Hospitals throughout MedStar Health’s network continued to face problems with their online systems Wednesday, two days after a cyberattack crippled the health-care giant’s email and patient records databases.
“Our electronic medical records system is working,” spokeswoman Ann Nickels said. “Individual work stations may not be working.”
MedStar also issued a statement Wednesday saying that “the three main clinical information systems supporting patient care are moving to full restoration, and enhanced functionality continues to be added to other systems.”
But what systems worked and where varied, according to staffers reached by The Washington Post.
“In the inpatient units that I’m aware of, everything is off. The computers are off,” said Stephen Frum, a labor representative for National Nurses United who has worked closely with MedStar for 15 years. “The system may be working, but if no one can access it, what use is that?”
The $5 billion health-care provider, which operates 10 hospitals and more than 250 outpatient medical centers in the Washington region, has contended with the crisis since early Monday, frustrating patients and staff members, some of whom asserted that the problems have been worse than MedStar has acknowledged.
On Wednesday morning, The Post surveyed emergency departments at nine MedStar hospitals, and staff members at four of them — including Georgetown University Hospital and Good Samaritan Hospital in Baltimore — said their computers remained offline. Staffers at two hospitals declined to comment on the state of their computer systems. The rest indicated that some systems and computers were working.
A psychologist who works in an outpatient medical center in the District said staffers in her office were able to access the primary medical records database but still had to fax prescriptions.
At MedStar Washington Hospital Center, an emergency-room nurse said that by Wednesday afternoon, her department was “almost fully functional” but that other floors “still have no access to any systems.”
Still, MedStar officials said they had “continued to provide care approximating our normal volume levels,” according to a news release Wednesday afternoon. MedStar officials estimated that the system’s medical personnel had seen more than 6,000 patients and performed 782 surgeries since Monday.
Officials in the hospital network have refused to characterize Monday’s cyberattack as “ransomware,” a virus that holds systems hostage until victims pay for a key to regain access. But a number of employees reported seeing a pop-up on their computer screens seeking payment in bitcoins, an Internet currency. One woman who works at MedStar Southern Maryland Hospital Center sent The Post an image of the ransom note, which demanded that the organization pay 45 bitcoins — equivalent to about $19,000 — in exchange for a digital key that would release the inaccessible data.
“You just have 10 days to send us the Bitcoin,” the note read. “After 10 days we will remove your private key and it’s impossible to recover your files.”
The cyberattack is being investigated by the FBI just weeks after similar episodes at hospitals in Kentucky and California.
The health-care industry is considered particularly vulnerable to ransomware attacks, but such incursions are on the rise everywhere as more victims pay. In a nine-month period in 2014, the FBI investigated 1,838 complaints of such attacks, which cost those targeted more than $23.7 million. In 2015, agents investigated 2,453 complaints in attacks that cost targets $24.1 million.
On Tuesday, Nickels said that MedStar’s facilities, which stretch between Arlington and Baltimore, have operated safely throughout the crisis.
But some patients’ appointments were cancelled Monday and Tuesday, and two nurses and a doctor described serious challenges treating patients without having access to sophisticated computer systems and records.
Medical staffers turned to seldom-used paper records that had to be faxed or hand-delivered. Paper charts are far less comprehensive than digital records. They can be missing vital pieces of patient information such as medical histories, drugs prescribed, allergies to medicines and treatment plans.
“It’s really a very difficult situation to deal with,” said a doctor who works for MedStar at a District location. “It’s a serious warning to other health-care systems.”