Hacked, Shut Down, But Still Seeing Patients: U. of Vermont Medical Center Shares Strategies

Health Care Compliance Association (HCCA)

Health Care Compliance Association (HCCA)

Report on Patient Privacy 22, no. 6 (June, 2022)

Sometimes numbers tell the most compelling story. So, here are some associated with a cyberattack the University of Vermont Medical (UVM) Center suffered in October 2020 (and, yes, during the pandemic):

  • 28 days—how long UVM’s systems were “off-line.”

  • 1,300—the number of servers that had to be cleaned of malware.

  • 5,000—the number of “end user” devices, including laptops, that also had to be wiped.

  • $50 million—the estimated cost of the attack, attributed mostly to lost patient revenue.

  • $0—the amount UVM paid the hackers.

While the outlines of what UVM, part of a network of six hospitals, experienced have been reported, two medical center officials who helmed mitigation and recovery efforts recently shared details previously not public, with the goal of helping other organizations that might find themselves in similar dire straits. They also offered specific lessons they learned.[1]

The two UVM leaders—Steven Leffler, chief operating officer, and Douglas Gentile, senior vice president for information technology (IT) at the University of Vermont Health Network, discussed their insights with John Riggi, senior advisor for cybersecurity and risk for the American Hospital Association, as part of a series of podcasts Riggi conducts to offer a “frontline perspective.”[2]

Both former emergency medicine physicians, Leffler and Gentile described the separate but related effects of the attack on clinical care and on IT, as well as how they decided to split the command structure to more efficiently address significant tasks.

UVM followed “downtime procedures” that had been practiced, but the drills were predicated on systems being crippled for 12 hours, at most. And, despite the passage of time from the attack, Leffler and Gentile still speak with awe about how one of the first issues they had to face was teaching some doctors how to function in a paper-based world.

“Many of our residents and young physicians had never written paper orders. They’d never written paper notes,” so members of the IT team had to work with them, Gentile said. Added Leffler, “On the first day we were down, I was rounding and the chairman of pediatrics was teaching his interns how to do paper admission orders, literally on the board. They had never done it.”

[View source.]

Written by:

Health Care Compliance Association (HCCA)

Health Care Compliance Association (HCCA) on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide