WICHITA, Kansas — For three weeks, nurses taking care of sick and preterm babies at Ascension Via Christi St. Joseph in Wichita — locked out of a computer system that reduces medication errors — have resorted to hand-verifying that their vulnerable patients are receiving the right amounts of the right drugs.
“It’s kind of a precarious situation,” said Marvin Ruckle, a longtime neonatal intensive care nurse at the Wichita hospital and a member of the nurse’s union.
“A baby could be dosed wrong — and there could be a (bad) outcome from that, because babies get very small doses of medication.”
It’s one of the many consequences of an expansive cyberattack that hit the hospital’s nonprofit owner earlier this month. Ascension, which operates hospitals, clinics and nursing homes in Kansas and over a dozen other states, took many electronic systems offline when it discovered “unauthorized access” on its network on May 8.
After initially diverting patients from some of its emergency rooms and postponing some elective surgeries, the hospital chain now says all care sites in Kansas are open and operational. In an update posted to its website Wednesday evening, Ascension said it is working “around the clock” to fully restore its network and has begun to bring electronic health record access back online in some areas.
“Please know our hospitals and facilities remain open and are providing safe care,” the update said.
But Ascension nurses in Kansas say many of the electronic systems they rely on to care for critically ill patients are still inaccessible — and they’re increasingly worried it could result in dangerous errors that harm patients.
“We are put in a situation where the double checks are gone,” said Lisa Watson, a medical ICU nurse at Ascension Via Christi St. Francis in Wichita. “This is a recipe for disaster.”
Watson, who is a member of her union’s bargaining team, said it’s harder to determine the most basic of facts, like whether a patient is allergic to a given medication. She said she now has to call around to multiple departments — emergency room, pharmacy, lab — to find out information that would ordinarily automatically populate in a patient’s chart.
Recently, she said, the wrong paperwork accompanied a newly admitted patient — paperwork for a different patient with the same first name.
“There are just a lot of ways,” she said, “that mistakes can be made.”
An Ascension spokesperson declined to comment on the nurses’ statements. In its latest update, the organization said it sends “a sincere note of gratitude to our dedicated clinicians who are providing care under challenging circumstances.”
Nurses say low staffing worsens crisis
Watson, Ruckle and other nurses in their union are urging Ascension — which, they say, has long operated with bare-minimum staffing levels — to increase staffing to help account for the extra work required while network access is down.
They said the paper charting is even more time-consuming than it was back before hospitals went digital because they now are short of infrastructure — carbon copy forms and fax machines — that once aided it. Younger nurses without experience with analog processes often need extra guidance.
“We have all of these extra tasks, and we’re asking for help, and we’re not getting it,” Watson said.
“I am concerned about my license,” she added. “I’m more concerned about hurting somebody — because, licensed or not, I have to live with that for the rest of my life.”
In recent weeks, Ruckle said he told his supervisor he felt staffing levels were dangerously low, but was told levels could not be increased because there were not enough nurses willing to take on extra shifts.
The Wichita nurses, represented by National Nurses Organizing Committee/National Nurses United, said Ascension has not responded to a petition they delivered last week requesting that hospital executives reinstate a bonus program that would incentivize nurses to pick up extra shifts. The program ended, the nurses say, after they ratified their first union contract in April.
Both Watson and Ruckle said they’re not aware of any adverse patient outcomes tied to the cyberattack. But they said the risk of dangerous mistakes mounts as the days go by.
That takes a direct toll on nurses, according to Ruckle.
“Nurses go home after every shift, stressing — did I check everything? Did I do everything right?”
Attack linked to prolific cybercrime group
Ascension has not said who was behind the attack, but experts think a cybercriminal group called Black Basta is at least partially responsible. Hackers using Black Basta’s ransomware technology have attacked over 500 organizations in the last two years, according to a joint advisory released by four federal agencies earlier this month.
Typically, attackers will gain access to an organization’s network through phishing or other means — and then use a “double-extortion model,” stealing data and locking the organization out of it. An organization might be given 10 or 12 days to pay a ransom before its sensitive data is published.
“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts for patient care disruptions,” the advisory said.
Cybersecurity experts say the Ascension attack is particularly severe because of the organization’s large reach. The nonprofit owns around 140 hospitals in 19 states in addition to numerous outpatient clinics and nursing homes.
“The combination of various health care institutions into a single body was perhaps one of the reasons why it was such an attractive target,” Jack Danahy with the cybersecurity firm NuHarbor Security said, “because so many hospitals and so many patients were affected.”
It’s unclear whether Ascension paid a ransom to attackers. Danahy said many experts assume the organization has not, due to the time it is taking to reinstate systems.
Was patient data stolen?
Ascension has not yet said whether hackers stole patients’ medical records, payment information or other data. Patients in several states have already filed lawsuits over the attack, alleging Ascension did not do enough to protect their data.
Danahy said he is not aware of any Ascension patient data published on the dark web so far.
Past Black Basta attacks, including against the American Dental Association, have led to the leak of private health information and Social Security numbers. Other breaches have led to the release of cancer survivors’ sensitive photos and K-12 students’ psychological records.
Most data breach victims are offered free credit monitoring services, but Danahy said little is often done to compensate the victims of medical data breaches whose intimate information becomes public.
“I don’t know if there is recompense for your most private information being released,” he said. “I don’t think the law necessarily contemplated it — nor did they contemplate where the responsibility should lie.”
It might be difficult for those suing Ascension to prevail in court, Danahy said, because there’s little regulation around how diligently organizations must protect people’s data. He said the size of the Ascension attack could motivate regulators to better define security standards in the future.
“This may be one of those (defining events) that causes us all to reconsider: Should we be defining what sufficient protection is so that we actually can have some recourse in the event that people don’t meet that standard?
“I think the first decision that we have to make, as a community, is that we do value that private information,” he said, “and we do value organizations that protect it well.”
Rose Conlon reports on health for KMUW and the Kansas News Service.
The Kansas News Service is a collaboration of KCUR, KMUW, Kansas Public Radio and High Plains Public Radio focused on health, the social determinants of health and their connection to public policy.
Kansas News Service stories and photos may be republished by news media at no cost with proper attribution and a link to ksnewsservice.org.