Staff at Erie County Medical Center have scrubbed thousands of hard drives and turned to paper records to chart patient information in an all-hands-on-deck response to a software virus that forced the hospital to shut down its information system on April 9.
"It has been a huge task. We're rebuilding the entire computer system," said Peter Cutler, vice president of communications and external affairs.
Email, lab reports and registration remained among computer functions still disabled Monday as ECMC methodically made repairs to its network. The hospital has also continued to reschedule some elective surgeries.
It's unclear when conditions will return to business as usual.
Cutler said the hospital is continuing to investigate what happened, and wants to be clear and comfortable with the facts before talking publicly about it. He said no payment had been made in connection with the incident.
The hospital has worked for more than a week to resolve the challenging problems. The Kaleida Health and the Catholic Health hospital systems shared information system specialists to assist. Cutler said the hospital also has received help from others, including Meditech, the manufacturer of the hospital's electronic health record software; GreyCastle Security, which provides cybersecurity services; and software giant Microsoft.
"There are a lot of players involved in helping us get things back to normal," he said.
State Police and the FBI have aided hospital staff in the investigation, The News reported last week.
Hospital officials continued to decline to confirm the attack as ransomware, in which perpetrators lock a computer system with a virus until a ransom is paid.
Hospital officials said there is no indication that confidential patient information was compromised, or that hospital data was lost.
IT specialists at the hospital have scrubbed 6,000 hard drives and have begun to return computers to work areas that can be used to view historical patient information prior to April 9. However, the restored computers require a password and, for the time being, ECMC is limiting the passwords to designated staff members as it painstakingly brings the entire network back online.
The hospital has turned to old-school paper to chart patient information since the attack, but the written information will have to be transferred eventually into the electronic health record.
"People are adapting and making things work," Cutler said.
The loss of the computer network has forced ECMC to reschedule some elective surgeries, with priority being given to critical cases.
The hospital still has no timetable for when it could return to business as usual. “It’s as soon as possible. This is not a precise science. You have to work in stages,” Cutler said.
Ransomware is becoming more common, and health care institutions are a primary target. In the world of data breaches, health care organizations will be the most targeted business sector, according to a recent report by the credit reporting firm Experian.
"Of the many threats health care organizations face, we predict that ransomware will continue to be a top concern in 2017, particularly because a disruption of health care system operations could be catastrophic," the report concluded.
Hospitals and health plans experienced nearly 1,800 incidences of large data breaches in patient information from October 2009 to December 2016, according to a study published this month in JAMA Internal Medicine.
Health care organizations covered by the Health Insurance Portability and Accountability Act, or HIPPA, are required by law to report data breaches affecting 500 or more patients within 60 days to the Department of Health and Human Services.