A longtime nurse has seen the impact of cyberattacks up close and personal.
Don Neal is a Certified Registered Nurse Anesthetist (CRNA) with nearly 50 years of healthcare experience. As a self-described “old-timer,” he experienced the shift to healthcare technology firsthand, from using electronic charting to switching to automated blood pressure machines. While he says he still wants “a doctor that’s going to listen to my heart, listen to my lungs, touch my pulse,” he recognizes the value of healthcare technology in his work and how it has contributed to better patient care.
However, he has also experienced both the personal and operational consequences of cyber incidents in healthcare settings when the hospital where he worked was attacked.
Two Separate Incidents, Different Impacts
Before his employer experienced a cyberattack, Neal had been the victim of a data breach that led to identity theft. It was discovered when a fellow nurse told him that she had been alerted that her taxes had been filed without her knowledge, and her refund had gone to someone else. They soon found that almost everyone in his department was affected due to what was probably an inside job.
Ultimately, Don was forced to prove his identity to the IRS to get the situation corrected. Even now, years later, the incident continues to linger. He has a PIN he uses when filing taxes and has to regularly check his Social Security account to make sure no one has filed for benefits.
That experience gave Don a unique perspective on the dangers of cybersecurity incidents when one later affected his patients. A major incident shut down electronic medical records for three months. “You couldn’t get, like, a patient’s history on the computer. You couldn’t get certain lab work. You couldn’t get electronic orders. All that was disrupted.”
The Response Strategy: Shifting to Analog Processes
The hospital immediately moved to prioritize patient care. Fortunately, veterans like Neal were available to help younger staff adapt.
Activating Downtime Procedures
Faced with the loss of their usual tools, the team had to “get back to common sense medicine.” That meant shifting to paper charting for patient records and other analog processes.
However, although the team was prepared, “I would say it slowed care,” he says. “You had to scramble a little bit to take care of the patient. So it certainly introduces an element of chaos to the delivery of care.”
Selective Cancellations
Given the lack of technical support, the hospital decided to cancel a number of procedures, even some critical ones, in favor of waiting for certainty that staff could provide an adequate level of care.
Learning From the Experience
The incident opened Neal’s eyes to the value of security measures the hospital has in place—even when they are a hassle.
The Importance of Security Training
The staff has to complete online training every three to six months to learn about new phishing tactics and other scams. “They even might send out something that’s just a test, just to see if you’re going to open it.”
The Purpose of Multi-layered Authentication
Neal notes he has to log into systems multiple times. “If I’m in a busy area, like endoscopy, where I’m going to do 15 to 20 cases, I’m signing in three times for every case that I’m starting.” When he asked if there was a way staff could just slide a badge to log on, the IT team pointed out that it would be easy to steal and duplicate the badge, or that clinicians could accidentally leave programs open without logging out.
What Could Have Gone Wrong: Critical Vulnerabilities
Knowledge Gap in Younger Staff
Neal noted that many of the younger staff didn’t have any experience with paper charting and other paper-based processes. Luckily, he and others had that institutional knowledge and were able to quickly step in and train their colleagues.
Inadequate Organizational Response
While the hospital’s response to the cyberattack was swift, the reaction to the earlier hack and identity theft was lacking. Employees were offered just a year of credit monitoring, and they were never given any definitive information about the perpetrators, perhaps for liability reasons. When organizations aren’t transparent about breaches and make only minimal efforts to assist employees with the fallout, it can lead to resentment, suspicion, and fear that their private information—and their patients’ information—isn’t safe.
Tips for Healthcare Leaders
- The value of experienced staff. Healthcare organizations should retain and leverage experienced clinical staff who understand both electronic and paper-based workflows, as they become critical during system downtimes. As these staff members retire, regular training sessions can ensure that everyone has the knowledge and skills to shift to downtime procedures quickly.
- Vigilance is required. Individuals must exercise care and caution in both their professional and personal security habits, given the increasing sophistication of cybercriminals. “I mean, how do you beat these guys?” Neal asks. That’s the job of healthcare cybersecurity professionals—but employees must remember that they’re on the front lines of the fight.
The Human Cost of Cyber Attacks
Don Neal’s decades in healthcare have given him a unique perspective on both the evolution of medical technology and its vulnerabilities. His experience as a victim of personal data theft and as a healthcare professional navigating a major cyberattack reveals the long-lasting impact that attacks can have on both patients and staff.
Effective healthcare cybersecurity isn’t just about technology—it’s about people. The institutional knowledge of experienced staff became invaluable when digital systems failed, while the seemingly burdensome security procedures that staff often view as obstacles proved their worth during the crisis. As cyber threats to the industry grow more sophisticated, Neal’s experience highlights a valuable lesson: preparation, transparency, and respect for both technological safeguards and human expertise are more than just best practices—they’re essential elements of patient care in the digital age.
To hear the full discussion, you can listen to my podcast, Cyber Survivor, here.