EHR Downtime Persists in Wake of Ohio Medical Center Cyberattack

November 15, 2021 - Ongoing EHR downtime at Southern Ohio Medical Center (SOMC) is causing continued appointment cancelations on Monday, November 15. The medical center first alerted patients to “unplanned downtime of clinical systems” on November 11 in a Facebook post.

“While this does not impact our ability to care for our current inpatients, some procedures may be rescheduled,” the post explained.

A few hours later, a subsequent post explained that an unauthorized third party gained access to SOMCs computer servers in a targeted cyberattack. SOMC said it began working with federal law enforcement and internet security firms to investigate the incident, and ambulances were diverted to other hospitals.

On Friday, November 12, the ambulance diversions continued and the SOMC emergency department remained open for non-ambulance issues. Medical Care Foundation Office, Medical Imaging Outpatient, Cancer Services, Cardiovascular Testing, Cardiac Catheterization, Outpatient Surgery, Outpatient Physical and Occupational Rehab appointments were all canceled on November 12.

On the morning of November 12, the 248-bed medical center announced on Facebook that it was no longer diverting patients away from its emergency department but said that it was “continuing to work towards resolving the issues related to the recent cyberattack on our systems.”

On November 15, SOMC posted an update alerting patients that all Outpatient Medical Imaging, Outpatient Cardiac Testing, Outpatient Rehab in Portsmouth, Wheelersburg, Lucasville, and Vanceburg, and Sleep Lab appointments would be canceled on Monday.

According to a November 12 report from WOWK-TV, SOMC reverted back to documenting clinical notes on pen and paper. EHR downtime restricts access to critical information about a patient’s medical history and treatment plan.

Threat actors are increasingly targeting third-party business associates and outpatient facilities. While larger organizations are improving their security postures and implementing technical safeguards, budget restrictions and other priorities may prevent smaller healthcare organizations from adequately protecting their networks from hackers.

According to Mac McMillan, CEO of CynergisTek, healthcare organizations should operate under the assumption that they will inevitably be hit by a cyberattack.

“We need to stop thinking that we are ever going to be completely successful at stopping all the attacks and all the threats,” McMillan asserted in a previous interview with HealthITSecurity.

“You are always going to have weaknesses in systems, you are going to have people that make mistakes, and you are going to have very dedicated threat actors with tremendous resources that can come after you.”

Healthcare organizations should improve their cyber resilience by investing in technical safeguards such as multi-factor authentication and antivirus protection, and consistently assessing third-party risks.

Hackers will continue to find new methods to effectively infiltrate networks. But for the most part, tried-and-true methods such as phishing and ransomware continue to be effective since many organizations are still vulnerable to common cyberattack tactics.

It is also important to recognize that there is nothing convenient about cybersecurity. However, making tactical upfront investments and implementing a thorough incident response plan can save organizations from regulatory troubles and risks to patient safety.