Imaging Informatics Exec: What It’s Like to Respond to a Ransomware Attack
Last fall, several U.S. hospitals were hit with ransomware attacks that crippled their IT systems for weeks. During a Jan. 28 webinar on cybersecurity in enterprise imaging, one executive described what it was like to try to respond when her health system was attacked several years ago.
Sylvia Devlin, IT manager for Radiology Clinical Operations and the eRadiology Center at Johns Hopkins Medicine in Baltimore, made clear at the outset that her experience with ransomware did not occur at Johns Hopkins but at a previous multi-hospital system where she used to work. She was speaking during a presentation put on by the Society for Imaging Informatics in Medicine (SIIM).
Several years ago, she said, a PACS administrator at one hospital called her at the corporate office early one morning and said the PACS was down. That happened sometimes and it usually ended up being innocuous. They contacted the vendor that supported the system. “I was oblivious to what was happening, until my boss stopped by and mentioned ransomware,” Devlin recalled. It turned out the entire enterprise had been compromised. “No one could log into anything. The blood drained from my head. I had a sense of disbelief,” she said. The health system shut down the EHR and e-mail to prevent spread. “At the corporate level, some of us went around unplugging computers and leaving notes for people on their desks telling them not to log in. There was not much else we could do at that point except wait for information from security team.”
The executive team had to use personal email accounts, texting and cell phones to communicate. They had no access to downtime procedures. “This was at a time when there was a big push to go paperless,” she said. “We had no access to the PACS contacts and contracts to see our support levels.” Most importantly, clinical work flow was disrupted at the hospitals. Without access to records, departments were not able to reach patients or view schedules for the day. Hospitals remained operational but very challenged. Seasoned nurses reverted to paper, and showed younger nurses how to revert to paper processes.
The attack severely impacted radiology and imaging workflow because they were so dependent on the PACS. To view patient imaging studies, they had to go to the imaging department and view them on the modalities. Some radiologists resurrected old micro cassette recorders.
Devlin did find a hard copy of downtime procedures, but they turned out to be four years old at that point many things had changed. She said the lesson learned is that it is critical to review downtime procedures and have hard copies available on-site and off-site.
Another challenge was dealing with vendors. When they heard about the ransomware attack, the PACS and applications vendors cut virtual ties with the health system. “Everyone in healthcare IT was pulling all-nighters to restore systems,” she said.
Most systems were operational by the end of the week. When enterprise IT security gave the all clear to fire up servers and workstations, all PACS systems appeared to be functioning except one at a community hospital.
Devlin went to help the local PACS administrator. The PACS was supported by the vendor by design, so they did not have much access to the back end. But during the ransomware, event, she was depended on to get into the back end and relay over the phone to the vendor what she saw.
Another challenge was that when they checked the PACS workstations used by radiologists, all 27 were infected. Because there was as yet no PACS to send images to, they had to determine if there was enough space on the modalities. Could they purge older images that they were confident made it to disaster recovery to free up space? “We had to contact vendors for ideas on how to retain those imaging studies,” she said.
Yet another challenge was that radiology was not the only imaging department that suffered. Cardiology and fetal assessment depended on radiology, and there were only two people in imaging informatics on site. It was difficult to find time to help other departments. The two-person PACS admin team was pulled in many directions to get departments back up.
Devlin said they had to try to find humor in whatever they could. “If we didn’t try to stay positive, we could have easily been overwhelmed,” she said. “There were moments where we were feeling completely overwhelmed by a fire hose of issues. There was lots of chocolate consumption to keep us going,” she said with a laugh. “It helped that the radiology director and radiologists were very supportive.”
In telling about this frightening experience, Devlin said she hoped attendees were able to hear things that might help them in their organizations.
During a panel discussion following Devlin’s talk, consultant Lou Lannum noted that many organizations do not have a map of their IT ecosystem. “Many have not taken the time to document everything that touches the network and the EMR,” he said. “But if you don’t, you don’t know where points of failure are and where you are at risk. It is not an easy task, but asset management is essential.”
Webinar moderator Matt Bishop, enterprise imaging architect for Unity Point Health, pointed attendees to a new NIST PACS cybersecurity paper.