In more than a dozen states, doctors and nurses have resorted to paper, handwritten treatment orders to track patients' illnesses and monitor them, unable to access the detailed medical histories that have long been available only through computerized records.
Patients have waited long periods in emergency rooms and their treatments have been delayed as lab results and readings from machines like MRIs are ferried through makeshift efforts lacking the speed of electronic uploads.
For more than two weeks, thousands of medical staff have switched to manual methods after a cyber attack on Ascension, one of the nation's largest health systems with about 140 hospitals in 19 states and the District of Columbia.
The large-scale attack on May 8 was eerily reminiscent of the hack of Change Healthcare, a unit of the UnitedHealth group that operates the nation's largest healthcare payment system. The assault blocked Change's digital billing and payment pathways, leaving hospitals, doctors and pharmacists without the ability to communicate with health insurers for weeks. Patients were unable to fill prescriptions and providers could not be paid for care.
While some previous cyberattacks have targeted a single hospital or smaller medical networks, the collapse of Change, which manages a third of all U.S. medical records, underlined the dangers of consolidation when one entity becomes so essential to the system national healthcare.
Ascension systems remain down indefinitely, but doctors and nurses are working to find ways to gain access to some information about patients' medical history by examining medical records kept by other providers. Ascension is also telling doctors and nurses that they will soon be able to see existing digital records.
“It's a huge inconvenience for everyone involved,” said Kristine Kittelson, a nurse at Ascension Seton Medical Center in Austin, Texas, who is a member of the National Nurses United union.
The Ascension attack had as widespread an impact as the Change attack, with some hospitals in Indiana, Michigan and elsewhere diverting ambulances. Ascension hospitals handle approximately three million emergency room visits per year and perform nearly 600,000 surgeries.
Like Change, Ascension was also the target of a ransomware attack, and the hospital group says it is cooperating with federal law enforcement. According to reports, the attack is the work of a group known as Black Basta, which may be linked to Russian-speaking cybercriminals.
There are fears that hackers could leak private medical information, and patients have already begun filing federal lawsuits against Ascension saying it didn't do enough to safeguard their data.
Large healthcare organizations have increasingly become a prime target for cybercriminals, intent on creating as much chaos as possible on a vital part of US infrastructure. “This is something that will happen again and again,” said Steve Cagle, chief executive of Clearwater, a healthcare compliance firm.
With an extensive network of hospitals and clinics, large organizations have not yet identified where they are vulnerable and how to minimize the disruption of a major attack. The industry “never planned for something like this,” Cagle said.
As Ascension continues to treat patients, the danger of losing pieces of a patient's story is palpable. In interviews, doctors and nurses outlined threats to patient care: people may not remember what medications they are taking; Previous visits may be omitted as well as the results of previous procedures or tests.
In Austin, Ms. Kittelson said she had to search through dozens of pieces of paper to find out what medications a doctor might order or to find anything about the patient's status. “I'm worried about the charts,” she said, noting that she had painstakingly recorded a patient's condition and treatment by hand.
And many of the routine protections have not been available. Nurses couldn't scan a patient's medication and wristband to ensure the right patient received the right medication, increasing the chances of a medication error. And they have become much less certain that doctors have received important updates on a patient's status.
“Our big problem is that the cyberattack has crippled the nurses,” said Lisa Watson, a union nurse at Ascension Hospital in Wichita, Kan. She has noticed that the workload has increased significantly.
“This is much more than the old paper charts,” Ms. Watson said. Nurses had to write prescriptions and other treatments on separate forms intended for different departments. Instead of receiving immediate alerts on a computer, a nurse may not see a new lab result for hours.
On Tuesday, Ascension said it is “making progress in both restoring operations and reconnecting our partners to the network,” and some nurses say they may soon have limited access to older data. But Ascension offered no timeline for restoring full digital access, saying in an emailed statement just Tuesday evening that “it will take time to return to normal operations.”
Few providers were willing to publicly discuss the extent of the damage caused by ransomware attacks, in many states and medical departments. The devastation has yet to be fully assessed and Ascension is intent on keeping as many operations open as possible.
Union nurses say the cyberattack has worsened staffing shortages. The issue has dogged working relations with Ascension, although the company has denied it. Wichita nurses recently clashed with hospital management over whether there were too few nurses in the intensive care unit.
“Despite the challenges posed by the recent ransomware attack, patient safety continues to be our top priority,” Ascension said in an emailed statement. “Our dedicated doctors, nurses and care teams are demonstrating incredible focus and resilience as we utilize manual and paper-based systems during the continued disruption to normal systems.”
“Our support teams are well-versed in dynamic situations and are adequately trained to maintain high-quality care during downtime,” he added. “Our leadership, physicians, care teams and collaborators are working to ensure patient care continues with little to no disruption.”
Ascension said it will tell patients if they may need to reschedule an appointment or procedure. The organization has not yet determined whether sensitive patient data was compromised and is referring the public to its website for updates.
The risks of cyberattacks to patient care have been well documented. Studies have shown that hospital mortality increases after an attack and the effects can be felt even in nearby hospitals, lowering the quality of care in hospitals forced to admit additional patients.
An additional concern is whether sensitive patient information has been compromised and who should be held responsible. In the wake of the attack on Change, doctors are pushing US government health officials to make clear that Change has a responsibility to alert patients. According to a letter from the American Medical Association and other medical groups earlier this week, doctors urged officials to “publicly state that the investigation into the breach and immediate remediation efforts will focus on Change Healthcare and not on suppliers affected by the Change Healthcare breach. “
These types of ransomware attacks have become increasingly common, as cybercriminals, often backed by criminals with ties to foreign states like Russia or China, have determined how profitable and disruptive it can be to target large healthcare organizations. UnitedHealth CEO Andrew Witty recently told Congress that the company paid $22 million in ransoms to cybercriminals.
The attack on Change has drawn much more government attention to the problem. The White House and federal agencies have held several meetings with industry officials, and Congress asked Witty to appear earlier this month to discuss the hack in detail. Many lawmakers have pointed to the growing size of health care organizations as one reason why the nation's delivery of medical care to millions of Americans has become increasingly vulnerable.
Cybersecurity experts say hospitals have no choice but to shut down their systems if a hacker manages to get in. As criminals infiltrate the entire computer system, “hospitals have no choice but to turn to paper,” said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, which he described as a neighborhood watch virtual for industry.
He said it would be unrealistic to expect a hospital to have redundant systems in the event of a ransomware or malware attack. “It's simply not possible and feasible in this economic environment,” Weiss said.