| Top | |
| Newsletter 10/27/2021 | Back to Contents |
|
RIP Nicko Silar
The tragic story of baby Nicko Silar did get some attention from the mainstream press. None of the reporting of the incident is as gripping, horrifying, and appalling as are the facts as laid out in the Civil Complaint filed in the CIRCUIT COURT OF MOBILE COUNTY, ALABAMA by TEIRANNI KIDD, the mother of Nicko, on June 20, 2020, Case No CIVIL ACTION NO. 02-CV-2020-900171. For those wish to follow along at home, a copy of the 39 page Complaint is available here from Docucloud, a common site for journalists to publish court documents. The facts of the case, as stated in the Complaint, are fairly easy to summarize. Quoting from the Complaint. 1. On July 9, 2019, Springhill Memorial Hospital
suffered a serious ransomware attack that blocked and encrypted the
hospital's computer systems, network systems, and data (hereinafter
“cyberattack’). On the same day, Springhill Memorial Hospital told media
outlets that it experienced a “network event” but that the issue “has
not affected patient care.” 2. Teiranni Kidd presented to Springhill Memorial Hospital on July 16, 2019 but was not told that the hospital's computer systems had been hacked, that they were not operating as needed, and that patient safety was implicated and could be compromised. Consequently, she was admitted to Springhill Memorial Hospital on July 16, 2019 for induction of her pregnancy due to gestational hypertension. At that time and throughout her admission, Teiranni had no knowledge of the effect that the cyberattack was having on Springhill Memorial Hospital, on hospital operations, or the quality of patient care. 2a. Prior to her July 16, 2019 admission, Teiranni had "routine prenatal care and an uneventful pregnancy," according to her medical records. An ultrasound performed on July 9, 2019 was normal, with the report indicating normal fetal cardiac rhythm, normal fetal abdomen, and normal biophysical profile (movements, breathing, tone, and amniotic fluid volume) 3. Upon information and belief, the only fetal tracing that was available to healthcare providers during Teiranni's admission was the paper record at her bedside. Because numerous electronic systems were compromised by the cyberattack, fetal tracing information was not accessible at the nurses’ station or by any physician or other healthcare provider who was not physically present in Teiranni’s labor and delivery room. As a result the number of healthcare providers who would normally monitor her labor and delivery was substantially reduced and important safety-critical layers of redundancy were eliminated. 3a. Upon information and belief, as a result of the cyberattack, nurses and other healthcare personnel were forced to use outdated paper charting methods and paper documentation to record and document Teiranni’s labor and Nicko's delivery. Some of the paper forms used outdated terminology and had not been used in years. 4. Following her birth, Nicko was diagnosed with hypoxic ischemic encephalopathy, anuria, acute kidney injury, acute tubular necrosis, hyaline membrane disease, seizures, perinatal depression, transaminitis, hypocalcaemia, hyponatremia, and a pneumothorax. 4a. Nicko was transferred to USA Women's & Children’s Hospital and spent months in the neonatal intensive care unit. 4b. Nicko was profoundly brain-injured, required frequent oxygen supplementation, fed through a gastrointestinal tube, and needed medication administration around the clock. 5. Wantonly concealing and/or failing to reveal the true facts and circumstances surrounding the cyberattack and its effect on the hospital's ability to provide patient services to Teiranni's and Nicko's treating physicians and medical consultants. 5a. As a proximate consequence of the wantonness as set forth hereinabove, Nicko Silar died on April 16, 2020. What I find appalling about this case, besides the obvious, is that the events occurred in 2019. If it were say 2015, maybe the Hospital's ignorance of the devastating effects of ransomware, could be a mitigating factor at trial. By 2019, every chief executive of every kind of enterprise that is networked (Remember there is only one network.) had to know that a ransomware attack could cripple the functions of the organization. Also, the Complaint lays out with great detail that these public denials of any systemic cascading failures of networked devices hospital wide were being uttered at the exact time that Springhill Memorial Hospital was experiencing systemic cascading failures of networked devices hospital wide. The case of baby Nicko also gives credence to
research published earlier this year titled,
Perspectives in Healthcare Security, an
industry report that examines attitudes, concerns, and impacts on
medical device security as well as cybersecurity across large and
midsize healthcare delivery organizations.
The report is in the format of a PowerPoint Presentation and is
available here.
The first bulleted point of the PowerPoint is the startling assertion that "48% of hospital executives reported either a forced or proactive shutdown in the last 6 months as a result of external attacks or queries." The HIPPA Journal reported in September that "During the past 2 years, 43% of respondents said their organization had suffered a ransomware attack, and out of those, 67% said they had one while 33% said they had more than one." According to the report, health care providors now have a better idea of the depth of the problems they face due to ransonware, declaring "61% of healthcare organizations said they are not confident or have no confidence in their ability to mitigate the risks of ransomware." One not so obvious factor contributing to this rise of ransomware attacks is the increasingly need due to Covid restrictions of vendors and other third-party actors having remote access to hospitals' computer networks. "Business associates of healthcare organizations are being targeted by ransomware gangs and other cybercriminal organizations. Cybersecurity at business associates is often weaker than their healthcare clients, and one attack on a business associate could provide access to the networks of multiple healthcare clients." Demonstrating it is, in fact, one single network that we all connect to. And, of course, the seemingly universal rejection of the need for hospital adminstrators to invest the resources needed to thwart ransomware attacks. "Low levels of investment and skill gaps in cybersecurity were highlighted as possible contributing factors, with just 11% of respondents stating cybersecurity as a “high priority” for spending." Like so many issues challenging Americans' shibboliths of reality, it takes a well publicized death to effect needed change. And here there is reason for optimism going forward. Unlike the See no REevil — et al — attitudes of the administrators of Springhill Memorial Hospital, many hospitals are now responding proactively to mitigate the dangers ransomware poses. Ars Technica reported in August that "Dozens of hospitals and clinics in West Virginia and Ohio are canceling surgeries and diverting ambulances following a ransomware attack that has knocked out staff access to IT systems across virtually all of their operations." In the same report, it was noted that in 2021 already "38 attacks on health care providers or systems have disrupted patient care at roughly 963 locations, compared with 560 sites being impacted in 80 separate incidents from all of 2020." It is hard to argue with the reality that is slapping you in the face. What the reporting and statistical analyses indicate, and the sad story of baby Nicko Silar proves, is that AT ANY ONE POINT IN TIME; AT ANY ONE LOCATION IN ANY ONE STATE; ANY ONE HOSPITAL HAS A 50% CHANCE OF BEING SHUTDOWN DUE TO RANSOMWARE. My recollection is I wrote my first post on ransomware in January 2014.
|
| Back to Top |