It was reported Monday that a hospital cyberattack on MedStar Health, a health system based in Washington DC and Maryland, has affected clinical care systems throughout their network of 10 hospitals and 200+ outpatient care centers.

According to the Washington Post, MedStar’s computer systems were hit on Monday by a cyberattack that reportedly included a virus affecting IT systems used across the health system. In response, MedStar shut down “all computer system interfaces” to prevent further spread, which took care systems like electronic order entry and EHRs offline. Even the WiFi was reportedly down at several institutions. Hospitals from Washington DC to Baltimore have been affected, including Georgetown and Washington Hospital Center, which are 600- and 900-bed hospitals, respectively.

This news follows a wave of cyberattacks on hospitals in the US, though most of those reported recently have been on smaller hospitals. And while every single statement from these institutions says patient care was not affected thanks to quick deployment of paper backups for everything, we all know how difficult the “downtime procedures” make even the most basic clinical tasks. And as healthcare goes online, with more care delivered through virtual visits & improved patient self-management tools, events like this could wreak even more chaos in the future.

The roots of these security vulnerabilities lie at all levels, from the individual clinicians using those systems to the way those systems are designed and integrated into the hospital. At the individual level, clicking on a bait link, downloading an email attachment, or bringing an unsecured device onto the network could put the hospital IT system at risk. At the system level, there are all sorts of issues, varying by institution, in the way the IT system is designed and operated that could create vulnerabilities. And the fact that these issues have been on the radar for years before this recent spate of attacks raises some concern about how effectively they are being managed.

If this does turn out to be a ransomware attack on MedStar Health, which some media outlets are reporting though it remains unconfirmed, it would be one of the largest in the US to date. And unfortunately, it’s unlikely to be the last. Hopefully, it will also serve as a wake-up call that, while we’ve been mandating reporting of a million different quality measures & implementing extraordinarily expensive EHRs, there are fundamental security issues that need equal attention (and funding).