Last year, my healthcare system was struck by a cyberattack. Overnight, our electronic systems were down and we lost access to all of our usual digital tools—no electronic health record (EHR) access, no online prescribing, no ability to order lab tests or diagnostic imaging studies electronically. Meanwhile, our waiting room was full and our schedules were packed with back-to-back appointments. The ransomware downtime lasted five weeks and navigating it was one of the most chaotic and challenging experiences of my career.
Cyberattacks targeting healthcare organizations are rising rapidly. Reports show that ransomware attacks on healthcare systems have more than doubled in recent years—from 43 in 2016 to 91 in 2021. In 2023 alone, 46 hospital systems across the United States—encompassing 141 hospitals—were affected by ransomware attacks. A sharp increase from 25 systems in 2022.
These aren’t just numbers; cybercrime affects real patients in profound ways. It delays care, diverts ambulances, and cancels surgical cases. Patients’ personal data can also be leaked, which many of my patients worried about during our system’s cyberattack.
There are several reasons why healthcare systems are particularly attractive to cybercriminals:
Follow the Money: The average cost of a healthcare data breach in the U.S. is around $15 million, significantly higher than the typical $8.19 million for other types of data breaches.
Industry Consolidation: Many healthcare systems are not adequately prepared for such attacks. Over-consolidation in the industry means that breaching one system could expose millions of patients' information.
Preparedness: The frequency of software updates and audit practices can impact how well a system withstands cyberattacks. Regular updates and thorough audits are crucial for maintaining security.
Based on my experiences of working through a cyberattack, I’ve developed a list of practical strategies for clinicians to manage these situations in real time in the clinic setting.
1. Brace for a Tough Start
The first day without an EHR is the hardest. Even if subsequent days are objectively busier, the first day without any digital tools or databases will leave you feeling shell shocked. The sheer volume of missing information—past blood pressures, lab results, current medication lists—can be overwhelming. Expect the initial day to be brutal, but know it will get easier as you adapt to the new normal.
2. Be Selective with Your Schedule
If you have access to your schedule, review it with a critical eye in the early days. Prioritize appointments based on urgency. Patients with pressing needs should be seen promptly, of course, while routine check-ups in healthy patients can be rescheduled to give yourself more breathing room. I found that most clinical tasks and processes took me three times longer than usual, so any extra time in my schedule was a welcome gift.
3. Embrace New Systems
All the normal systems you’ve grown to know and love will need to go on hiatus for a while, like pre-charting or e-prescribing. Dust off the old paper prescription pads, and if possible, get paper-based order forms for labs and imaging.
Be resourceful in tracking down patient information that will help you provide the best care to your patients. If I knew that my patient had seen a specialist in my area in a different health care system, I asked my patient’s permission to reach out to this specialist for their recent notes. If your region has a central health portal or information exchange (like this one in my home state of Maryland), you can use it to track down necessary patient information.
Develop new paper templates for patient messages and phone calls, and create new electronic templates for clinic notes, capturing as much coding and billing information as possible in real time.
4. Manage Paper Overload
The sheer amount of paper all around you can quickly become overwhelming. Every surface in my office was covered in paper, which added to my feelings of stress (I love a clean, clutter-free desk any day of the week!). I learned quickly to organize my piles and piles of paperwork, developing my own system for finding important information when I needed it.
As a clinic, we created a new filing system for all patient visit and phone encounter paperwork to keep track of everything. This helped prevent important information from getting lost in the chaos.
5. Cover Your Bases
In the absence of electronic resources, it's crucial to document all your decisions and keep your records in a HIPAA-compliant manner. Work with your clinic leadership to learn the best way to protect yourself and the decisions you make during this time of no EHR access. In your notes, document any information you lacked in real time due to the EHR being unavailable.
Patients will inevitably have questions about the situation. Your healthcare system will likely provide you with talking points, and you can direct your patients to official resources or websites for accurate information.
To be honest, I was so busy managing my patients’ clinical needs that I didn’t have time for in-depth conversations about what was happening at the system level. Instead, I pointed my patients to the appropriate website where they could find more information.
The best way to handle a cyberattack is to prevent it from happening in the first place. Here are some proactive measures we can all consider:
Personal Habits
When it comes to personal email use, it’s always good to avoid clicking on links from unfamiliar sources. And while none of us has a moment to spare in our normal workdays, it’s not a bad idea to familiarize yourself with your EHR’s downtime protocols and ensure you have a workable template for notes if it should crash or become unavailable.
Fire Drills
Some healthcare systems conduct EHR downtime "fire drills" to test their preparedness in less stressful conditions. If your system doesn’t, consider advocating for these drills to identify and address potential pain points.
Regular Updates
Ask your leadership to ensure that your system’s software is up to date and conduct regular audits to reinforce security measures.
Those five weeks that my colleagues and I went without our EHR were undeniably difficult. Cybercrime is likely here to stay, but with preparation and the right mindset, we can navigate even the most challenging circumstances.