On November 11, 2021, a southern Ohio medical center became the victim of a cyberattack, which forced the medical center into emergency electronic health record (EHR) downtime procedures. As the EHR outages continued, the medical center was forced to divert ambulances and cancel patient appointments.
An official from the medical center explained that an unauthorized third-party had gained access to their computer servers. The attack may have been a targeted cyberattack. The medical center official also stated during the attack, “Patient care and safety remain our top priority as we work to resolve this situation as quickly as possible.”
Patients with canceled appointments were being contacted directly by medical center staff. The cyberattack led to appointments being canceled the following day, including outpatient medical imaging, cancer care services, cardiovascular testing, cardiac catheterization, outpatient surgery, and outpatient rehab, as well as appointments at its medical care foundation office.
Issue:
Historically, an increased number of episodes of cyberattacks occur during holidays or holiday weekends, when the bad actors take advantage of perhaps a more relaxed mode of cybersecurity in nursing facilities. Nursing facility leaders and the Privacy Officer must collaborate with the IT department to ensure that sensitive data housed within the computer system is adequately protected. All staff that have access to the computer network should be trained on best practices in preventing data breaches, and what they must do to assist in the prevention of these breaches. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.
Discussion Points:
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices in preventing data breaches.
- Train all appropriate staff on best practices to prevent data breaches. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing data breaches.
