HospitalInspections.org

205 ORCHARD DR

SISSETON, SD 57262

Establishment of the Emergency Program (EP)

Tag No.: E0001

30170

Based on interview, record review, and policy review, the provider failed to ensure:
*Immediate cyber security training for all staff for an identified June 4, 2019 encryption virus that affected ninety-five percent (95%) of the hospital computers.
*Policies and procedures were revised and updated to meet the requirements of Emergency Preparedness (EP) for their facility that identified internal and external risks.
*A comprehensive EP program was developed and implemented that included internal and external risks identified in the facility risk assessment on 7/18/18.
Findings include:

1. Interview on 7/8/19 at 9:20 a.m. with chief executive officer (CEO) A regarding the encryption virus called Ryuk that had been identified on June 4, 2019, revealed:
*Security Metrics was in the facility two weeks ago to complete a forensic investigation of the encryption virus.
*Security Metrics would be submitting a report seven to ten days prior to the sixty-day deadline. The CEO indicated the report would be available the first part of August.
*There was no data breach identified, just malware.
*They identified the issue on June 4, 2019 when staff could not log on to their computers.
*After investigation there had been a phishing email suspected of causing the encryption virus. Ninety-five percent of the provider's computers had been affected.
*All the provider's files were encrypted.
*The electronic medical records were not affected.
*The Internet was shut down for two weeks.
*The staff were given laptops to access and document patient care information using hotspots.
*No protected patient information had been breached.

A meeting with management staff and information technology (IT) manager B attended by the surveyors on 7/9/19 at 10:00 a.m. revealed:
*There were continued issues identified with the computers:
-Problems accessing the Internet. The IT manager had reset the domain server.
-Shortcuts were not working on staff computers.
-The provider was ordering new hard drives.
-The staff were having continued problems logging in. A reboot of the facility's firewall was required to resolve the issue.
*Recovery of information would only go back three years, when they had started using Athena.
*From the surveyors' perspective there had been a lack of communication to staff regarding computer issues resulting from the encryption virus.

Interview on 7/8/19 at 10:25 a.m. with CEO A, chief operating officer (COO) F, and IT manager B regarding the encryption virus revealed:
*There was confusion on June 4, 2019.
*IT manager B took the Internet down and opened up the public Wi-Fi, so staff could use Athena on laptops provided to staff.
*Any information in draft policy was deleted.
*They notified their insurance company and facility attorney.
*Three current employees had received two different phishing emails.
*There was no formal facility wide education provided to all staff including contract physicians regarding phishing emails and cyber security.
*The management team was meeting daily to discuss computer issues. The meeting minutes were handwritten notes by the CEO. There was no formal electronic communication given to all staff regarding updates and issues that had been discussed in those daily meetings.

Review of the provider's 7/18/18 Threat/Hazards Ratings document revealed cyber security had a rating of four on a one to four scale, where four was the highest threat.

Review of the provider's 11/26/18 Information Security Policy revealed:
*The policy should have been adhered to by all facility employees or temporary workers at all locations and by contractors working with the facility as subcontractors.
*The policy defined common security requirements for all facility personnel and systems that create, maintain, store, access, process, or transmit information.
*The first line of defense in data security was the individual facility user. Facility users were responsible for the security of all data that might come to them in whatever format. The facility was responsible for maintaining ongoing training programs to inform all users of those requirements.
*It was the responsibility of the compliance team to provide training on any procedural changes that might have been required as a result of the investigation of an incident.
*There was no relevant information on cyber security.

Interview on 7/8/19 at 11:10 a.m. with IT manager B regarding the identified encryption virus revealed:
*All staff currently have email.
*The staff would only have been able to get to Internet sites that had been approved by the hospital management.
*There had been no restrictions on staff email attachments prior to the phishing email.
*Currently, identified questionable emails went into a file and were checked by IT.
*There had been education provided to the suspected employee but not to the other two employees involved in the phishing email.
*They had not fully identified where the malware was initiated.
*There was no formal documented training of all staff.

Interview on 7/8/19 at 2:25 p.m. with IT manager B and health information manager G regarding cyber security revealed:
*The encryption virus was identified on June 4, 2019.
*There had been fifteen patient files encrypted three years ago, but those files were restored. They identified a staff member had been on the Internet and clicked on "something they should not have."
*There was no documentation of the above past incident.
*She was also unaware if all the staff were aware of the past incident.
*The Information Security policy previously described above was issued in November 2018.
*The decision should have been made by the compliance team to communicate that policy to all staff.
*There had been an all staff meeting approximately three months ago, but the Information Security policy had not been discussed.
*The current firewall in place would prevent staff from accessing unauthorized Internet sites.
*They estimated cyber security measures would be in place by the end of August 2019.

Interview on 7/8/19 at 3:28 p.m. with chief nursing officer (CNO) D regarding staff training for cyber security revealed:
*She remembered the risk assessment but was unsure of the results.
*All policies were available online to staff.
*She was unsure if there had been an email sent to all staff regarding the new Information Security policy; she had not sent an email to staff.
*Notification of new facility policies would become the department manager's responsibility.
*She would have brought a new policy to an all staff meeting and had employees sign off on the new policy.
*There was no formal documentation all staff had been made aware of the Information Security policy.

2. Continued interview with CNO D regarding EP revealed:
*The safety committee should have had meeting minutes related to EP.
*Some of the nursing staff had attended a community based immunization clinic. However, the community based training exercise was not a test for the hospital's EP plan.
*There had been no recent facility training for EP.
*There had been no full-scale community based drill exercises for EP.

Interview on 7/9/19 at 9:15 a.m. with CEO A regarding facility cyber security revealed:
*There had been no cyber security training completed for all staff since the identification of the encryption virus on June 4, 2019.
*He was unaware of the previous cyber security breach that had occurred approximately three years ago.
*None of the current hospital employees were being tested on cyber security. It had been discussed and was on IT's current list of things to complete.
*Training on the November 2018 Information Security policy had not been completed.
*Tightened electronic security measures had been put in place instead of training all employees on cyber security.

Review of the provider's expired 6/30/14 Hospital Disaster Plan revealed:
*The purpose of the policy was to address both external and internal disaster situations that might affect hospital staff, patients, visitors, and the community, and to identify responsibilities of individuals and departments in the event of a disaster situation.
*There was a clear delineation of roles and responsibilities for staff defined in the policy.
*The policy had been created on 10/18/13 and had expired on 6/30/14.
*There had been no further revisions or updates to the policy since the approval date of 10/18/13.

Review of the provider's 7/18/18 Threat/Hazard Ratings document revealed:
*External threats/hazards were as follows:
-Thunderstorm (lightning) was rated a three out of a one to four rating. Four was the highest probability threat.
-Hail, extreme cold, and snowfall/blizzard were rated moderate at 1.1 to 1.5.

3. Interview on 7/9/19 at 9:15 a.m. with CEO A regarding the facility emergency preparedness plan revealed:
*He would not agree there was no EP plan, but there was a policy that needed improvements.
*One of the areas identified on the mock survey completed in April 2019 was EP.
*There was an outdated 6/30/14 EP plan from 2008 for the hospital.
*The EP plan was outdated and was not current with the new federal regulations.
*The outdated 6/30/14 Disaster policy was identified as needing revisions during the mock survey completed in April 2019.