After cyberattacks on both Lewiston hospitals, local legislator looks for solutions


Lewiston's two hospitals, St. Mary's Regional Medical Center and Central Maine Medical Center, both dealt with cyberattacks in June. (Staff photos)

As St. Mary's Health System and Central Maine Healthcare continue to return to normal operations after separate cyberattacks that shut down their computer systems for most of June, a local legislator is working to figure out what went wrong and how to prevent such an intrusion in the future.

The attacks made it difficult for patients to communicate with their providers or hospital pharmacies while hospital systems were down. Some people could not get imaging, procedures or medications for immediate health concerns, such as diabetes and heart issues.

Tracy Virgin of Peru had an MRI done in April that indicated she was not getting blood to her brain properly, which meant she needed frequent imaging to monitor the issue, she said. She had a stroke years before, so the issue made her nervous. Her doctor, through St. Mary's, sent the imaging order to Rumford Hospital, owned by Central Maine Healthcare.

During the cyberattack in June, she could not reach any of the providers in Rumford to ask about her imaging, she said. Her hope was to have the imaging order sent to another hospital but she did not know who to contact to have it sent elsewhere.

"I had an appointment to have (the imaging) done up here (at Rumford Hospital) and then they canceled it and left me out to dry, basically," she said. "Finally, once St. Mary's got up and running, I called them and said, 'Hey, send this to Portland.'"

Just before Central Maine and St. Mary's systems were fully operational again, she reached her doctor at St. Mary's, who sent her imaging order to Maine Medical Center, she said.

There appear to be no hard regulations for hospitals regarding how they must ensure patients get care for the most vulnerable health conditions. However, patients can file a complaint with the Centers for Medicare and Medicaid after the fact if they feel hospitals or providers have violated federal regulations that protect patients.

Those protections include regulations around patient billing, improper care, unsafe conditions, abuse in home-care facilities and unprofessional provider conduct, along with other aspects of health care services.

State Rep. Julia McCabe, D-Lewiston, who is a member of the Legislature's Health and Human Services Committee, has been in contact with the Lewiston hospital systems and the Maine Department of Health and Human Services to get a better idea of what led to the data breach and the events during it.

She has heard from a number of constituents in the community about instances in which they could not reach their doctors, get medications, access needed procedures or find information about how to contact providers during the system outages, she said.

There are several areas in which legislation could help address some of the issues around hospital cybersecurity, according to McCabe.

To start with, she thinks the state needs to establish cybersecurity requirements by which hospitals must abide. Right now there are only federal guidelines, which she said can sometimes be vague, and there seem to be no comprehensive legal requirements holding hospitals to a certain level of cybersecurity or patient continuity during system outages.

"We need a statewide approach to ensuring databases don't go down," she said.

The federal Administration for Strategic Preparedness and Response has established readiness and response recommendations for health care cybersecurity, last updated in 2022. The guidelines range from specific recommendations to broader ones stating that certain plans should be established, without going into further detail.

It recommends systems be put in place regarding how basic patient information should be maintained when hospital computer systems are down, but it does not go into great detail about how to do that. It recommends that hospitals should manage communications without having the ability to use voicemail, but does not go into further detail in that area, either.

Recommendations on how to reduce patient volumes, such as canceling elective procedures and appointments and diverting ambulances, seemed to be used by both hospital systems.

However, the administration's recommendations about internal and external communications seemed to be more specific, suggesting that hospitals should:

* "Decide what information will be disseminated, how often, and in what manner. Appoint a representative(s) to speak on behalf of the organization. For larger health systems, there may be several Incident Command structures to communicate with across facilities;

* "Continually monitor news outlets and social media to stay aware of trending misinformation, public sentiment, and information gaps. Decide what messages are urgent and which are for general knowledge. Transmit using the appropriate tool;

* "Be prepared to answer questions from the media, elected officials, regulators, and the public about the incident, and anticipate requests for information (e.g., is our data safe? Is your system safe?);

* "As a best practice in large-scale cyber incidents, consider avoiding media interviews. Use exclusively written statements (at least at the onset of the incident) to control messaging and avoid legal or compliance issues;

* "And, advise staff and leadership not to speculate as to the cause and effect of a cyber incident over email, which can be discoverable in subsequent civil actions, or to media outlets (or other public venues) where information can be exploited."

McCabe would like to look to other hospital systems or state legislatures who have developed strategies to address hospital cybersecurity issues and possibly implement solutions that could work in Maine, she said.

She would like to see some kind of reimbursement for St. Mary's and Central Maine patients who had to pay out of pocket for care from outside providers during the system outages because they could not reach their own providers, she said.

"I think it's important for people to be made whole in these circumstances," she said.

But solutions might be difficult to navigate with looming cuts to Medicaid at the federal level that Congress just approved, she said. She is concerned that if hospitals have to spend more on cybersecurity, it could impact direct patient care. She is not opposed to setting aside state funds to help hospitals pay for better cybersecurity systems.

But before any hard pieces of legislation can be put forward, she said, there needs to be more clarity on what caused the systems to become infiltrated and why the hospitals struggled to get communications out to their patients during the outage.

Neither St. Mary's nor Central Maine Healthcare officials responded to requests for comment. Both hospital systems are being sued for data leaks that occurred following the cyberattacks.
