Security

What Health Systems Can Learn From a Cyberattack on The Pitt

The show highlighted the real pain points many hospitals face during a downtime event.

Nelson Carreira is an Executive Healthcare Strategist for CDW.

In the most recent season of The Pitt on HBO Max, staff at the fictional Pittsburgh Trauma Medical Center make bets on why they’re receiving patients diverted from nearby Westbridge Hospital. Bets include flooding, a sinkhole, a power outage and even someone setting off fireworks in the bathroom (the season takes place on July 4). As it turns out, the culprit is something IT leaders are all too familiar with: a ransomware attack.

The Pitt is one of the most realistic medical shows on television, and the writers’ decision to include a ransomware attack further adds to that realism. Not only has ransomware become a major challenge for industries globally, but breaches are costliest for healthcare organizations. According to a recent IBM report, healthcare had the highest average breach cost for the 12th consecutive year at $7.42 million.

A successful ransomware attack can interfere with normal hospital operations, and if staffers don’t have a downtime plan in place, that cyberattack can have a negative effect on patient outcomes and patient trust. Having a well-rehearsed clinical care continuity plan can mean the difference between minimal interruption to patient care and having to close a hospital in the event of an attack.

So, how well did Pittsburgh Trauma Medical Center do when its network was taken offline, and what can real life healthcare organizations learn from the show?

DISCOVER: Ensure healthcare business continuity when IT fails.

How Did The Pitt’s Team Respond to an Unexpected Downtime Event?

In response to two nearby hospitals being hit with ransomware attacks, the hospital CEO walks into the emergency room to announce that the network will be taken offline to allow the IT team to prevent an attack and strengthen the hospital’s defenses. He reassures staff by saying, “Our IT protection system has blocked thousands of intrusion attempts in the hours since Westbridge was hit. IT believes we’re still vulnerable, so we’re going to preemptively shut down all the computer systems: patient registration, electronic health records, lab and radiology interfaces, email, internet.”

It happens almost immediately, with only enough time for a resident to get a blurry picture of the ER patient tracking board. As part of standard downtime procedures, hospitals should have a way to print that information to ensure they have a snapshot of each patient’s location and status. It was funny seeing the hospital rely on a photo, but such a scenario could become real if organizations aren’t prepared.

Veteran ER physicians and nurses quickly stepped in to set up paper charting procedures and fax machines while the newer staff waited for instruction. They designated runners to go to radiology and the pharmacy. Some staff members had clearly never practiced this scenario, which led to some confusion.

On The Pitt, the hospital was prepared in some cases and unprepared in others. It seemed like they hadn’t gone through a simulation in a very long time because they immediately turned to the oldest nurse, who runs the ER, to ask what to do. She contacted a retired nurse, who knew how to run the ER before today’s technology existed, to help set up paper charting processes. The fax machine didn’t work right away because they didn’t have the supplies to support it, and none of the younger doctors knew how to use it or even what it does.

Click the banner below to sign up for HealthTech’s weekly newsletter.

Rating The Pitt Staff’s Downtime Readiness

As far as a readiness score, Pittsburgh Trauma Medical Center was probably 60% ready for the downtime event. The management team knew what it would need, who to call and what resources to go after, but the staff had no clue what to do. They had never been through anything like this.

Younger physicians were not prepared for the loss of technology. The episode featured a clinical case in which a woman went into cardiac arrest because she wasn’t diagnosed properly. The team was waiting on lab results that weren’t requested correctly, creating a major delay.

Timing is critical in many cases. Every second matters, especially for stroke victims. If there’s no way to quickly get them into a CT scan or to communicate the need for fast results, it could lead to loss of life. The Pitt showcased why having systems, testing and checklists in place is necessary to ensure downtime procedures are second nature.

Unfortunately, this is a realistic scenario. And it’s going to happen if there are clinicians who have always relied on technology alone for patient safety checks lose access to those tools.

How Healthcare Organizations Can Ensure Clinical Care Resilience

To be truly prepared, healthcare organizations should go through all of the different components that will be affected during a downtime event, including supply chain, people preparedness and technology needs. You must factor it all into your preparations.

We spoke to clinicians at a health system in South Carolina about how well they could handle another situation like the CrowdStrike outage. The head of endoscopy, a seasoned clinician, said, “Bring it. It’s time these kids know what it’s like to really practice medicine — how we were trained.” When asked the same question, a junior nurse in the neonatal ICU said, “I’d become an actuary and retire from this healthcare gig.”

There’s a clear divide because many people have become dependent on technology. However, no matter the makeup of its clinical staff, no hospital has perfected its downtime procedures. Some health systems are further along on their journey than others, but no hospital can go on autopilot when downtime occurs.

Cyber resilience involves both IT and clinical aspects. From an IT perspective at CDW, we talk with IT teams to ensure they’ve transitioned from the traditional disaster recovery model to a cyber recovery model, with automation that speeds recovery. The security components also need to be in place to ensure that when the hospital has returned to normal operations, it’s in a trustworthy state with no lingering infected systems.

We’ve seen traditional disaster recovery fail when the Tier 0 components that tie systems together do not resume normal operations. In another episode of The Pitt, there was a mention of even the HL7 connectivity going down, which was a cool callout because normally people forget about that aspect of downtime. However, it’s significant when it comes to making sure all systems are working and communicating.

When we talk to customers, it’s all about making sure the glue is in place that will keep operations together. Testing, tabletops and simulations should all be done frequently, putting the recovery processes through their paces.

What this translates to on the clinical resilience side is that the clinical teams should be preparing for all scenarios. They shouldn’t be waiting around for systems to be back up and running, because no one knows how long that will take. It could take weeks. In that case, what would the clinical team do? If team members are just waiting around, what will happen to their patients? Processes and tools need to be in place to keep patients safe. That includes clipboards, paper, pens and methods of communication.

Phones are one of the most critical tools for communication between departments. A fractional outage impacting the radiology department can have a huge trickle-down effect on the rest of the hospital, especially the ER. How do they communicate with the organization in that case?

How Partnership Supports Hospitals’ Clinical Care Resilience Efforts

A trusted technology partner such as CDW can help health systems determine how well their existing clinical care resilience and cyber resilience plans function and navigate the process of improving those plans to ensure patient safety and continued operations.

In addition to creating an overall resilience plan, we can also help healthcare organizations set up isolated recovery environments for Epic that minimize the impact of downtime. We can also discuss the introduction of 5G to make endpoints more resilient.

CDW has a full program dedicated to helping healthcare organizations achieve their downtime goals and clinical care resilience planning. Many organizations bring in the tools they think they need while forgetting about the people and processes that make up the foundation of a successful clinical care resilience plan. We help organizations create the foundation for a successful program.

This article is part of HealthTech’s MonITor blog series.