Bluewater Health, hardest hit in a massive cyberattack on five Southwestern Ontario hospitals last fall, is belatedly taking steps to modernize its aging technology for storing and sharing patients’ electronic health records.
The Sarnia-based hospital announced on Jan. 10 that it has selected Oracle Cerner, a large U.S.-based health-records vendor, to build its new patient-records system. The upgraded system will not be up and running until the end of this year.
Bluewater is the only hospital that had its electronic medical records stolen. The other four – Windsor Regional Hospital, Hôtel-Dieu Grace Healthcare, Chatham-Kent Health Alliance and Erie Shores HealthCare – use Oracle Cerner to house their patients’ health records, which is recognized as one of the most advanced and secure systems in the world.
As an interim measure, Bluewater is working on restoring the health-information system it has used for more than 30 years. That system, Meditech, has been shut down since the attack last Oct. 23, leaving Bluewater lagging behind the other four hospitals in getting back online.
The breach forced the hospitals to cancel thousands of diagnostic tests and send cancer patients to other health care centres in London, Toronto and Detroit. Emergency departments became busier than normal.
Patient care is pretty much back to normal at all the hospitals, with the exception of Bluewater, which cares for 131,000 residents of Sarnia-Lambton. Its backlog of appointments for MRIs, CT Scans, mammograms, ultrasounds and other tests had grown to 8,000 as of last week from 5,200 in mid-December, said Bluewater spokesman Keith Marnoch.
“We anticipate that the system will be operational for hospital-wide use in limited capacity within the coming weeks,” he told The Globe and Mail.
The hospital’s leadership had committed back in 2013 to updating its system but never followed through. As a result of that decision, the cyberattack was more devastating for Bluewater than the other four hospitals.
Health care facilities are increasingly a favourite target of hackers because they have reams of valuable personal information on patients and relatively weak procedures for securing it, say cybersecurity experts. This information can fetch much higher prices than credit-card details or other information on the dark web, a corner of the internet used for illicit purposes.
“Health organizations often have a history of underinvesting in IT systems and rely on outdated or legacy systems that are vulnerable to exploitation,” says a report on cyberattacks published in the Canadian Medical Association Journal (CMAJ) in November.
Only 17 hospitals in Canada have achieved an international benchmark for the use of advanced IT, ranking them stage 6 or 7, says the Healthcare Information and Management Systems Society, a global technology adviser.
The 17 include Windsor Regional, Hôtel-Dieu Grace, Chatham-Kent and Erie Shores, all of which jumped to stage 6 from stage 2 once Oracle Cerner was installed in 2021. The national average for Canadian hospitals, by comparison, is stage 1.9, the society says.
“We need to ask what controls are in place to prevent these attacks from happening,” said Hubert Wong, a Toronto pediatrician and expert in securing health information as the founder of WonderMD, a software app that connects families with pediatricians across Ontario.
At Bluewater, the hackers broke into the hospital’s Meditech health-information system containing a trove of information on all 267,000 patients seen at the hospital since 1992 – their names, dates of birth, addresses and reasons for seeking care.
From Meditech, the hackers were able to migrate to electronic files at the other four hospitals because all five use the same IT provider, Transform Shared Service Organization. Transform houses Bluewater’s Meditech system and the Oracle Cerner system for the other four as well as files containing payroll information and names of employees and patients.
The hackers were not able to breach the Oracle Cerner system at Windsor Regional, Hôtel-Dieu Grace, Chatham-Kent and Erie Shores. But they made off with names of some patients as well as brief summaries of their medical conditions at Windsor Regional, and names and social insurance numbers for more than 3,000 current and former employees at the other three.
“A shared service model is a very logical thing to save on costs and improve efficiencies but now we’re seeing in this case the drawbacks,” said Vinyas Harish, an author of the CMAJ report and an MD/PhD candidate at the University of Toronto.
Once Bluewater gets its Meditech patient records system back up and running, it will not be connected to other systems on Transform, Windsor Regional spokesman Steve Erwin confirmed to The Globe. He was speaking on behalf of Windsor Regional, Hôtel-Dieu Grace, Chatham-Kent and Erie Shores.
The five hospitals founded the not-for-profit Transform to manage their IT in 2013. Five years later, Windsor Regional, Hôtel-Dieu Grace, Chatham-Kent and Erie Shores, announced plans to upgrade their technology by adopting Oracle Cerner, Mr. Erwin said. Transform manages the Oracle Cerner contract.
For its part, Bluewater has looked at various options for a new health-records system over the past several years, Mr. Marnoch, the spokesman, told The Globe. At the time its partner hospitals made the move to Oracle Cerner, he said, Bluewater had “a stable and appropriate system.”
The hospitals and Transform all declined to disclose the price tag for adopting Oracle Cerner. But back in 2013, a Bluewater executive pegged the cost for just that hospital at $25-million over ten years.
In a news release announcing the adoption of Oracle Cerner, Bluewater chair Margaret Dragan said: “This investment will provide Bluewater Health staff and professional staff with state-of-the-art digital tools to care for our community for decades to come.”
For now, however, Bluewater is operating under downtime procedures, with doctors and nurses reverting to pen-and-paper patient care.