In early October 2022, CommonSpirit Health, the second-largest nonprofit healthcare system in the United States, was hit by a ransomware attack. The impact of the cyberattack quickly rippled across CommonSpirit Health’s vast network, disrupting the daily operations of numerous healthcare facilities throughout the nation. From delayed surgeries to diverted ambulances, nurses and doctors scrambled to manage this crisis for over two weeks until CommonSpirit Health could restore access to their IT network.
To highlight the grave threat healthcare-related cyberattacks pose to our society, we spoke to a nurse from St. Michael’s Medical Center in Silverdale, Washington, one of the healthcare facilities impacted by the ransomware attack. In this interview, Kelsay Irby shares her intense experience treating patients while facing an unforgiving cyberattack.
(Edited for brevity and clarity)
DPN: Tell us about yourself.
KI: My name is Kelsey Irby. I am a registered nurse (RN) with 15 years of experience. I currently work as a charge nurse in a busy emergency room at a hospital that serves a large demographic area. I started my career as a licensed practical nurse (LPN), but quickly realized it wasn’t challenging enough. So, I went back to school to earn my bachelor’s degree and am now pursuing my master’s degree. I absolutely love my job. I love the controlled chaos of the emergency room. Well, I love it when our computer systems are working fine, and we are properly staffed. However, when staffing is low and computer access is limited, it becomes unmanageable chaos.
Recently, I have become more vocal and outspoken about advocating for the rights of patients and my coworkers, particularly during union negotiations. I take my role as a charge nurse seriously and try to create a better environment for my coworkers. I look out for my coworkers as much as I look out for my patients. As an RN, I understand that the job is demanding and many nurses are burning out, so I try to be a mentor and support my younger colleagues. I’m a bit older than the others, so I’m kind of the mother hen of the team.
Walk us through the day of the cyberattack.
The way my schedule fell, I didn’t work the first couple of days of the outage, so I didn’t really have a sense of the severity of the situation. There have been times we’ve had some downtime for server upgrades or something like that, but it’s usually just an hour or two. No big deal. But this time, it was different. It was not confirmed until around the eighth or ninth day that our hospital had been hit by a cyberattack.
What was it like when you arrived at the hospital?
Well, I came in on the fourth or fifth day of the outage. I knew it would be chaotic, so I came in an hour early just to get a feel for what was happening. I needed to know how we were keeping track of things, how patients were moving from department to department, and so on. It became pretty clear to me that we didn’t have a viable system in place. Some things made sense, and some things didn’t. Day shift staff had a different system than the night shift staff. There was no unilateral direction on how we were supposed to handle this situation.
We usually have minimal paperwork laying around, but when I got there, papers were scattered everywhere. We have new nurses who have never done paper charting before and even some doctors who haven’t done it in a long time. So, there was a massive amount of confusion on how to access information, how to process it, and even basic things like what medications patients were taking or what their code status was. On top of that, everything was incredibly slow. Even a twenty-minute lab result became a lengthy ordeal.
How did the cyberattack affect the hospital’s services?
When our systems work, they allow you to be like the wizard behind the curtain. You can see everything about a patient, such as vital signs, medical history, and lab results. If our systems are down, it becomes difficult to properly evaluate and prioritize patients in terms of the severity of illness. I’m basically left with only a patient’s name and chief complaint, which can be vague and unhelpful in determining the urgency of their condition.
Let’s say someone is having chest pain. It could mean that person fell and broke a rib. It could also mean the person is about to have a heart attack. Because of the cyberattack, there was no way for us to accurately decide which patient needs a room or which patient must see a doctor right away. It was much harder to make decisions about their care.
Speed also became a problem. Normally, we order everything through Epic, an online platform we often use. But during the cyberattack, we couldn’t just click the boxes and have it go to the right department. For example, ordering labs had to be written on a sheet, then sent down to the lab. Sometimes, the orders would get lost in the shuffle or sent to the wrong fax machine. We basically went back to the age of snail mail, where you had to wait days for important test results to come in.
Imagine living your life without a cell phone or computer for 12 days. It would be frustrating in this day and age, right? Now picture if this was a matter of life or death. I cannot overstate how frustrating it was for all of us.
How were nurses and doctors reacting to the situation?
Medical professionals have been trained not to show panic in front of patients because patients can pick up on it quickly. It’s important to maintain a level of calm, as it can have a trickle-down effect on patients and cause more harm than good. My coworkers are amazing people, and they were doing everything they could to get information where it needed to go and patients where they needed to go. I could see the stress on my coworkers’ faces. We were all pretty afraid of losing our licenses or being part of a lawsuit later down the line. I think every one of us expressed this fear at least once. The possibility of making a mistake, like giving medication to someone who had an allergy, and we didn’t know about it, was also hanging over everyone all the time.
The fear of something going wrong was pretty tangible, especially as the days went on. We started hearing rumors that the outage could last a month, or even two months. We didn’t have a clue how long this could be. It’s hard to handle anything if there is no end in sight. We were lucky no one died during that period, but the possibility of it was always present. We know we cannot save everybody. That’s a part of the job, but this was different. This was a unique kind of stress that was hard to handle.
How about the patients?
There were a few patients who were a bit frustrated, but overall, they were pretty understanding of the situation. Over the past year, we’ve seen a shift in public support for nurses. People are becoming more aware of the complex issues that lead to long wait times in the emergency room, like low staffing and burnout. Patients used to get frustrated with nurses when they had to wait for hours, but now they understand that it’s not the nurses’ fault. They see that nurses empathize with them. Nurses understand it is hard for anyone to wait around when they are not feeling well or when their significant other is in pain. Patients are starting to see the challenges nurses face, such as working long hours with no breaks, and how this can lead to burnout. While there are always some people who don’t understand, most patients are understanding and supportive.
Did this cyberattack have any lingering effects on the hospital’s operations?
It took some time to get the handwritten data entered into the system. We processed roughly 1,200 people during the cyberattack, so there were delays in putting all those orders in, uploading lab results, and taking care of billing. This caused the system to slow down, similar to how a computer may slow down when too many tasks are running. We were all hoping when the systems came back online, it would be blazingly fast and super smooth, but when we noticed it was running slow, we were frustrated. We cleared the downtime pool a couple of weeks ago. Although the system is running faster, it is still not as fast as we had hoped. It took a lot of time and effort to log out and log back in to get it to run smoothly.
Can you explain how this attack impacted your professional life?
Nurses tend to have a dark sense of humor. Now, if there is a slight system glitch, like a computer screen freezing, we say things like, “Uh oh… here we go again!” Since the cyberattack, we have all joked about having a little PTSD. But I’m not sure how much of it is a joke. It may be more of a coping mechanism. It was a challenging time for us logistically, emotionally, and professionally. We have all become more aware of the importance of technology in healthcare and its role in ensuring patient safety. It has made us appreciate the system more, and we don’t take it for granted as much. So, when I say I appreciate the computer working today, I really do appreciate it. I mean, we call it the practice of medicine for a reason. We are not perfect, so we must live with a margin of error. When a cyberattack impacts a hospital, that margin of error gets much larger. There was so much room for something to go wrong it became very difficult to feel comfortable with that risk.
How about your personal life?
I ended up getting pretty sick. I worked almost 80 hours that week, so I didn’t have much time with my family either. I’ve worked these kinds of hours in the past, but this situation wore me down. I caught COVID-19 and got a kidney infection, as well as ear and sinus infections. I needed a lot of time to recover after that. I wasn’t the only one who got sick either, so I think stress impacted our collective well-being. After all, there are all kinds of studies that show the effect stress has on your immune system.
What was the most concerning aspect of the cyberattack?
We had a patient come in who was very sick, and we could not get a hold of anyone to tell us their code status. It was a major dilemma. What do we do if they get worse? What if they need to be intubated? Do they even want to be resuscitated? That’s when it hit me that we were really doing a disservice to patients.
This topic hits me on a personal level because my mother passed away from cancer, and her wishes were not honored until I arrived at her hospital. So, as a nurse, I take honoring a patient’s wishes extremely seriously. When we can’t access this kind of information, it puts a lot of moral distress on us. It’s not always black and white, by the way.
Let’s take CPR, for example. Most people think, “Of course I want CPR!” However, some people who are suffering from dementia, or are battling cancer, may not want CPR. They may prefer to go peacefully. I would never want to accidentally resuscitate a patient, ultimately interfering with their dying wish. I would be doing a major disservice to them. I just want to honor their wishes.
How much did you know about cyberattacks and/or cyberwarfare before this situation occurred?
I believe we have all heard of it, right? I don’t know who hasn’t received one of those emails saying your information has been compromised. At this point, I’ve had my bank card numbers compromised a few times. I also heard about those cyber campaigns during the election. But I never knew what it would be like to be in the middle of a massive cyberattack. It was definitely an eye-opening experience to see the amount of leverage a hacker can have in a situation like that.
What would you tell people unaware of the threat of cyberattacks and cyberwarfare?
It’s easy to think you’re immune to it, especially if you’re careful about protecting yourself online. You could change your password every week. You could have implemented 2FA on all your devices. But if you happen to be in a hospital caught in the middle of a cyberattack, you will still be a victim. That attack can compromise your healthcare and slow down the process of getting the treatment you need.
What message would you like to provide for others targeted by cyberattacks?
I would say the same thing I tell my child. Whenever something bad happens, or she makes a mistake, my big question to her is what did you learn? What would you do differently to prevent this from happening again? After that experience, I joined a committee at the hospital working on developing a better process for handling cyberattacks. So, if something like this happens again, we can use the lessons learned. We have been talking to doctors, nurses, and lab technicians to understand their points of frustration and figure out what could be done differently in the future. That’s how people can take power back – learn from their experience, develop a plan, and take action.
It’s important to strike a balance between living our lives and being paranoid, but it’s also important to remember that we can’t let our guard down entirely. We can’t live in a bunker and never leave, but we also can’t believe that everything is completely safe and that systems will always protect us. We should be aware that sometimes those systems fail and consider what we would do in that situation. We often think about this in my department and plan for the worst scenario. We can’t afford to go through another experience like that again. It was truly horrible.
Thank you for your time.
Have you been personally affected by a cyberattack? If so, we want to hear from you. Let us know by DMing our Twitter account @DigitalPeaceNow.