MedStar Health Cyberattack: Treatment and Patient Safety Impact

by Kenneth N. Rashbaum

A ransomware attack forced the shutdown of MedStar Health computers and email systems on March 29,

The Washington Post reported. Nurses contended that the shutdown affected treatment and created patient safety issues.

The records and email systems were shut down after employees reported seeing pop-up messages on their screens demanding payment in bitcoin in exchange for a decryption key that would release data. A nurse at MedStar Washington Medical Center described the situation as “chaotic,” and added that clinicians could not access such vital information as medical history, medications prescribed and drug allergies. A doctor called the problem a “patient safety issue.”

MedStar officials denied that there were significant patient safety issues and a spokeswoman said that all MedStar facilities have “operated safely throughout the crisis.”

One nurse cited a specific example of patient safety, however, stating that an antibiotic with potentially severe side effects had not been stopped within the designated time because of the attack. A physician indicated that laboratory results crucial to determining the best means to treat infection and other conditions could not be quickly processed because of the systems shutdown.

This same physician criticized MedStar’s preparations for the cyberattack. In addition to the patient safety issues discussed, concern may be raised as to whether the attackers accessed identifiable patient information in the systems. If so, the HIPAA (Health Insurance Portability and Accountability Act of 1996) Security Rule, which requires technical and administrative (policy and procedure) safeguards for electronic patient information and training on those safeguards (which may include drills and exercises to prepare for cyberattacks) may be implicated.

If you have questions concerning regulations and laws related to cyberattacks and their impact on patient safety and privacy, please contact Kenneth N. Rashbaum.

Originally published in Privacy and Cyber Security on April 8, 2016 by Barton LLP