle fewer patients.
"One size doesn't fit all in terms of ratios, but this is certainly an important consideration and concept for standards of care - and how staff-to-patient ratios should be adjusted in a cyber incident," he said.
Corman also said the union's demand for training of clinical staff in dealing with the cyber outage is a critically important consideration for all healthcare sector entities - especially before an event. "We need to make these kinds of regular cyber drills for clinical staff - in advance of a cyberattack - mandatory," he said.
Russell Teague, CISO at security firm Fortified Health Security, said entities need to focus more in advance on the patient safety and operational issues that arise when a cyberattack knocks IT systems offline for any length of time.
"Regardless of the cause for the disruption, we all must be prepared to deliver safe patient care during the times when IT systems are down," he said.
"When those systems are no longer available, you must ensure your staff is trained regularly on downtime procedures and they are comfortable operating in those conditions for more than an hour or two. They need to be ready to support downtime procedures for days, weeks and possibly months."
