
Newsbytes, 12/17


Raymond D. Aller, MD, and Hal Weiner

Hospital cyberattack a brief setback with lasting gain

Roche to acquire Viewics

Deal gives Sunquest access to clinical interpretation tool

Seacoast adds functionality to lab information system

Hospital cyberattack a brief setback with lasting gain

A cyberattack that paralyzed the computer systems at a rural West Virginia hospital last summer could have brought the laboratory’s work to a screeching halt. But that didn’t happen, thanks, in part, to the downtime procedures in place throughout the laboratory and the low-tech nature of the lab’s pathology operations.

“This was pretty devastating. Everything [in the hospital information system] had to be rebuilt,” says Deby Templeton, administrative director of the laboratory at Princeton Community Hospital, a 200-bed hospital with a substantial Medicare and Medicaid patient population. “But we went on; we did not discontinue any type of testing. We just tried to get through it.”

The virus struck the hospital at 7:30 AM on June 27. The culprit was initially thought to be Petya, notorious ransomware that demands payment for unlocking an institution’s data. “Before we could decide whether to pay ransom, the [payment] site was shut down, and we were left to figure this out on our own,” says Wayne Richmond, Princeton’s manager of information technology systems. “That’s when we realized it was NotPetya, a purely malicious virus designed to look like ransomware.” The virus, which also infected at least two other hospitals in West Virginia, entered Princeton through a vendor, he explains. “The patch [that would have prevented the attack] came from Microsoft two-and-a-half hours after we were attacked, followed by patches from our antivirus and anti-malware vendors.”

All the hospital’s internal servers were infected, including the one hosting Microsoft Exchange, the hospital’s email service. (The Linux-based phone system continued to operate.) “Because we didn’t know how badly we were hit, we immediately shut down our Internet connections,” Richmond says. The hospital’s Meditech electronic health record system and disaster-recovery system reside in the cloud, so no patient data were lost. But access to the EHR system interfaces was restricted, he adds, until the IT staff could replace the hard drives, rebuild the servers, and have Meditech perform stringent testing and verification that the data were not corrupted—a process that took nearly two months.

“Meditech worked with us remotely, and everyone worked very well together,” says Richmond. Based on past experience, the vendor “had some understanding of what had happened and was very anxious to help us.”

Although the hospital’s lab information system is a module of the Meditech EHR system, its anatomic pathology services are “still somewhat low-tech, so we were certainly luckier than the clinical side of the laboratory,” says Thomas C. Martin Jr., MD, medical director of the laboratory. “We usually get paper requisitions from the OR or from physicians’ offices. We make glass slides; nothing is really digitized or computer based other than the reporting. All of our processors, our immunohistochemical stainer, were not connected to the network and not affected by the attack. In surgical pathology and cytopathology, we were able to continue to do our work.”

It wasn’t all smooth sailing, however. The system for dictating pathology reports was unusable, “so one of the first things I did,” says Dr. Martin, “was run out to Walmart and buy two handheld digital recorders, about $30 each, so that I and the other pathologist could do our surgical pathology reports.” Dr. Martin had a hospital-assigned encrypted laptop computer, which was not connected to the hospital network, at home, and he used it to transcribe dictation from the reports. “We then printed out Word documents, hand-signed them, and faxed them to physicians or dropped them in their in-boxes.” Dr. Martin maintains that the attack did not affect the number of analyses he and his colleague performed and had little to no impact on turnaround time in this area.

The clinical side of the laboratory, on the other hand, did experience a slowdown in volume of tests processed and turnaround time. The lab, which is staffed around the clock and performs about 2,000 procedures each weekday, serves four off-site clinics, three nursing homes, and a number of physician offices, Templeton says.

When she learned of the attack upon arriving at work, Templeton and her staff instituted the downtime procedure they had practiced many times during brief system outages: receiving orders and communicating results via paper and fax. “One of the first things we did was to ask our analyzer vendors to [come on site and] check on the analyzers to make sure they were clean and provide Meditech with verification,” she recounts. The instruments’ capability to analyze samples was not affected, so the lab continued to use them and printed paper reports.

What had the most profound effect, Templeton says, was the loss of Iatric Systems’ MobiLab, a handheld device that alerts phlebotomists to stat requests and prints barcoded labels at the bedside. “Until we got the stat labels to print, every stat had to be called in to us,” she explains. Outpatient requisitions for all testing routinely were submitted in paper form, but with the interface to the EHR gone, all inpatient work also had to be communicated in paper form. After drawing the patient’s labs, the phlebotomist “would hand-label all of the tubes and hand-carry them back to the lab because the pneumatic tube system was affected. It was bad,” Templeton says. Without the barcoded label, each sample placed on an analyzer had to be manually entered into the instrument, “so that means staff were typing patient name, location, date of birth, the test being ordered, on every single specimen they processed. It was incredibly time-consuming.”

Templeton and her staff “blew up a fax machine” during this time, she says, and generated “thousands of pounds of paper with results and requisitions attached to the results—it’s just a mountain.” The paper reports will have to be digitized and put in the EHR, she adds, “but, fortunately, we’ve been given approval to outsource that.” Even though the laboratory was already staffed around the clock, employees logged a lot of overtime, Templeton continues. “I was very proud of the lab staff throughout this ordeal for all of their hard work, their teamwork, and positive attitudes. That pride extends to the entire facility.”

For the hospital IT department, the attack reinforced the importance of having a disaster recovery plan that’s been tested through practice. “My team had just been through a mock disaster the month before,” says Richmond, “so they almost didn’t believe me when I declared the real one.”

Dr. Martin believes the pathology department was “as prepared as we could have been, except we were assuming we would be back up in a few hours.” His advice: Have a backup dictation system in place and be “really, really diligent about matching demographic information on requisition sheets with what you type into the reports you put out.” Templeton also emphasizes the need for a solid downtime procedure, adding that labs should “make sure your records are well organized—know that this can happen and that it might last weeks rather than hours.”
—Jan Bowers

Roche to acquire Viewics

Roche has reported that it is purchasing the laboratory business analytics firm Viewics.

“This acquisition allows Roche to expand its leading position in the integrated core lab with business analytics capabilities, enabling laboratories to make faster data-driven informed decisions on their operations and processes,” according to a press release from Roche.

Viewics’ infrastructure-agnostic, interactive, cloud-based solution can be accessed from multiple devices, including smartphones, tablets, and desktop computers.

The transaction was expected to close at CAP TODAY press time.
Roche, 800-428-5076

Deal gives Sunquest access to clinical interpretation tool

Sunquest Information Systems announced that it has integrated the N-of-One clinical interpretation solution into its Sunquest Mitogen lab information management system and genetic analysis and reporting software suite for molecular diagnostics and precision medicine.

Incorporating the tool into Mitogen provides users of the latter with access to clinically actionable genetic reports that provide information on a cancer’s genetic signature, potential treatments, clinical trials, and other data.

The partnership between Sunquest and N-of-One “will allow pathologists in hospitals and reference laboratories to streamline delivery of time-critical, case-specific genetic reports with high-quality clinical interpretation for next-generation sequencing panels of all sizes,” Sunquest reports.

Seattle-based CellNetix Pathology and Laboratories, a provider of cancer genomics testing and other anatomic pathology services, is the initial installation and testing site for the combined offering.
Sunquest Information Systems, 877-239-6337

Seacoast adds functionality to lab information system

Seacoast Laboratory Data Systems has released a report scheduler module for its SurroundLab Plus LIS for the high-volume commercial lab market.

With the new tool, management reports in SurroundLab Plus can be slated for automatic delivery according to a specified schedule, whether hourly, daily, weekly, or according to other parameters. The reports can be sent to any number of recipients via email or other modes of delivery.
Seacoast Laboratory Data Systems, 603-431-4114


Dr. Aller teaches informatics in the Department of Pathology, University of Southern California, Los Angeles. He can be reached at raller@usc.edu. Hal Weiner is president of Weiner Consulting Services, LLC, Eugene, Ore. He can be reached at hal@weinerconsulting.com.

CAP TODAY