All Entries in the "Safety/security/facility" Category

Learning from a ransomware attack on your hospital

By Philip Betbeze

It’s breach season.

That’s what Ron Pelletier, founding partner of Pondurance, a cybersecurity company based in Indianapolis, calls February through April. Partly, that’s because it’s also tax season, when a lot of financial information is being sent and received via the internet. Bad actors often spend the latter part of the previous year “weaponizing” their tools and doing reconnaissance. Then they look for vulnerabilities.

For Hancock Health in Greenfield, Indiana, just outside Indianapolis, breach season started a little early. About 9:30 p.m. on the night of January 11, 2018, Steve Long, its president and CEO, got a call from the health system’s IT staff, telling him a computer in the lab was infected with ransomware. In an abundance of caution, the IT staff had turned everything off that was connected to the internet.

They were too late.

The attack by a criminal syndicate in Eastern Europe was initiated through the emergency backup facility, many miles away, used by the 71-staffed-bed hospital, and it had infected many, if not all, of its servers. The SamSam ransomware did not affect patient life-support systems.

Unlike ransomware programs that depend on phishing tactics to trick employees into opening an infected email, the SamSam attack is more sophisticated. The criminals found a vulnerable port set up by one of the hospital’s vendors, then located a password to gain entry into the system, Long says. They infected data files associated with the hospital’s most critical information systems.

“It was a port you had to log into but it was exposed to the internet,” Long says.

Long hopes by sharing his story that other healthcare organizations will avoid the disruptions that Hancock Regional experienced. He’s even written a publicly accessible blog about it.

From a forensics investigation done later, it appears the criminals made attempts at a “brute force” attack, in which they ran through tens of thousands of potential password combinations to gain entry.

“That did not work, but at some point, they found a login and password from a vendor who was working with our IT systems,” says Long. “We probably will never know exactly how they got a login and password. We’re told all the time we should be prepared for such things. We had hired a company that was supposed to track this, and had anti-malware and antivirus software we thought was good.”

In short, Long says, Hancock Health probably had a false sense of security about its network.

Long decided to pay the ransom price of four bitcoin, about $50,000 at the time, to begin the recovery process. After about 70 hours offline, and little sleep for the IT staff, communication systems were restored, network file servers were brought back online, and the electronic medical record system was restored.

Long and his staff emerged scarred, but smarter. He says other CEOs should learn at least four lessons from his headaches:

1. Remote Desktop Protocol ports need multifactor authentication

The vulnerability the criminals took advantage of at Hancock is a common port associated with Windows that has plenty of legitimate uses, such as remote system maintenance, says Pelletier, but ports like that are often exploited.

“With this particular port, if clients have a business case that it needs to be open we advise multifactor authentication, including a password, a biometric, and a PIN, randomly generated,” he says.
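The forensics described above found a pattern that is visible in ordinary Windows logon events: a burst of failed logons against an internet-exposed RDP service, then a successful logon with a valid vendor credential. The following is an added example, not code from Hancock Health or Pondurance, that flags that pattern over a constructed set of Security events (4625 failed logon, 4624 successful logon, LogonType 10 for RDP); the sample records, the internal address ranges and the 20-failures-in-30-minutes threshold are assumptions.

```python
"""Flag RDP logons that follow a password-guessing burst from the same source.

Constructed example, not from the article or the organisations it names. Windows
records failed logons as Security event 4625 and successful ones as 4624, with
LogonType 10 for RDP (RemoteInteractive); the events below are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP)
FAILURE_THRESHOLD = 20         # failures from one source inside the window
WINDOW = timedelta(minutes=30)
# Assumed internal address space; any RDP logon from outside it is flagged.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_T0 = datetime(2018, 1, 11, 21, 0)  # constructed base time for the sample

def _ev(minute, event_id, account, src, logon_type=RDP_LOGON_TYPE):
    """Build one constructed event: (timestamp, event_id, logon_type, account, source_ip)."""
    return (_T0 + timedelta(minutes=minute), event_id, logon_type, account, src)

SAMPLE_EVENTS = (
    # 25 failed RDP logons from one outside address over 25 minutes (4625)
    [_ev(i, 4625, f"user{i % 5}", "203.0.113.7") for i in range(25)]
    # then a successful logon from that address with a vendor account (4624)
    + [_ev(26, 4624, "vendor_svc", "203.0.113.7")]
    # routine internal RDP logon with no prior failures: must not be flagged
    + [_ev(27, 4624, "labtech", "10.20.30.40")]
    # single successful RDP logon straight from the internet: flagged for exposure
    + [_ev(28, 4624, "admin2", "198.51.100.9")]
    # console logon (type 2) is outside this RDP-specific check and is ignored
    + [_ev(29, 4624, "labtech", "198.51.100.9", logon_type=2)]
)

def is_external(ip, internal_nets=INTERNAL_NETS):
    """True when the source address is outside the configured internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in internal_nets)

def find_suspicious_rdp_logons(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (timestamp, account, source_ip, prior_failures) for every successful
    RDP logon that either comes from outside the internal ranges or was preceded,
    within `window`, by at least `threshold` failed logons from the same source."""
    failures = defaultdict(list)   # source_ip -> timestamps of failed logons
    findings = []
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        if event_id == 4625:
            failures[src].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold or is_external(src):
                findings.append((ts, account, src, len(recent)))
    return findings

if __name__ == "__main__":
    for ts, account, src, n in find_suspicious_rdp_logons(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} RDP logon {account!r} from {src} "
              f"after {n} failed attempts in the last {WINDOW}")
```

The same logic applied to live 4624/4625 events would surface both the brute-force burst and the later logon with a stolen credential, which a signature-based tool sees as a normal successful authentication.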

2. You’re more vulnerable than you think

“In terms of readiness, we had systems in place, had a company that was supposedly monitoring us, and we had cyberinsurance,” says Long.

Hancock didn’t use the cheapest vendors, but it didn’t use the most expensive, either.

“When you’re the [CEO], IT is the thing you always feel like you put so much money into,” he says. “What we’ve also learned is you could have the best of everything, and you’re not 100% safe. There is a balance.”

3. It takes humans to counter humans

Software can’t fully do the job. It takes humans to offer a dynamic defense to the ingenuity of a hardworking criminal enterprise.

“A lot of organizations buy into what vendors say about their tool but there are vulnerabilities we don’t know about and someone might be harvesting that,” says Pelletier. “Bad actors leave evidence of their attempts that can show something is going on, but it takes a human to do the analysis.”

“In cyber terms, if you are targeted, then with enough time, effort, and resources, they will likely be successful, but it takes time and resources and money,” says Pelletier. “If you make yourself a hard target, they’ll move to someone else who is more vulnerable.”

4. Don’t underestimate the criminals

Cybercriminals carefully calibrate the ransom they ask for based on your organization’s ability to pay, Pelletier says.

“They want to get paid and that’s why the [ransom] dollar amounts, relatively speaking, are low,” Pelletier says.

He says you can restore from a backup rather than pay the ransom, but the likelihood of being able to recover completely may be questionable.

Adds Long: “They force you down a path. We needed to get up quickly, and we had some question about whether our backups were viable. I agree with every reason not to pay, but until you are faced with the decision, it’s easy to say lots of things. For us it made the most sense to get the decryption keys.”

Long says such things can happen to anyone. You have to plan for the worst.

“I never imagined I would be sitting there on a Thursday night having shut down all our computers,” Long says. “We want others to learn from this and we believe we can be, for lack of a better word, a beacon.”

Check your state for deadlines on new hazardous waste pharmaceuticals rule

By A.J. Plunkett

Let your pharmacists and anyone else in your organization who handles hazardous waste pharmaceuticals know that flushing those drugs down a drain or toilet will be specifically prohibited as of August 2019. That is provided the EPA’s new final rule on the management of hazardous waste pharmaceuticals is published as planned on February 22 in the Federal Register.

The ban on sewering hazardous waste pharmaceuticals is “long overdue,” said Kristin Fitzgerald, with the EPA Office of Resource Conservation and Recovery on February 14 during the first of what could be several informational webinars the agency plans on the long-awaited rule.

Sewering “is a common practice in many healthcare facilities and it needs to stop,” said Fitzgerald, noting that while the new prohibition applies only to hazardous waste drugs and only to those organizations covered under the new rule, the EPA strongly discourages the flushing of any pharmaceuticals by anyone anywhere.

While the final rule creating a new Subpart P to the federal Resource Conservation and Recovery Act (RCRA) does exempt controlled substances that are under the Drug Enforcement Administration’s jurisdiction from the new hazardous waste regulations, even those controlled drugs still are banned under the no-flushing rule.

ER Doc: Protect Your Staff From Workplace Violence

By Christopher Cheney, HealthLeaders Media

Amy Costigan, MD, wants to be able to practice emergency medicine without being punched in the face.

Healthcare staff carry a heavy workplace violence burden, with about 74% of workplace assaults occurring in the healthcare setting. Workplace violence is prevalent in the emergency department—78% of emergency physicians have reported being targets of workplace violence in the prior 12 months.

Costigan wrote about her workplace violence experience in Annals of Emergency Medicine. She had lost a young woman in cardiac arrest, then went to a family room to inform the woman’s mother.

When she entered the room, the ER physician had a choice—sit in a chair near the door or sit on the couch next to the young woman’s mother. Costigan picked the couch.

After she shared the bad news, the enraged mom punched her in the face.

Use TRAIN matrix to triage patients in mass evacuation

By A.J. Plunkett (aplunkett@h3.group)

Modify the Triage by Resource Allocation for IN-patient (TRAIN) matrix to suit your facility’s needs in case of a mass evacuation.

Developed by the Lucile Packard Children’s Hospital at Stanford in Palo Alto, California, the matrix is combined with the hospital’s electronic medical records system to allow quick assessment of patients and the types of transportation needed to evacuate them to safety. The matrix is also available in PDF form online (see Resources).

“Caregivers have prompt access to a fully automated report that categorizes patients in terms of their specific needs, such as what types of intravenous medication they receive, whether they’re on ventilators or whether they need an intensive care unit bed,” according to the Stanford Medicine News Center in announcing the program in 2015.

Hospitals across California and other areas, including the Sharp Healthcare system in San Diego, have modified the matrix for use as part of their all-hazards preparation for emergencies, including wildfires (see p. 1).

According to a toolkit by Lucile Packard, the matrix allows a hospital to:

  • Quickly assess and accurately request the right resources from the emergency operations center.
  • Streamline communication with a common code.
  • Implement a standardized and automated inpatient hospital evacuation triage system with minimal impact to workflow.
  • Increase awareness and disaster preparedness across the institution.

System is color-coded

“TRAIN helps determine what vehicles and equipment are necessary for continuous patient care during a crisis event and simplifies communicating patients’ needs to other hospitals or command centers coordinating transfers. For instance, TRAIN helps the hospital decide whether cars or vans are needed, how many ambulances or specialty transports are required and even how many IVs and ICU beds should be in place at the receiving facility,” according to the news center article.

“Under TRAIN, patients are assigned a color, with red designated for patients in critical condition. These patients need specialized transport, such as an ambulance or military vehicle, in addition to life-support equipment, such as ventilators and multiple intravenous drips for medication. TRAIN allows care teams to communicate the medical needs of this patient, as well as the severity of his or her condition, with a single word: red,” according to the news center. “In comparison, patients marked with blue tags are considered stable and can be transported in a car or bus, without any specialized equipment.”

The toolkit is available through the HHS Assistant Secretary for Preparedness and Response’s Technical Resources, Assistance Center, and Information Exchange (ASPR-TRACIE) collection of evidence- and experience-based resources for emergency management. It is part of the Healthcare Facility Evacuation/Sheltering collection of resources.


Tapping Patient Engagement to Reduce Diagnostic Errors

By Christopher Cheney at HealthLeaders Media

Drawing information from patients can help boost understanding of why diagnostic errors happen and reduce the risk of future errors, research published this week says.

Diagnostic errors are a serious patient safety problem, impacting about 12 million adult outpatients each year and causing as many as 17% of adverse events for hospitalized patients.

“Health systems should develop and implement formal programs to collect patients’ experiences with the diagnostic process and use these data to promote an organizational culture that strives to reduce harm from diagnostic error,” researchers wrote in an article published today in the journal Health Affairs.

The research features an examination of 184 narratives from patients or family members about diagnostic errors collected in a new database maintained by the Empowered Patient Coalition.

The data provide unique and valuable insight into diagnostic errors, the researchers wrote.

“Patients’ reports of their experiences of diagnostic errors can provide information that traditional measurement mechanisms often fail to capture. Given the absence of diagnosis-specific experiences in most surveys and patient-reported outcomes, the only current way to capture patients’ experiences of diagnostic error is via patient complaints. However, complaints are often viewed as satisfaction matters rather than safety signals,” the researchers wrote.

Pain points

The Empowered Patient Coalition narratives identified four areas where poor clinician-patient relations contributed to diagnostic errors.

  • Patient knowledge was ignored in 92 of the narratives. Patients or family members said that clinicians ignored or disregarded reports of clinical indications such as symptoms and changes in patient status.
  • Disrespect of patients was considered a possible contributing factor in several diagnostic errors. Clinician disrespect of patients was reported in several forms such as belittling, mocking, and stereotyping.
  • Failure to communicate was another theme in the narratives, with clinician failings ranging from ineffective communication styles to refusal to talk with patients and family members. Examples of poor communication included unanswered phone calls and unresponsiveness to questions.
  • Manipulation or deception was reported in 15 of the narratives. This behavior fell into two categories: Clinicians using fear to influence care decisions or patients who were misled or misinformed.

Addressing the problem

To help reduce diagnostic errors, the Health Affairs researchers propose five methods to collect patient experience data and encourage better communication between clinicians and patients.

  • Creating new requirements for clinicians to conduct lifelong communication training. These requirements could include training to manage patient expectations through discourse.
  • Including communication skills, professionalism, and safety knowledge in certification and continuing medical education programs.
  • Health systems and providers should encourage patient engagement in safety through active and systematic collection of patient observations of clinician behaviors. These patient engagement efforts should be incorporated in mechanisms that are designed to change clinician behaviors.
  • Patient reports identifying clinician behaviors that pose a risk of diagnostic errors should result in interventions to foster patient-centered communication. These reports should be corroborated through the medical record or some other form of independent analysis.
  • Hospitals and health systems should include patient reports of diagnostic errors into training and patient safety programs.

A multi-pronged approach is needed to address aberrant clinician behaviors that lead to diagnostic errors, Traber Giardina, PhD, lead author of the Health Affairs research, told HealthLeaders today.

“We recommend health systems use a systematic method to collect patient reports of these types of behaviors. This would allow for these behaviors to be identified and monitored. A safety culture that encourages not just patients but also clinicians and staff to report these behaviors is needed. Additionally, we suggest reforms in medical education that highlight patient safety,” she said.

These efforts require walking a fine line, said Giardina, a patient safety researcher at the Michael E. DeBakey VA Medical Center and assistant professor of medicine at Baylor College of Medicine, both in Houston.

“Fostering clinician accountability for the unprofessional behaviors experienced by the patients who reported diagnostic errors is sure to be challenging and will need to be balanced by the need to address pressures on clinicians that lead to burnout, which may even contribute to these behaviors. These at-risk behaviors that compromise patient safety must be addressed though. More policy priority to nurture the patient-physician relationship is long overdue.”

Joint Commission Unveils New Emergency Management Checklist

On October 10, Hurricane Michael made landfall in Florida, damaging at least two hospitals so badly they were forced to evacuate. On the same day, The Joint Commission (TJC) published a new Emergency Management Health Care Environment Checklist on its website, which helps healthcare organizations reopening their facilities after a disaster.

While the timing of these two events was coincidental, providers should take time to go over the checklist and their emergency plans in general.

A TJC workgroup developed the checklist at the request of the U.S. Department of Health & Human Services’ Office of the Assistant Secretary for Preparedness and Response. It aligns with the accreditor’s Emergency Management standards, covers both clinical and environmental issues, and addresses crucial post-disaster elements that must be dealt with before reopening. It should be noted that the checklist isn’t hurricane-specific.

Jim Kendig, TJC’s field director of Life Safety Code surveyors, says it’s critical that hospitals customize the checklist for their needs by examining the relationships they establish in the community, and at the regional and state levels.

“For example, in Florida, a county Office of Emergency Management met with utilities and other emergency support functions to determine hospitals and PSAPs [public safety answering points] are the first to receive power restoration,” he says. “Establishing an unidentified victims process is also a good start, as is the ability to share that information within an hour of a disaster event.”

“The Joint Commission’s Emergency Management Committee continues meeting with organizations after disaster events to glean important information to share with the field through our Environment of Care News and ongoing communications,” he adds. “This also gives us the opportunity to ensure that our standards and elements of performance are effective and contemporary.”

FDA warning on surgical fires

This summer, FDA issued an alert reminding healthcare professionals and facility staff of “factors that increase the risk of surgical fires on or near a patient.” The agency also recommended practices to reduce the occurrence of surgical fires, including “the safe use of medical devices and products commonly used during surgical procedures.”

The alert is targeted at healthcare professionals involved in surgical procedures—such as surgeons, surgical technicians, anesthesiologists, anesthesiologist assistants, certified registered nurse anesthetists, physician assistants, and nurses—and staff responsible for patient safety and risk management.

“Although surgical fires are preventable, the FDA continues to receive reports about these events,” read the alert. “Surgical fires can result in patient burns and other serious injuries, disfigurement, and death. Deaths are less common and are typically associated with fires occurring in a patient’s airway.”

This report comes 13 months after the FDA warned that certain lithium battery–powered medical carts had been overheating, igniting, smoking, burning, or exploding. In some cases, firefighters have had to bury medical carts to put out the flames.

When fires break out

ECRI Institute estimates that, based on the nonprofit research organization’s reporting data from Pennsylvania scaled up to represent the entire country, there are between 90 and 100 surgical fires in the U.S. every year, down from 550–650 in 2007. ECRI Institute estimates that about 10%–15% of these surgical fires are major, leading to serious injuries or disfiguration.

In 2016, a man in Florida was getting a cyst removed from his forehead when a surgical tool caught cloth on fire during surgery, causing third-degree burns on his face, according to a news report. Another news report out of Chicago said that in 2012, a man having a catheter implanted in his chest suffered surgical fire burns so painful that he “prayed to God to just let me die.”

In rare cases, as the FDA noted, surgical fires can be fatal. For example, a 65-year-old woman undergoing surgery at an Illinois hospital in 2009 died six days after being burned during a “flash fire” in the OR.

It’s not just patients who can be harmed. Healthcare workers are also at danger of being injured when surgical fires occur. Plus, medical equipment and devices are at risk of damage, too.

Fire starters

“A surgical fire can occur when all elements of the fire triangle are present,” Scott Lucas, PhD, PE, director of ECRI Institute’s Accident and Forensic Investigation team, explained via email. Those three elements, he wrote, are a fuel, such as drapes, gauze, breathing tubes, or prepping agents; an oxidizer, such as oxygen or nitrous oxide; and an ignition source, such as a laser or electro-surgical pencil.

“Procedures involving the face, head, neck and upper chest (above the xiphoid) are of the greatest risk, particularly in the presence of supplemental oxygen,” Lucas wrote in the email.

Lucas also noted that more than 70% of surgical fires involve oxygen enrichment, which OSHA defines as any atmosphere that contains more than 22% oxygen. He added that “alcohol-based prepping agents also pose a high risk of fire if the agent has not dried prior to beginning the procedure.” The recommended drying time for prepping agents should be listed in product instructions, Lucas wrote.

In its alert, the FDA wrote that it “reviews product labeling for drugs and devices that are components of the fire triangle to ensure the appropriate warnings about the risk of fire are included.”