John Gaede, director of information systems, Sky Lakes Medical Center, Oregon, discusses how the hospitals IT team overcame a ransomware attack in 2020 during the height of COVID that took down their entire network.
Gaede shares how his team and partner vendors sprung in action, working around the clock to trying to remedy the situation. Sky Lakes is located north of the Oregon-California state border and is the sole hospital in a 10,000 square mile radius in a very rural, isolated area of Oregon.
He said the hackers were able to access the hospital system using a phishing email on a Monday morning in October 2020 that offered a bonus for employees. When an employee clicked an attachment in the email, malware immediately started propagating through the hospital’s IT systems. A nurse called the IT department around 1:30 a.m. to report the electronic medical record system was extremely slow. The IT department called in engineers to figure out the issue soon after and they determined by 5 a.m. they had a ransomware attack. Gaede said they determined the ransomware encryption started on their systems around 11 p.m. Monday evening.
“Ultimately, it took us about seven months as an organization to full recover and bring everything back online,” Gaede explained. “At first we had every system in our hospital offline. All financial systems, supply chain system, electric medical record (EMR), all of diagnostic imaging, all of cardiology, all of the laboratory systems. This was also in October 2020, which was the start of the first wave of the pandemic for us. So we were dealing with all the unknowns of COVID as patients started coming in and at the same time they lost all their tools for taking care of patients.”
In radiology, they were able to continue to run all of the modalities, but they had to have biomed engineers and the imaging system vendors to first verify the imaging systems were not compromised in the attack. Because they lost access to PACS, radiologists were unable to read images remotely, so had to be at the hospital. In addition, they could only read the studies on the each of the imaging systems’ because they could not access the images at any workstations. Storage on the imaging systems themselves is also limited, so the attack required radiology to burn the images from each exam onto CDs for storage to open enough room own the scanners to perform more imaging exams.
“It became really, really complicated and concerns around patient safety began to arise,” Gaede said.
Several days into the attack on a Saturday, he called a vice president at M-Model/3M, which provided the hospitals radiology reporting software, and asked for any help they could give. “I told them about our situation and that was when you really find out the true about humanity, and they stepped up and the partnership came in,” Gaede explained.
While the reporting side of radiology was quickly restored, PACS was another story. He said their PACS vendor said out would take at least three months to restore the PACS. “We knew there was no way we could provide for our community, and that is significant at out location in Sky Lakes because we are a very rural community and you have to drive about 100 miles away in any direction, you have to go over mountain passes, and we were approaching wintertime,” he said.
Looking for a more immediate solution, Gaede asked a long-time friend who had been involved in diagnostic imaging and asked who the top PACS vendors were so he could start making phone calls. He was given the names of two vendors, whom he called on a Friday to see if they could assemble a plan to help them get back online as soon as possible.
“I reached out to them on a Friday and asked them to come up with a plan to help us get up and running as soon as possible. On Monday, I met with our seniors radiologist management team and we selected Sectra PACS. We verbally said to them let’s do this and had not signed any contracts, and we kicked the project off Monday evening. Sectra stood up and within two days had a complete infrastructure built in Amazon for us, and by Friday our radiologists were reading studies on an iPad. On Saturday, we had a fully integrated RIS (radiology information system) from a Sectra partner vendor Abbadox, and we up and running with the new Sectra PACS and with the M-Model reporting system.”
Gaede said their radiology hardware and software system integration vendor Electromek also provided rapid response to make all the integrations work smoothly.
It would take another 23 days to get the hospital EMR back online. He said the radiologists had full access and integration with the EMR and Epic Radiant the next day.
Taking stock of damage to radiology caused by the cyberattack
Skylakes Medical Center had about 1.5 million images archived and it adds about 100,000 new images per each year. There was a major concern all of this imaging data was lost.
“The ransomeware completely encrypted every Windows-based system in our hospital, including our PACS. And I want to tell you how powerful it is for the simple act of walking up to a server and pushing the power button to power it off. That action was taken by one of our engineers after we decided to shut everything down before we had more lateral movement in our environment. Out of 1.5 million images, that action helped save most of it and we only lost 140 images,” Gaede explained. “It started out to be about 700 images we lost, but between the archive and various backups, we were able to put the pieces things together and it ended up only being 140.”
Gaede said they got very lucky, because after reviewing all of the 140 exams that were lost, it was found they were all older images that were no longer clinically relevant.
“We have a mission statement at Skylakes that we saves lives and innovate, in that order, and this experience truly brought that mission together. And we could not have done it without partners like Electromek, M-Model and Sectra.”