Suit Alleges Inability to Access Critical Fetal Monitoring Data Was Malpractice
The death of a baby born with complications during a 2019 ransomware attack on a Mobile, Alabama hospital – one that left clinicians unable to access electronic health records and patient monitoring systems – is intensifying the spotlight on the potentially fatal consequences of such cyber incidents.
The medical malpractice lawsuit, potentially the first in the U.S. alleging a death tied to a hospital ransomware attack, is a stark example of what some experts have been fearfully warning about in recent months.
On Friday, the Cybersecurity and Infrastructure Security Agency issued a report examining the impact of ransomware and other cyberattacks on the healthcare sector entities during the pandemic.
“Although there are no deaths directly attributed to hospital cyberattacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths,” the report says.
The findings are a forewarning for the healthcare sector, CISA notes.
“As the U.S. enters the next phase of the pandemic, the nation’s capacity to provide medical care is facing unprecedented levels of strain,” says Joshua Corman, senior adviser for the healthcare sector at CISA, in a statement provided to Information Security Media Group.
CISA’s analysis shows how the strain hospitals are under affects patient care and outcomes, and cyberthreats can make those strains measurably worse, he says.
“The analysis shows the real-world impact cyberthreats can have on patients and the nation’s critical workers and functions, and should remind all critical infrastructure stakeholders to do their parts to manage these risks – including the importance of implementing strong cybersecurity and resilience measures to protect their operations.”
Also, a study released last week by research firm Ponemon Institute and cybersecurity risk management firm Censinet found that 22% of the respondents – who were all IT and security professionals at healthcare delivery organizations that had experienced ransomware attacks – believe the incidents resulted in an increase in patient mortality.
Even higher percentages reported other effects on patient care, including an increase in complications, delays in procedures and tests, longer hospital stays, and diversion of patients to other facilities.
“We are in the top of the first inning as it relates to ransomware attacks in healthcare,” says Ed Gaudet, CEO of Censinet.
“As an industry, we must continue to have the courage to ask the hard questions about the impact to care and mortality rates, provide the right level of regulatory oversight, and drive investments to eradicate ransomware from healthcare.”
The lawsuit against Springhill Medical Center and one of its physicians was filed in a Mobile County circuit court by the baby’s mother, Teiranni Kidd, in January 2020 and was updated in April 2020 – after the child died, allegedly from her birth complications. The case is slated for trial in November 2022.
The lawsuit alleges that Kidd was unaware the hospital was in the midst of a ransomware attack when she was admitted on July 16, 2019. Kidd’s daughter, Nicko Silar, was born at the hospital on July 17 with her umbilical cord tied around her neck, suffering severe brain damage and other complications.
Lack of Monitoring Data
The complaint alleges, among other claims, that Kidd’s clinicians did not have timely access to the baby’s fetal monitoring results that showed the baby was in distress, and which should have prompted an emergency Caesarean section to deliver the baby safely. That procedure was not performed.
“The only fetal tracing that was available to healthcare providers during Teiranni’s admission was the paper record at her bedside,” the lawsuit alleges.
“Because numerous electronic systems were compromised by the cyberattack, fetal tracing information was not accessible at the nurses’ station or by any physician or other healthcare provider who was not physically present in Teiranni’s labor and delivery room,” the complaint says.
“As a result the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated.”
Following the birth, the baby was transferred to a children’s hospital, where she spent months in the neonatal intensive care unit.
“Nicko was profoundly brain-injured, required frequent oxygen supplementation, fed through a gastrointestinal tube, and needed medication administration around the clock,” the lawsuit claims.
Lack of Transparency
The lawsuit also alleges that Springhill Medical Center “intentionally or negligently withheld and wrongfully concealed and suppressed” critical factual information to the general public that its hospital operations and patient safety were severely compromised by the impact of the July 2019 cyberattack.
Springhill Medical Center failed “to reveal the true facts related to the cyberattack and its effect on the hospital’s ability to provide patient services for the benefit of the hospital and to the detriment of [Kidd and her baby] and the general public,” the lawsuit claims.
“As a proximate consequence of the fraudulent non-disclosure … [Kidd’s baby] was caused to suffer personal injuries and general damages, including permanent injury, from which she died on April 16, 2020,” the lawsuit alleges.
Springhill Medical Center did not immediately respond to ISMG’s request for comment.
Business Continuity Challenges
Many hospitals and other healthcare systems that suffer ransomware incidents – and lose access to electronic health records and other critical clinical systems – attempt to continue serving patients with continuity plans in which clinicians revert to manual processes and paper charts.
But many entities misjudge the extent of the potential impact of these incidents on clinicians and patients.
“The failure starts with too many healthcare organizations continuing to underestimate the importance of assuring the confidentiality, integrity, and availability of all data, systems, and devices that create, receive, maintain, or transmit electronic protected health information – a foundational requirement of the HIPAA security rule and, frankly, a fiduciary responsibility of the hospital C-suite and board,” says Bob Chaput, founder and executive chairman of privacy and security consulting firm Clearwater.
“This lawsuit happens to be about a serious compromise of availability of all three – critical data, systems, and devices – resulting in this devastating death,” he says.
Organizations need to conduct a business impact assessment to prioritize clinical processes and the underlying data, systems, and devices that enable those clinical processes, he says. “Good business continuity plans provide resilience and minimize ‘hobbling’ during attacks.”
Mac McMillan, CEO of privacy and security consulting firm CynergisTek, says readiness from a business continuity perspective is an area in which many organizations, including healthcare institutions, struggle.
“Organizations have become so used to IT fixing things or getting things back up and running in short order that they don’t really plan for complete loss, or long-term loss, or corruption of systems, services or data,” he says.
The Springhill Medical Center incident occurred in 2019, prior to the COVID-19 pandemic. But now hospitals are under even more pressure to resume and continue patient care services as quickly as possible following a ransomware attack, even while the threats from attackers surge.
“I think they try to continue to care for their patients as best they can, hoping IT is going to pull through for them,” McMillan says. But if they continue to struggle after a period of time following an incident, entities should make the call to divert patients elsewhere before safety is affected, he says.
“This is a very tough experience for these institutions. And when you consider the pandemic and our overall bed occupancy rates now, diversion may not even be a viable or easy option.”
Gaudet suggests that healthcare sector entities must do a better job not only of responding to ransomware attacks when they happen, but also of regularly updating their disaster recovery and business continuity plans and operations.
“Regulatory agencies such as the Joint Commission and hospitals must add cybersecurity exercises such as ransomware attacks to their Exercise and Evaluation Cycle under the organization’s Emergency Management Program,” he says.
“Hospitals must be prepared to respond to these attacks which can create significant stressors to care delivery. Ransomware disaster drills would allow hospitals to test response capabilities to these emergencies in real time.”
The incident at Springhill Medical Center is not the first one alleging that a patient death was linked to a ransomware attack on a hospital.
For instance, last year the death of a German patient whose emergency care was delayed by a September 2020 ransomware attack on University Hospital Düsseldorf was initially alleged to be directly linked to the incident, but investigators later determined that it was not.