Hospitals Use Low-Tech Defense for High-Tech Attacks

By Alex Ruoff

Aug. 3 — Boston Children's Hospital has two types of crash carts: one for when a patient suffers a potentially fatal condition and another for when the hospital's information technology systems stop working.

The latter is called a downtime cart and holds all the paper forms and directions doctors and nurses need to do their jobs if the hospital's electronic health record system goes down. Boston Children's electronic health records system is used across the hospital to track patient care, register patients and order medications.

Downtime carts and other low-tech replacements for health IT tools are becoming crucial as hospitals face new threats from cybercriminals that have the potential to shut down information networks, hospital executives told Bloomberg BNA. Hospitals are growing increasingly reliant on their IT systems to support their everyday operations, from record keeping to medication ordering and tracking laboratory results, but hospital staff must also face the reality that those systems can and do fail.

“Hospitals are starting to recognize that this is something they need to plan for,” Dan Nigrin, chief information officer for Boston Children's Hospital, told Bloomberg BNA. “We're moving to automate more processes to realize efficiencies, so there's real risk if those systems are taken away.”

IT downtime is a reality for any organization regardless of industry, Charles Christian, vice president of technology and engagement for the Indiana Health Information Exchange, told Bloomberg BNA. Normally, hardware systems such as servers are shut down for repair or software must be taken offline for updates during slow periods with little interruption, he said.

However, nearly 60 percent of hospitals that participated in the federal meaningful use incentive program reported an unplanned disruption in their record systems between 2014 and 2015, according to a recent HHS Office of Inspector General report.

Roughly a quarter of hospitals that lost access to their health records said the event delayed patient care, the report said. Most of those disruptions were caused by hardware failures, not hacking incidents.

But hospitals are increasingly facing directed cyberattacks, such as ransomware attacks, that are designed to disable their IT and health record systems.

The HHS IG found that 20 percent of unplanned downtimes at hospitals lasted more than eight hours. Of those downtimes, 15 percent resulted in rerouted patient care and 1 percent resulted in a loss of records.

No data breaches resulted from those downtimes, according to the hospitals.

Protecting IT Systems

Hospital executives and technical personnel have sought to protect their IT systems from natural disasters or other predictable incidents, Christian said.

Many larger hospitals or hospital systems have their own hardened data centers to ensure staff can always access their IT networks, he said. These organizations have redundant hardware to ensure an accidentally cut wire or faulty server can't alone crash their network, Christian said.

Most hospitals also know to regularly back up their clinical data to ensure patient data isn't easily lost, Christian said. Half of the hospitals contacted by the IG said they had backup systems in place in case of an EHR system disruption.

However, smaller hospitals and critical access hospitals—facilities with fewer than 25 inpatient beds that are typically the only local emergency care—can't afford these backup systems, he said. Most are reliant on the company that sold them their EHR system to protect their data and keep their computers online.

To contact the reporter on this story: Alex Ruoff in Washington at

To contact the editor responsible for this story: Kendra Casey Plank at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
