The electronic medical records of Mendocino Coast District Hospital (MCDH) were the subject of a computer cyber attack in June. Apparently the hospital's administrative leadership has made little or no effort to inform the public about this problem.
MCDH's Chief Executive Officer (CEO), Bob Edwards, should have known about the cyber attack no later than June 29th, given that the American Hospital Association (AHA) circulated the following bulletin on June 28th: “An evolving cyberattack using a variant of Ransomware has hit businesses worldwide, with particular impacts in transportation and health care. According to press reports, Nuance Communications, a provider of voice and language solutions including transcription services, is among those impacted in the health care sector. Nuance has taken measures to contain the incident, including temporarily taking certain customer-facing solutions offline.”
As of late June, Nuance Communications was the provider of transcription services for MCDH. The AHA bulletin goes on, “The Department of Health and Human Services (HHS) is advising vigilance and following general cyber hygiene practices, such as ensuring that all your systems patches and anti-virus definitions are up to date and educating users on common Phishing tactics...”
While this hospital observer was aware of the problem, it appeared that most Mendocino Coast Hospital District residents had no knowledge, even those who may have suffered through delays in obtaining medical records. I went to the MCDH Planning Committee meeting on Tuesday afternoon, July 18th, fully expecting CEO Edwards to make some sort of announcement about the cyber attack at or near the beginning of the meeting chaired by Dr. Kevin Miller.
On the ther hand Edwards has hardly been a leader imbued of true public transparency, so I also came prepared with several questions to ask on the subject of the cyber attack. One would think that the CEO of a publicly owned hospital district would want that public to know about something as potentially serious as a cyber attack on the hospital's medical records. Edwards gave no opening statement and the meeting went blithely on its way through the agenda, which included a final item entitled, “Request Parcel Tax for November 2017 Election.”
Keep in mind that CEO Edwards and the committee chair create the meeting agenda. Either Edwards or Dr. Miller believed that a parcel tax could be placed on the November ballot, an election one hundred ten days away. Ballot measures must be approved by the County eighty-eight days ahead of any election. With that math in mind, the parcel tax item would have to be ramrodded through a MCDH Board meeting on July 27th. Another footnote to the law, such a ballot measure would require a public hearing, presumably the same July 28th MCDH Board of Directors meeting. Consider how little notice that would have actually given the public.
By the time Michael Reimenschneider, of Eastshore Consulting, went through a powerpoint overview on potential parcel tax or bond measures, Edwards realized that a November, 2017, parcel tax vote was an impossibility. One wonders why he didn't do the basic math before authoring the preposterous agenda item. You can pretty much bet the farm the parcel tax item was an Edwards creation rather than a notion of committee chair Miller, though second thought says, not so fast with your farm wager. After all, it was Dr. Miller who demanded an up or down vote on the future of the Obstetrics (OB) Department be placed on the MCDH Board agenda a month ago.
Onward to some of the questions I put to Edwards near the end of the July 18th Planning Committee meeting. How much medical record dictation was lost? Edwards did not answer.
How many internal [MCDH] medical records were delayed by this cyber attack? Edwards did not give a response.
Did MCDH have a backup plan in place to deal with potential computer hacks/cyber attacks? If not, what plans are being made to rectify the situation? Edwards had nothing to say about this.
When did MCDH inform other hospitals or clinics about the medical record problem? Edwards gave no date.
When did MCDH begin informing patients about the extent of the medical record problem? Edwards did not respond.
Did MCDH put out any kind of public statement acknowledging the problem with its medical record system? If so, where and when? Edwards made no response to this inquiry.
How many MCDH medical records are still affected by this problem? No answer from Edwards.
Is MCDH still contracting with Nuance? If not, what new provider has taken the place of Nuance? No response from Edwards.
In a somewhat related manner, how does the CEO expect MCDH to function properly, let alone in a crisis such as a cyber attack, with so many interim managers? Edwards failed to respond.
Can the CEO explain to this committee and the public the reasons why so many managers have departed MCDH since he took over the Chief Executive Officer position [in April, 2015]? Apparently not, because Edwards did not respond.
In relation to strategic planning, one of this CEO's key points in his own strategic plan for the hospital was producing quarterly “Quality Reports.” There have been no such Quality Reports in the 2017 calendar year. Can the CEO explain this significant hole in his own concept of strategic planning for MCDH? Like all the other questions, Edwards chose not to respond to this.
Bob Edwards, MCDH's CEO had a printed copy of these questions in front of him, yet he chose to sit silent and continue to keep the public in the dark about basic information concerning whether or not the problem was still ongoing, whether or not the hospital has had or is planning for future contingency plans regarding cyber attacks, or simply giving a basic statement about when the problem first came to the hospital's attention and what types of record keeping it impacted.
The last three questions, regarding the departures of so many management level employees from MCDH in the last year or two and Edwards's inability to follow through on his own strategic plans, demonstrate his overall inability to successfully manage the hospital staff and meet even his own expectations.