A health information exchange in Western New York provided critical help after a recent ransomware attack on the Erie County Medical Center in Buffalo, N.Y., which crippled operations at the 602-bed hospital.
HEALTHeLINK, the regional HIE, enabled ECMC clinicians to access vitally important healthcare data while its electronic health record system was down in the hours, days and weeks after the devastating April 9 malware incident.
ECMC’s IT department detected the file-encrypting ransomware on that Sunday morning and, as a precautionary measure, shut down the hospital’s Meditech EHR, email and website, among other IT systems.
However, that caused problems for physicians and nurses in getting crucial health information to ensure the continuous and safe care of patients in the emergency department and other parts of the hospital. Confronted with an urgent need for data assistance, ECMC turned to HEALTHeLINK, resulting in unprecedented collaboration between the two organizations.
Launched in 2006, HEALTHeLINK is a collaborative effort among healthcare organizations in the area to share clinical information and make patient records available. According to Executive Director Daniel Porreca, ECMC was one of the first participants in the HIE and “has been very progressive” in its participation, even building an interface to HEALTHeLINK into their Meditech EHR.
“They were among the first that went live with that,” he adds. “It’s great from a process and workflow standpoint, but it’s not so great when the EHR is down.”
Within hours of the ransomware attack, HEALTHeLINK assisted ECMC with implementing an EHR workaround in which hospital staff used laptops with ad hoc Internet access to view patient records through a web-based portal connection to the HIE’s database.
“Very quickly, we had one of our staff on a call to reset passwords to enable access, and by early Sunday afternoon, we had one of our staff in the hospital working directly with providers as they set up laptops to get Internet access,” recounts Porreca. “By Monday morning, we had seven people onsite working in the areas where the laptops were being deployed and getting access to their own data via HEALTHeLINK.”
According to Porreca, because the hospital is an active participant in the HIE and had existing user accounts, ECMC’s clinicians were able to quickly access patient records that they would normally view through their EHR.
“Based on their involvement with us, ECMC was able to continue clinical operations almost immediately and to access their own data by using HEALTHeLINK,” he adds. “We were fortunate to be in a position where we could help.”
“If you asked me a few months ago what is the value of our organization, in my elevator speech business continuity would not have been one of the items—but it is now,” concludes Porreca. “There are some lessons out of this incident that other hospitals can learn from.”
One of those lessons, he says, is to have business continuity plans in place in the event of a cybersecurity crisis.
“We’re putting together a strategy to get out to our member hospitals and other provider organizations to relay that message,” Porreca adds. “We’re in the process of working with ECMC to document that so as to make our process more efficient. Something like this could happen to anybody. This is another reason why being a part of a community-wide HIE is a good thing.”