Under Attack

Karen Hunter, System Director II, Nursing Informatics at CommonSpirit Health

December 20, 2022 — My colleague and friend Karen Hunter, an informatics nurse and director at CommonSpirit Health, America’s second-largest non-profit healthcare chain, spoke with me about how her work was hugely impacted by a recent cyber attack. (Becker describes it here and here.) Their computers were immobilized. 620,000 patient records were stolen. For Karen on the front lines it was a nightmare.

Even on a normal day, the job of the informatics nurse is challenging. Typical activities include implementing and troubleshooting data systems, and supporting the clinicians who use them. They round and do check-ins, fine-tuning clinical workflows. New employees are onboarded and trained. EHR governance policies are considered and applied. Workflow changes especially during Covid are designed and deployed. Regulatory changes drive documentation changes which must be supported by data systems. When service lines are added (e.g. Karen’s organization recently added a new line of neurology offerings) these, too, must be supported. New systems builds are tested and rolled out. The job is complex and demanding.

But this was no normal day. When IT realized their systems — ten EHRs, payroll, and others — had been attacked, they took them off line to protect them and assess the damage. Meanwhile, of course, patients continued to need care. Informatics nurses functioned as runners, creating on paper the documentation needed in the various areas of clinical practice. A big one, CPOE (computerized provider order entry) — the essential step that initiates most clinical procedures — was disabled. It, too, was reproduced on paper.

The recovery process was supported by all the vendors. The FBI was summoned. Manual methods were substituted according to outage protocols that had been proactively designed to keep the hospitals running when the computers go down. Recovery was accomplished as quickly as possible. But those protocols were designed for outages of hours. It took four weeks.

During that time, charting and billing limped along on paper. When the systems came back to life, under the existing protocols, the data backlog would be entered and caught up. But after four weeks, that no longer made sense. It would have had unpredictable effects. Data must be entered in a specific sequence. For example, the revenue cycle was disrupted. Every bill starts with an order (CPOE). Later, results — for example, from lab tests — are entered. What if a lab test result was entered before the order was entered? It would be kicked out as an error. No bill would be issued.

Not only billing was disrupted; so were workflows. The labels on the test tubes had to be handwritten; barcode stickers weren’t printed when the systems were down. Sometimes RNs couldn’t read them. Neither could the machines. Quality assurance processes — usually automated — were disabled. Background processes such as confirming correct handling of chronic conditions like diabetes were also disrupted. So was patient identification. Ordinarily, tracking of patients as they move through the system (e.g. from ED to ICU) is done in sequence. This was no longer possible as each department entered its own data from the weeks of paper records and thus the systems received it out of order, defying the logic built into the software.

And it got worse. Average length of stay (LOS) is four days. How many patients cycled through during the four weeks the systems were down? Many! Was all the data collected and entered so that processing could proceed? Unlikely.

Near to my heart as a med/surg nurse is medication administration. The normal procedure relies on barcodes — we scan the med and the patient’s wristband. If there’s an error (remember the “five rights”? right patient, med, dose, time, and route), we’re warned. We nurses haven’t done it without the computer confirmation in more than a decade. We’ve forgotten how. It’s frightening. The potential for errors is suddenly like it was in the bad old days. To protect their licenses (remember Radonda?) some nurses stayed home, magnifying the difficulty.

Heroic effort by many eventually brought the systems back to life. It was painful but much was learned. Future attacks are inevitable but they will be better withstood.

Go cyber-savvy informatics nurses!


No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.