In July 2019, Springhill Medical Center in Mobile, AL, suffered an eight-day ransomware attack that left medical equipment and patient records largely inaccessible.
During this attack, on July 17, Teiranni Kidd gave birth to her daughter, Nicko Silar. A reduced labor and delivery staff, a compromised hospital network, and impaired monitoring equipment prevented the normal alerts on patient and fetal status from reaching the nurses’ station down the hall. Those alerts would normally have led to a Cesarean delivery of this baby, who was born with the umbilical cord wrapped around her neck; instead, the medical team proceeded with a natural childbirth, unaware of the fetal distress. By the time the baby was delivered, she had suffered severe brain damage that ultimately led to her death several months later. Perhaps most tragically, the Ob/Gyn obtained the fetal monitor readout afterwards and texted the nurse in charge that she would indeed have performed a Cesarean had she fully understood the situation. Furthermore, neither the hospital nor the medical team informed the patient of the ransomware attack, and each blamed the other for the resulting tragedy. Kidd filed a lawsuit in 2021 against both the hospital and the Ob/Gyn for an undisclosed amount, and the case is still pending.
This case and the events leading to it present several good lessons and warnings for healthcare organizations.
The ransomware attack had been ongoing for a number of days before Ms. Kidd arrived at the hospital. How robust was the hospital’s network security? Had Springhill invested in advanced IT systems and personnel that created regular backups, installed patches quickly, and deployed the latest security tools on all devices? Did they train staff to recognize phishing emails and use multi-factor authentication? Did they take HIPAA compliance seriously, and were they making continuous efforts to improve adherence? Or perhaps they took security and compliance very seriously, were thorough in their security protocols, and ultimately… the bad guys still breached their system.
Once the hospital realized that it had been breached, did it have an incident response/disaster recovery plan in place that specified procedures for every staff member?
Was staff aware of and trained for these alternate procedures? Were backup files easily obtained? Did hospital administration notify patients fully, and did they describe any subsequent reduction in services?
Ultimately, the answers to these questions will play a decisive role in the outcome of this case. If the hospital is able to prove that robust security protections were in place, following a HIPAA compliance framework, and a ransomware attack occurred anyway, the judgment against them may be less severe. If hospital staff had a written emergency plan, their defense will be strengthened as well.
A comprehensive HIPAA compliance strategy, including robust cybersecurity, is the healthcare provider’s best defense against an attack.
If an attack occurs (and even the most advanced security cannot protect your network 100% of the time), a detailed plan for every function in the business is essential to maintaining quality of care and business continuity; it is also a compliance requirement.