The case of the first ransomware death has been reported and it raises serious questions. Why were patients still being admitted to Springhill Medical Center in Alabama nearly eight days after computers were disabled on every floor and the nurses’ stations were cut off from key patient monitoring? A wireless tracker used to locate medical staff was also down. Electronic medical records were inaccessible. Yet patients weren’t told about this cyber-crisis and they weren’t given the option to be transferred to another hospital. In fact, for over a week, even laboring women continued to be admitted to this hospital day after day, without any knowledge that the hospital’s ability to function was severely crippled.
Wasn’t it reasonably foreseeable that computer outages from a cyberattack could cause health care providers to miss critical readouts on fetal heart monitoring equipment? The very purpose of this monitoring equipment is to alert staff when the unborn child is in severe distress and requires an immediate emergency delivery.
The stage was set for disaster when pregnant Teiranni Kidd was admitted to this facility to deliver her baby. Unfortunately, the umbilical cord became wrapped around her unborn child’s neck, cutting off the blood flow and oxygen to the child’s brain. Absent a hack, this is the very type of condition that should have triggered alarms on the heart monitor and resulted in an emergency C-section. During the ransomware attack, this child’s severe distress apparently slipped through the cracks and no doctor was summoned until it was too late. The next day, a text from the attending obstetrician to the nurse manager questioned why the doctor was never notified of the fetal distress so she could emergently deliver the baby. After an hour-long delay in delivery, the child was born profoundly brain injured, and she died months later.
A lawsuit is pending. The Wall Street Journal reports that in a court filing, the hospital argues that it had no obligation to inform the pregnant Ms. Kidd about the cyberattack and that it was appropriate to continue to admit patients during the hack. Really?
With increasing frequency, cyber-meltdowns are crippling our nation’s hospitals. While this may have been the first reported ransomware death, it won’t be the last. Standards must be set for when patients should be informed of a cyberattack, and when the hospital’s census should be reduced until necessary equipment and digital records can be restored. If not now, when? #healthcare #cyber #ransomware