An official from the Guam Memorial Hospital Authority told The Guam Daily Post that withholding information from the public about the multiple instances of “unauthorized access” to the hospital’s network was a strategic move to protect its patients – despite clear concerns raised by GMH nurses that the move put patients’ lives at risk.
“GMHA has maintained the same level of excellent care to our patients during this situation. It has been more challenging, but our staff has risen to that challenge. None of our services have been shut down as a result of the situation. Our health care partners have been tremendous and provided their support wherever needed so that no services were affected,” Cindy Hanson, GMH spokesperson, said Tuesday.
However, in an audio recording the Post obtained of a town hall meeting among GMH Administrator Lillian Posadas, legal counsel Jeremiah Luther and GMH staff, including nurses, that occurred a week after the breach, nurses on the front line were adamant in trying to get the message across to the administration that patient care was compromised by the network shutdown in response to what GMH initially identified as “breaches.”
“How unsafe our practices have been in the last seven days, I don’t think that you guys are understanding that, because there are so many minute things that could have gone wrong – that are wrong – in our practices in the last seven days in the condition that we were working under. If you were in our shoes, you would say no security breach is more important than this patient’s life,” one nurse said with frustration in her voice.
Another nurse heard in the recording, who said she had over 20 years experience in more than 50 hospitals, was appalled at how GMH handled the breach.
“This is the first time that I have ever dreaded going in to work,” the nurse told GMH leadership. “I physically dread … going in tomorrow knowing that all of the patients in this hospital at this moment are at risk. It is beyond a disaster.”
Luther has since met with the nurses heard in the recording.
“I’ve spoken to them individually. From the beginning of this, I’ve been asking staff to make me aware of any specific incident where a patient was harmed, or could be harmed, attributed to the downtime,” Luther told The Guam Daily Post.
No harm occurring, however, does not mean no risk was posed, he said.
“The information that has been presented to me right now, that we’ve had issues with medication and there has been greater risk to patient health that we knew we were going to encounter from going from digital to manual mode,” Luther said, clarifying he wasn’t aware of “a specific instance” of injury due to shutdown systems.
Sen. Joanne Brown, the vice chair of the health committee, recognized Monday that there were no deaths since information and communications systems went offline, but was critical of the hospital’s response to the “unauthorized access” and noted that a visit to the hospital with the speaker and several other senators on Monday left her “uncomfortable.” She said GMH still had not implemented some corrective steps.
Nurses heard in the audio clips, recorded a week after the detected “breach,” questioned why an incident command center was not mobilized when the network initially shut down.
“If you knew, if there was an iota somebody has broke or breached our system, then you should have had … someone initiating an incident command center that day. You should have not waited. This is just like a typhoon. You should have initiated that moment that you knew that,” a nurse said. “Even coming in the next day, it was all helter-skelter because we we were all trying to figure out where we were at and what we need to do for that day and to protect our patient.”
Posadas, heard in the recording, said there wasn’t enough time to develop a plan.
“I try to communicate everything as best I can. In the beginning, when I was told we need to shut down, there was very little time. It was actually already decided that we needed to shut down. There was no time to plan. It was so emergent, … there was no planning. There wasn’t even any time … I didn’t even know if the phone lines would be affected,” Posada said to the apparent dismay of GMH nurses.
GMH, in a statement to the Post on Tuesday, thanked its staff for rising to the “challenge” and preventing services from being shut down, but the struggles the employees overcame to provide continued care during the network shutdown were not detailed.
GMH, however, did have a plan for how and when it would notify the public, and considered when the best time was given the hospital was still trying to identify the unwelcome entrant into its data systems.
“When the unauthorized access was discovered on March 2, we had not identified the source. Information was not shared in order to not alert the entity that had accessed our system without authorization. Had the source been alerted that the unauthorized access had been identified, the concern was they would be able to erase their presence from the system and possibly damage it further,” Hanson said.
That consideration was why the public notification of the breach was delayed, she said.
“We determined that bringing the network down was the fastest and cleanest way to burn any unauthorized users out of the system to make sure they don’t compromise any patient health information or the network itself,” Luther said.
The shutdown was supposed to occur only for an estimated 48 to 72 hours, and began March 4. But as of press time Tuesday, GMH had announced no services being brought back online.
“Obviously, the assessment was wrong,” Luther told the Post.
Staff also may have been justified in airing grievances that the network was shut down without properly accounting for how operations to support patient care would run in manual or analog modes.
“If mistakes were made, then that was probably a mistake the administration made, … I was not involved in that decision to set that up or to not set that up, so I can’t really speculate on the administration’s thinking. … That is a policy decision. I try to stay out of that aspect of the policy and decision-making,” Luther said.
The potential of “downtime” during the estimated shutdown window was also considered, the GMH lawyer confirmed.
“If I was to guess and speculate, it was due to the fact, again, that we were operating under the theory that it would be 48 hours downtime on a weekend with a holiday and that an incident command center was not necessary at that time,” he said.
Luther said he does not have a policymaking role under the administrative division at GMH. He is engaged in evaluation in certain circumstances brought to his attention.
“I’m not omnipotent,” he said.
He said a manual protocol was up and running when he spoke with the Post. The hospital’s information technology department will investigate why the downtime exceeded estimations once the systems are back online, he added.
Luther said his intent was to have the meeting first with GMH staff, and then notify the public, but before the plan could play out, the recording of the town hall meeting was leaked.
When GMH initially discovered the incursion, Luther described it as a “breach,” but said Tuesday he had misused the word to describe the incident to stakeholders who attended the closed-door event on the matter.
Breach, as a verb, is defined as breaking through a barrier or defense.
GMH insisted what occurred was not a “breach” because, Hanson argued, the party who gained unauthorized access to the hospital’s data did not get “past our firewalls.”
Luther told the Post he was informed by the hospital’s IT department, after the town hall, that the incident detected amounted to “unauthorized access.”
The National Institute of Standards and Technology said this occurs when a person gains logical or physical access without permission to a network, system, application, data or other resource.”
A visit from the Federal Bureau of Investigation to the hospital is anticipated Thursday. The GMH IT department has been working around the clock to review the scope of the “unauthorized access,” Luther said.
At this point, Luther said, a look at the nature of the logs and what would be turned over to the FBI does indicate a security flaw.
“What they were actually seeing was that there was a security flaw being exploited, allowing an individual or individuals unauthorized access to the network,” Luther said.
He said, based on the information, the hospital notified the proper authorities, including the FBI, indicating that the hospital’s IT department believes the threat is not localized to Guam and, therefore, kept the Guam Attorney General’s Office out of the loop.
As of Tuesday afternoon, approximately 75% of GMH’s system was restored, Hanson said. “This is a fluid situation and I cannot give you a definitive timeframe,” she said.
- Trademark Attorney Ticora Davis Shares What Business Owners Should Do To Protect Their Intellectual Property
- Attorney given annual award for professionalism
- Business leaders, attorneys clash over changing workers comp
- Law in the Marketplace: Business start-ups and IRAs
- Michigan attorney general settles dispute with Mackinaw City hotel family