The information below comes from the statement of deficiencies compiled by health inspectors and provided to AHCJ by the Centers for Medicare and Medicaid Services. It does not include the steps the hospital plans to take to fix the problem, known as a plan of correction. For that information, you should contact the hospital, your state health department or CMS. Accessing the document may require you to file a Freedom of Information Request. Information on doing so is available here.

DESERT VALLEY HOSPITAL 16850 BEAR VALLEY RD VICTORVILLE, CA 92395 April 29, 2016
VIOLATION: ORDERS DATED AND SIGNED Tag No: A0454
Based on interview and record review, the hospital failed to ensure the physician orders were authenticated (verified/signed by the prescriber) per the hospital medical staff bylaws for 2 of 30 sampled patients (Patients 2 and 28). This failure resulted in incomplete medical records.

Findings:

1. During a review of the clinical record for Patient 2, the "History and Physical" dated April 24, 2016, indicated Patient 2 was admitted with a chief complaint of a hip fracture.

Further review of the clinical record indicated the physician ordered a blood culture and packed cells (red blood cells that have been collected, processed, and stored in bags and are available for blood transfusion) on April 20, 2016 via a telephone order. The order was not signed by the physician until April 26, 2016, a total of (6) six days after the order.

During an interview with Registered Nurse 1 (RN 1), on April 26, 2016 at 11:47 AM, RN 1 stated the physician had not signed the blood culture or the packed cells order. RN 1 stated physician orders must be signed within 48 hours of ordering.

The facility medical staff bylaws indicated "3.0 Orders ...3.1-2 Verbal/Telephone orders shall be written on the Physician Order Sheet and signed by the person to whom dictated and shall be followed by the name of the practitioner dictating the order and shall be authenticated by the practitioner within forty-eight (48) hours."






2. A review of Patient 28's computer electronic medical record (CEMR) showed the patient was admitted to the hospital on April 8, 2016 with diagnoses that included Sepsis (a serious infection in the blood).

A review of the Physician's Orders showed a telephone order for Zofran (for nausea and vomiting) dated April 24, 2016 and signed by the nurse as receiving the telephone order.

As of April 27, 2016 the telephone order had not been signed by the physician (more than 48 hours after the order was received).

In an interview with RN 1 on April 27, 2016 at

The facility medical staff bylaws indicated, "3.0 Orders ...3.1-2 Verbal/Telephone orders shall be written on the Physician Order Sheet and signed by the person to whom dictated and shall be followed by the name of the practitioner dictating the order and shall be authenticated by the practitioner within forty-eight (48) hours."
VIOLATION: CONTENT OF RECORD Tag No: A0458
Based on interview and record review, the hospital failed to ensure the history and physical examination (H&P) report was completed, as per the hospital medical staff bylaws for 1 of 30 sampled patients (Patient 2). This failure had the potential to affect Patient 2's planned course of treatment and the continuity of care.

Findings:

During a review of Patient 2's medical record on April 26, 2016 at 9:47 AM, it was revealed that Patient 2 was admitted to the hospital on April 18, 2016 for a hip fracture.

Further review of the medical record revealed that the "History and Physical" form was incomplete and signed by the physician dated April 19, 2016.

During an interview with Registered Nurse (RN 1) on April 26, 2013 at 10:12 AM, RN 1 stated Patient 2's history and physical dated April 19, 2016 was not complete. Patient 2's history and physical was completed on April 24, 2016, a total of (6) six days after Patient 2 was admitted to the hospital. RN 1 stated the history and physical has to be completed within 24 hours after admission.

The facility medical staff bylaws indicated "6.2 Admission History and Physical: the attending physician shall record a complete admission history and physical examination within twenty-four (24) hours of admission. This report shall include all pertinent findings resulting from an assessment of all the systems of the body."
VIOLATION: GOVERNING BODY Tag No: A0043
Based on interview and record review, the facility failed to ensure the Condition of Participation CFR 482.12 Governing Body was met when:


1. The hospital failed to ensure there was a policy and procedure in place during a ransomware attack (a computer virus that encrypts data so it cannot be read. The perpetrators demand payment to release a passcode to de-encrypt the computer files). There was no policy and procedure in place that was approved by the Governing Body (GB), that specifically detailed a back up plan on how the hospital should respond to unsuspected or known information system security alerts or incidents. This failure resulted in the facility's computer electronic medical records (CEMR) being unavailable to patient care staff, which had the potential to affect the health and safety and care of all patients in the hospital. (Refer to A-0063)


2 a. The hospital failed to ensure that patient computer electronic medical records (CEMR) were not accessed by unauthorized individuals. The hospital computer data base system was breached by a malware program (ransomware-computer virus that encrypts data so it cannot be read. Then the perpetrators demand payment to release a passcode to de-encrypt the computer files) that was not blocked by the computer security program used by the hospital and created the potential for unauthorized access of any patient medical record. (Refer to A-0441).


b. The hospital failed to develop a policy and procedure that was approved by the Governing Board, that specifically described a back up plan on how the facility should respond to suspected or known information system security alerts or incidents. These failures had the potential for a patient's personal information to be used in ways not authorized by the patient and could have affected patient care. (Refer to A-0441)


3. The hospital failed to ensure eight of 30 sampled patients (Patients 9, 10, 12, 13, 14, 21, 23 and 24) had a care plan during the ransomware attack and computer electronic medical record (CEMR) downtime from March 18, 2016 at 11:45 PM to March 25, 2016. This failure had the potential to affect the health and safety of the patients. (Refer to A-0396)


4. The hospital failed to ensure that physician orders for medications were followed and carried out for four of 30 sampled patients (Patients 9, 13, 22 and 23). This failure had the potential to negatively affect the patient's health and safety. (Refer to A-0405)

5. The hospital failed to ensure the following:

a. That the paper Medication Administration Record (MAR) was complete and accurate and physician orders were followed and carried out for six of 30 sampled patients (Patients 9, 12, 21, 24, 13 and 14). This failure resulted in incomplete medical records and had the potential to negatively affect the patient's health and safety. (Refer to A-0438)

b. That the computer electronic medical records (CEMR) were accessible during the week of computer down time. This failure resulted in the past medical records to not be readily available to ensure continuity of patient care. (Refer to A-0438)

The cumulative effect of these systemic practices resulted in the failure of the hospital to ensure the provision of quality health care in a safe environment, which created noncompliance with the Condition of Participation: Governing Body.
VIOLATION: CARE OF PATIENTS Tag No: A0063
Based on interview and record review, the hospital failed to ensure there was a policy and procedure in place during a ransomware attack (a computer virus that encrypts data so it cannot be read. The perpetrators demanded payment to release a passcode to de-encrypt the computer files) that was approved by the Governing Body (GB), that specifically detailed a back up plan on how the hospital should respond to unsuspected or known information system security alerts or incidents. This failure resulted in the computer electronic medical records (CEMR) being unavailable to patient care staff and had the potential to affect the health, safety and care of all patients in the hospital.

Findings:

The hospital was entered on April 25, 2016 to investigate a self-reported incident of a "ransomware" cyber attack on the hospital's computer data base system.

In an interview with Information Technologist 1 (IT 1) on April 25, 2016 at 8:40 AM, he stated they first noticed the x-ray department computer system (PAC) was "misbehaving," the Web page would not load, at about 10:15 PM on March 18, 2016. He stated they had been notified by telephone by their corporate office of the ransomware attack on their computer electronic medical record network. He stated that they (the hospital) relied on (name of computer anti-malware security system) to keep the security system updated. He stated he was called by the IT Director to come in to the hospital on March 18, 2016 at around 11:45 PM due to a ransomware attack. He stated he started checking the computers in the radiology department and saw the ransomware on the computer in the radiology department. He stated the ransomware was asking for 1 bitcoin (internet monetary system) per computer and 50 or 25 per server. Down time (no access to the CEMR) immediately started in every department on March 18, 2016 at approximately 11:45 PM and lasted until March 25, 2016.

During an interview with the Medical Surgical/Telemetry Director (MSTD), on April 25, 2016 at 9:35 AM, she stated during the downtime (all computer systems were down) period between March 19, 2016 through March 25, 2016, the facility reverted back to paper charting utilizing downtime forms. The MSTD stated that all medications were written on the paper Medication Administration Record (MAR) and an every 12 hour chart check (ensures that all orders have been entered/transcribed and carried out) was implemented. The MSTD stated all laboratory and radiology orders were written on a requisition form and taken to their designated departments for processing. The MSTD stated there were no incidents of missing orders.

A review of Patients 9, 10, 12, 13, 14, 21, 23 and 24's paper medical records showed there were no care plans in the downtime paper medical record to direct the nursing care of the patients.

In an interview with RN 1 and the Director of Performance Improvement on April 28, 2016 at 3:50 PM, they stated there were no care plans developed for the patients during the CEMR downtime with the exception of the Labor and Delivery Department, the emergency room and some Intensive Care Unit patients. (Refer to A-0396)

A review of patients' paper medication administration records (MAR) during the survey showed that for Patients 9, 13, 22 and 23 there were physician orders that were not followed or carried out. (Refer to A-0405)

During an interview with RN 1, on April 28, 2016 at 3:39 PM, she reviewed the paper medical record and stated there were a lot of transcription errors on the MAR. (Refer to A-0438)

A review of the policy and procedure titled "Protection From Malicious Software Policy" with a review date of October 2015, showed the following:

"Procedure(s):
(hospital name) will subscribe to updates to malicious software checking program

(hospital name) will ensure that updates are being received and applied on a daily basis.

(hospital name) will conduct security training that will include information on:

Potential harm that can be caused by malicious software

Prevention of malicious software such as viruses

Steps to take if a malicious software such as a virus is detected."

There was no detailed back up plan in case the malicious software first defense checking program failed.
VIOLATION: NURSING SERVICES Tag No: A0385
Based on interview and record review the hospital failed to ensure the Condition of Participation: CFR 482.23 Nursing Services was met by failing to:


1. Ensure the patients had a care plan during the ransomware attack (ransomware-computer virus that encrypts data so it cannot be read. Then the perpetrators demand payment to release a passcode to de-encrypt the computer files) and the computer electronic medical record downtime from March 18, 2016 at 11:45 PM to March 25, 2016. This failure had the potential to affect the health and safety of the patients. (Refer to A-396)


2. Ensure that physician orders for medications were followed and carried out for 4 of 30 sampled patients (Patients 9, 13, 22 and 23). This failure had the potential to negatively affect the patient's health and safety. (Refer to A-0405)

The cumulative effect of these systemic practices resulted in the failure of the hospital to deliver care in compliance with the Condition of Participation: Nursing Services.
VIOLATION: NURSING CARE PLAN Tag No: A0396
Based on interview and record review, the hospital failed to ensure, for 8 of 30 sampled patients (Patients 9, 10, 12, 13, 14, 21, 23 and 24), the patients had a care plan during the ransomware attack (ransomware-computer virus that encrypts data so it cannot be read. The perpetrators demanded payment to release a passcode to de-encrypt the computer files) and computer electronic medical record (CEMR) downtime from March 18, 2016 at 11:45 PM to March 25, 2016. This failure had the potential to affect the health and safety of the patients.


Findings:

In an interview with Information Technologist 1 (IT 1) on April 25, 2016 at 8:40 AM, he stated they first noticed the x-ray department computer system (PAC) "misbehaving," the Web page would not load, at about 10:15 PM on March 18, 2016. He stated they had been notified by telephone by their corporate office of the ransomware attack on their computer network... He stated he was called by the IT Director to come in to the hospital on March 18, 2016 at around 11:45 PM due to a ransomware attack... Ransomware was asking for 1 bitcoin (internet monetary system) per computer and 50 or 25 per server. Down time immediately started in every department on March 18, 2016 at approximately 11:45 PM and lasted until March 25, 2016.

A review of Patients 9, 10, 12, 13, 14, 21, 23 and 24's paper medical records showed there were no care plans in the downtime paper medical record to direct the nursing care of the patients.

In an interview with RN 1 and the Director of Performance Improvement on April 28, 2016 at 3:50 PM, they stated there were no care plans developed for the patients during the CEMR downtime with the exception of the Labor and Delivery Department, the emergency room and some Intensive Care Unit patients.
VIOLATION: ADMINISTRATION OF DRUGS Tag No: A0405
**NOTE- TERMS IN BRACKETS HAVE BEEN EDITED TO PROTECT CONFIDENTIALITY**

Based on interview and record review, the hospital failed to ensure that physician orders for medications were followed and carried out for four of 30 sampled patients (Patients 9, 13, 22 and 23). This failure had the potential to negatively affect the health and safety of the patients.

Findings:

1. During an interview with the Medical Surgical/Telemetry Director (MSTD), on April 25, 2016 at 9:35 AM, she stated during the downtime (all computer systems were down) period between March 19, 2016 through March 25, 2016, the facility reverted back to paper charting utilizing downtime forms. The MSTD stated that all medications were written on the paper Medication Administration Record (MAR) and an every 12 hour chart check (ensures that all orders have been entered/transcribed and carried out) was implemented. The MSTD stated all laboratory and radiology orders were written on a requisition form and taken to their designated departments for processing. The MSTD stated there were no incidents of missing orders.

During a review of the clinical record for Patient 9, it showed that Patient 9 was admitted to the hospital on March 21, 2016 to Rule out Acute Coronary Syndrome (decreased blood flow in the major heart arteries).

A review of the clinical record, the "Physician's Order Sheet" dated March 23, 2016, at 3:00 PM indicated "Coumadin (blood thinner) 5 mg PO (by mouth) today a 5:00 PM."

During an interview with RN 1, on April 28, 2016 at 3:39 PM, she reviewed the clinical record and was unable to find documented evidence that Patient 9 received Coumadin 5 mg on March 23, 2016 as ordered by the physician. RN 1 stated Patient 9 should have received the Coumadin as ordered by the physician.






2. During an interview with the Medical Surgical/Telemetry Director (MSTD), on April 25, 2016 at 9:35 AM, she stated during the downtime (all computer systems were down) between March 19, 2016 through March 25, 2016, the facility reverted back to paper charting utilizing downtime forms. The MSTD stated that all medications were written on the paper MAR and an every 12 hour chart check (ensures that all orders have been entered/transcribed and carried out) was implemented. The MSTD stated there were no incidents of missing orders.

A review of Patient 13's medical record showed the patient was admitted to the hospital on March 17, 2016, with diagnoses that included back pain.

A review of the pharmacy Patient Profile [a form listing the medications ordered by the physician generated by the pharmacy and used during the computer down time so nurses could re-create the patient's MAR (medication administration record) on paper] showed an order for Regular insulin (an injection that lowers blood sugar-given to diabetics) 1 unit/0.01 ml (milliliter) Q (every) 6 hours, subcutaneous (an injection just under the skin and not into the muscle). There was no dosage listed and no sliding scale (dosing of insulin based on the patient's blood sugar results) listed.

A review of Patient 13's paper MAR dated March 19, 2016, showed the following:

Accucheck (a device used to check blood sugar levels) Q6 hours

Regular insulin SC (subcutaneous) sliding scale Q6 hours.

There was no indication on the paper MAR when the insulin was to be given based on the patient's blood sugar level. There was no documentation that the nurse called the physician to clarify what insulin sliding scale was ordered for the patient.

A further review of the paper MAR dated March 19, 2016, showed that a blood sugar was checked at 12:00 PM. The blood sugar result was 139 (elevated-high normal is 100).

A review of the computer electronic medical record (CEMR) Physicians Orders (the nurses did not have access to the computer order during the down time) showed the following:

Start date March 18, 2016 If blood sugar 131 to 160 give 2 units regular insulin (medication to lower blood glucose level).

There was no documentation in Patient 13's medical record that the insulin had been given or that the physician had been notified of the elevated blood sugar.

In an interview with Registered Nurse 2 (RN 2) on April 27, 2016 at 4:29 PM, she stated that the insulin is per sliding scale. The Pharmacy Patient Profile did not have the sliding scale so she did not document it. She stated if she had a high reading (blood sugar), anything above 120, she would call the doctor to clarify the insulin order.

3. A review of Patient 22's medical record showed the patient was admitted on [DATE], with diagnoses that included incomplete abortion (miscarriage).

A review of the Pre-Procedural/Surgical Site Confirmation Form showed an entry under section 4. SCIP (Surgical Care Improvement Project) Antibiotic Administered: The following was documented and signed by a registered nurse:

Clindamycin (an antibiotic) 600 mg (milligrams) IV (intravenous) Date: March 23, 2016 Time: 8:24 AM

In a review of the medical record with Registered Nurse 1 (RN 1) on April 27, 2016 at 3:45 PM, she was unable to find a physician order for the clindamycin. RN 1 acknowledged there should be an order by the physician.

4. A review of Patient 23's medical record showed the patient was admitted to the hospital on March 2, 2016 with diagnoses that included altered level of consciousness.

A review of the patient's paper MAR dated March 19, 2016, showed the following:

Accucheck (a device to check a person's blood sugar) Q (every) 4hr. A blood sugar check was done at 6:00 PM and was 153 (high).

A review of the Pharmacy Patient Profile showed regular insulin 1 unit/0.01 ml SC (an injection just under the skin). There was no sliding scale documentation. The order was not clarified with the physician for the nurse to know how much insulin to give the patient.

A review of the computer physician orders (the nurse did not have access to the computer during downtime) showed a sliding scale order. If blood sugar 131 to 160, give 2 units regular insulin.

There was no documentation in the medical record that the insulin was given or that the physician was notified of the elevated blood sugar.

In an interview with RN 1 on April 28, 2016 at 3:30 PM, she stated that she could not find any documentation that the patient received the insulin.
VIOLATION: MEDICAL RECORD SERVICES Tag No: A0431
Based on interview and record review, the hospital failed to ensure the Conditions of Participation CFR 482.24 Medical Records Services was met by failing to:


1. Ensure the following:

a. That the paper Medication Administration Record (MAR) was complete and accurate and physician orders were followed and carried out for six of 30 sampled patients (Patients 9, 12, 21, 24, 13 and 14). This failure resulted in incomplete medical records and had the potential to negatively affect the patient's health and safety. (Refer to A-0438)

b. That the computer electronic medical records (CEMR) were accessible during the week of computer down time due to the ransomware attack. This failure resulted in the past medical records to not be readily available to ensure continuity of patient care. (Refer to A-0438)


2. Ensure the facility's computer electronic medical record (CEMR) was protected from a ransomware attack with a ransom demand (a malware intrusion into a computer system demanding money for exchange of passcodes in order to retrieve their system). (Refer to A-0441)


3. Ensure the physician orders were authenticated (verified/signed by the prescriber) per the hospital medical staff bylaws for 1 of 30 sampled patients (Patient 2). This failure resulted in incomplete medical records. (Refer to A-0454)

4. Ensure the history and physical examination (H&P) report was completed, as per the hospital medical staff bylaws for 1 of 30 sampled patients (Patient 2). This failure had the potential to affect Patient 2's planned course of treatment and the continuity of care. (Refer to A-0458)

The cumulative effect of these systemic problems resulted in the failure of the hospital to deliver care in a safe setting and be in compliance with the Condition of Participation for Medical Records.
VIOLATION: FORM AND RETENTION OF RECORDS Tag No: A0438
**NOTE- TERMS IN BRACKETS HAVE BEEN EDITED TO PROTECT CONFIDENTIALITY**

Based on interview and record review, the hospital failed to ensure the following:

1. That the paper Medication Administration Record (MAR) was complete and accurate and physician orders were followed and carried out for 6 of 30 sampled patients (Patients 9, 12, 21, 24, 13 and 14). This failure resulted in incomplete medical records and had the potential to negatively affect these patients' health and safety in a universe of 105 patients.


2. That the computer electronic medical records (CEMR) were accessible during the week of computer down time. This failure resulted in old medical records to not be readily available to ensure continuity of patient care.

Findings:

1. During an interview with the Medical Surgical/Telemetry Director (MSTD), on April 25, 2016 at 9:35 AM, she stated during the downtime (all computer systems were down) period between March 19, 2016 through March 25, 2016, the facility reverted back to paper charting utilizing downtime forms. The MSTD stated that all medications were written on the paper Medication Administration Record (MAR) and an every 12 hour chart check (ensures that all orders have been entered/transcribed and carried out) was implemented. The MSTD stated all laboratory and radiology orders were written on a requisition form and taken to their designated departments for processing. The MSTD stated there were no incidents of missing orders.

a. During a review of the medical record for Patient 9, it showed that Patient 9 was admitted to the hospital on March 21, 2016 to Rule out Acute Coronary Syndrome (decreased blood flow in the major heart arteries).

During a further review of the medical record, the "General Admission Order" dated March 21, 2016, at 2:50 AM indicated, "ASA (aspirin) 81 mg (milligrams) PO (by mouth) daily, Nitroglycerin (medication used to treat chest pain) 0.4 mg SL (Sublingual) PRN (as needed) for chest pain, Protonix (anti-acid) 40 mg PO (by mouth) and lipid panel (measures cholesterol levels in the blood)."

During an interview with RN 1, on April 28, 2016 at 3:39 PM, she reviewed the medical record and was unable to find documentation of the ASA, Nitroglycerin, and Protonix on the paper MAR (medication administration record-list of medications). RN 1 stated there were a lot of transcription errors on the MAR. RN 1 further stated she was unable to locate a lipid panel result in the clinical record.

b. During a review of the medical record for Patient 12, it showed that Patient 12 was admitted to the hospital on March 17, 2016 for COPD (Chronic Obstructive Pulmonary Disease-breathing disorder).

A further review of the medical record showed the pharmacy patient profile [a form listing the medications ordered by the physician generated by the pharmacy and used during the computer down time] dated March 19, 2016 indicated "Lipitor (medication used to lower cholesterol), 10 mg PO (by mouth) daily, Metoprolol (high blood pressure medication) 12.5 mg PO HS (bedtime), and Zoloft (antidepressant) 25 mg PO daily."

During an interview with RN 1, on April 28, 2016 at 4:22 PM, she reviewed the medical record and was unable to find documentation that Lipitor was on the paper MAR dated March 19, 2016. Furthermore, there was no documented evidence that Metoprolol and Zoloft were on the other (undated) paper MAR.

c. During a review of the medical record for Patient 21, it indicated that Patient 21 was admitted to the hospital on March 20, 2016 for general weakness.

During a further review of the medical record, the "General Admission Order" dated March 21, 2016 at 12:20 AM, indicated "IV (intravenous) NS (normal saline-salt water) at 75 ml (milliliters) per hour, Na (sodium) check every 6 hours."

During an interview with RN 1, on April 28, 2016 at 10:43 AM, she reviewed the medical record and was unable to find documentation of the IV Normal Saline order on the paper MAR. RN 1 stated the Sodium level checks every six hours were not carried out per the physician orders. RN 1 stated "I need to go back on the floor and educate."

d. During a review of the medical record for Patient 24, it indicated Patient 24 was admitted to the hospital on March 21, 2016 for SOB (shortness of Breath).

A further review of the medical record showed the "General Admission Order" dated March 21, 2016 at 5:20 AM indicated, "Pulmonary (lung specialist) Consult, hemoglobin A1C (checks blood sugar level over the past 3 months), and echocardiogram (X-ray of the heart)."

During an interview with RN 1, on April 28, 2016 at 2:39 PM, she reviewed the medical record and was unable to find documentation that Patient 24 received a pulmonary consult, a hemoglobin A1C test and an echocardiogram as ordered by the physician.





e. A review of Patient 13's medical record showed the patient was admitted to the hospital on March 17, 2016 with diagnoses that included [DIAGNOSES REDACTED]

A review of the Pharmacy Patient Profile (a document listing all the physician orders the pharmacy had received-used during the computer down time) showed the following:

clonazepam (antianxiety medication) 0.5 mg (milligrams) tablet po (by mouth) Q (every) 12 hours PRN (as needed)

A review of the patient's MAR (Medication Administration Record) hand written during the week the computer electronic medical record (CEMR) was down showed the following for March 19, 2016:

clonazepam Q 12 hours PRN anxiety

There was no dose listed for the medication on the paper MAR. The nurse would not know what strength of medication to give.

In an interview with Registered Nurse 1 (RN 1) on April 27, 2016 at 2:20 PM, she stated that there should be a dose for the clonazepam listed on the MAR.

f. A review of Patient 14's medical record showed the patient was admitted on [DATE] with diagnoses that included [DIAGNOSES REDACTED]

A review of the Pharmacy Patient Profile showed the following:

Rocephin (antibiotic-used to treat infection) 1 Gm (gram)/D5W (5% dextrose in water) 50 ml (milliliters) IV (intravenous-into the vein) daily

Flagyl (a medication used to fight infection) 500 mg in 100 ml IV bag Q6 hours

Protonix (stomach acid reducer) 40 mg IV daily

Lactated Ringers (an intravenous solution) 1000 ml Q6 hours

A review of the patient's paper MAR dated March 19, 2016 at midnight, showed the following:

Rocephin 1 Gm/50 ml D5W IVPB (intravenous piggyback-IV medication attached to an IV line) There was no scheduled time that it was to be administered.

Flagyl 500 mg/100 ml at 100 ml/hr (listed on the [DATE] times on the same page) There was no route for it to be given and no scheduled time that it was to be administered.

Protonix 40 mg IVP (intravenous push). There was no scheduled time that it was to be administered.

Lactated Ringers @ (at) 150 ml/Hr IV (listed on the [DATE] times on the same page).

A review of the patient's MAR dated March 19, 2016 at 11:00 PM, showed the following:

Flagyl 500 mg/100 ml at 100 ml/Hr IV (listed 4 times on the same page). There was no scheduled time that it was to be administered.

Lactated Ringers @ 150 ml/Hr IV (listed twice on the same page).

Rocephin 1 Gm/50 ml @ 100 ml/hr. There was no route for it to be given and there was no scheduled time that it was to be administered.

Protonix 40 mg IVP. There was no scheduled time that it was to be administered.

During an interview with RN 1, on April 28, 2016 at 3:39 PM, she reviewed the clinical record and stated there were a lot of transcription errors on the MAR.

2. In an interview with Information Technologist 1 (IT 1) on April 25, 2016 at 8:40 AM, he stated they first noticed the x-ray department computer system (PAC) "misbehaving," the Web page would not load, at about 10:15 PM on March 18, 2016. He stated they had been notified by telephone by their corporate office of the ransomware attack on their computer electronic medical record (CEMR) network. He stated that they (the hospital) relied on (name of computer anti-malware security system) to keep the security system updated. He stated he was called by the IT Director to come in to the hospital on March 18, 2016 at around 11:45 PM due to a ransomware attack. He stated he started checking the computers in the radiology department and saw the ransomware on the computer in the radiology department. He stated he started bringing the computers from the radiology department to the IT department and then started bringing in computers from other places in the hospital. Ransomware was asking for 1 bitcoin (internet monetary system) per computer and 50 or 25 per server. Down time immediately started in every department on March 18, 2016 at approximately 11:45 PM and lasted until March 25, 2016.

In an interview with the Chief Nursing Officer on March 25, 2016 at 4:13 PM, he stated that the computer server was severed from the internet and intranet and they had no access to the CEMRs that were prior to March 18, 2016 when the computers were down due to the ransomware.

A review of a hospital policy and procedure titled "Meditech (computer medical record program) Downtime" with a governing board approval date of February 2016 showed the following:

"3. Assignment and Procurement of Medical Records

3.2.1 If there is no advance notice of downtime, only active records located within the Medical Records Department may be retrieved."
VIOLATION: CONFIDENTIALITY OF MEDICAL RECORDS Tag No: A0441
Based on interview and record review, the hospital failed to ensure that patient computer electronic medical records (CEMR) were not accessed by unauthorized individuals. The hospital computer data base system was breached by a malware program (ransomware: a computer virus that encrypts data so it cannot be read; the perpetrators then demand payment to release a passcode to de-encrypt the computer files) that was not blocked by the computer security program used by the hospital and created the potential for unauthorized access of any patient medical record. The hospital failed to develop a policy and procedure that was approved by the Governing Board, that specifically described a back up plan on how the facility should respond to suspected or known information system security alerts or incidents. These failures had the potential for a patient's personal information to be used in ways not authorized by the patient and could have affected patient care of all patients in the hospital.

Findings:

The hospital was entered on April 25, 2016 to investigate a self-reported incident of a "ransomware" cyber attack on the hospital's computer data base system.

A review of the policy and procedure titled "Protection From Malicious Software Policy" with a review date of October 2015, showed the following:

"Procedure(s):
(hospital name) will subscribe to updates to malicious software checking program

(hospital name) will ensure that updates are being received and applied on a daily basis.

(hospital name) will conduct security training that will include information on:

Potential harm that can be caused by malicious software

Prevention of malicious software such as viruses

Steps to take if a malicious software such as a virus is detected."

There was no detailed back up plan in case the first line of defense, the malicious software checking program, failed.

In an interview with Information Technologist 1 (IT 1) on April 25, 2016 at 8:40 AM, he stated they first noticed the x-ray department computer system (PAC) "misbehaving," the Web page would not load, at about 10:15 PM on March 18, 2016. He stated they had been notified by telephone by their corporate office of the ransomware attack on their computer electronic medical record network. He stated that they (the hospital) relied on (name of computer anti-malware security system) to keep the security system updated. He stated he was called by the IT Director to come in to the hospital on March 18, 2016 at around 11:45 PM due to a ransomware attack. He stated he started checking the computers in the radiology department and saw the ransomware on the computer in the radiology department. He stated the ransomware was asking for 1 bitcoin (internet monetary system) per computer and 50 or 25 per server. Down time immediately started in every department on March 18, 2016 at approximately 11:45 PM and lasted until March 25, 2016.

In an interview with IT 1 on April 25, 2016 at 11:17 AM, when asked how encrypting files works, he stated that if the files are encrypted by us, we use a passcode to open the file; if they (the perpetrators) encrypt it, he did not know if they could view the CEMR. "I think they just wanted the money, not viewing the files (medical records)."


In an interview with the Network Engineer (NE) on April 25, 2016 at 11:45 PM, he stated that he was notified at 11:40 PM and he came to the hospital and severed the network connection with the Internet and the intranet (corporate system). He stated the ransomware will look for its target and overwrite the computer files, making them unreadable. He stated, "Everything was encrypted by the malware." The system was shut down on March 18, 2016, close to midnight, and was brought back up on March 25, 2016. He acknowledged the computer anti-malware security system did not prevent the breach by the ransomware.

The Information Technology Department staff was unable to say for sure that none of the medical records had been looked at by unauthorized persons.

In an interview with the Chief Nursing Officer on March 25, 2016 at 4:13 PM, he stated that the computer server was severed from the internet and intranet and they had no access to the medical records that were prior to March 18, 2016 when the computers were down due to the ransomware.

During an interview with the Medical Surgical/Telemetry Director (MSTD), on April 25, 2016 at 9:35 AM, she stated during the downtime (all computer systems were down) period between March 19, 2016 through March 25, 2016, the facility reverted back to paper charting utilizing downtime forms. The MSTD stated that all medications were written on the paper MAR and an every 12 hour chart check (ensures that all orders have been entered/transcribed and carried out) was implemented. MSTD stated all laboratory and radiology orders were written on a requisition form and taken to their designated departments for processing.