On July 9, 2018, Cass Regional Medical Center (CRMC) in Harrisonville, Missouri was hit with a ransomware attack that led to a complete shutdown of its electronic health record (EHR) and the diversion of trauma and stroke patients.
According to CRMC, the attack affected CRMC’s internal communications system and “access to” its EHR. In response, Meditech (CRMC’s EHR vendor) shut down the EHR system until the attack is resolved, although CRMC maintains that there is no indication that patient information has been breached. CRMC has engaged a cyber forensics firm to investigate the attack, and restoration of the EHR is pending the results of that investigation. As of July 10, CRMC estimated that restoration of its systems was 50 percent complete, and its EHR remained offline. As a precautionary measure, CRMC also diverted ambulances carrying trauma and stroke patients to other facilities to assure “optimal care” for such patients.
The attack on CRMC demonstrates the significant risks to hospitals and health systems posed by ransomware attacks, which risks are exacerbated by such organizations’ heavy reliance on EHR systems. The proliferation of ransomware attacks targeting health care organizations (and the valuable data held by such organizations) highlights the need to proactively address data security systems and breach-response procedures to reduce the risk of attacks and to enable organizations to respond quickly and (hopefully) limit the damage caused in the event of an attack.
For more information on ransomware attacks, please see previous Data Privacy and Security Insider posts here.