
Three Lessons From a Hospital Under Ransomware Siege

8.6.2018

Missouri’s Cass Regional Medical Center (CRMC) was recently hit with a ransomware attack. Existing patients continued to receive care, but incoming trauma and stroke patients were diverted to other facilities. The hospital was forced to shut down its electronic health record (EHR) systems.

The hospital stated that patient information had not been compromised during the episode. It explained that it had had an incident response protocol in place prior to the incident, and activated it within minutes of the attack. Mysteriously, the mechanism of the attack remains unknown. CRMC brought in a cyber forensics firm and contacted law enforcement to assist with the recovery process.

The incident is a vivid reminder that ransomware remains a persistent threat in the healthcare sector. Electronic health records are both vulnerable and valuable, which makes them the ideal target of opportunity.

However, because the hospital minimized the damage from what could have been a catastrophic incident, the episode also reinforces the value of cybersecurity fundamentals such as:

  • Having an incident response plan in place. The existence of the plan enabled the hospital to transition seamlessly from routine operations to crisis footing, enabling medical staff to focus on health care, while leaving management and technical personnel to address the ransomware issue.
  • Prompt Action. CRMC’s decision to shut down the electronic health record system averted regulatory disaster. Unauthorized access to patient data constitutes a HIPAA breach. The hospital’s prompt action in shutting down the EHR system not only prevented an egregious leak of highly sensitive data, but staved off possible OCR action.
  • Recovery Timeframe. Notwithstanding the textbook response, forensic and protection efforts necessitated the gradual resumption of computer operations. The lesson is evident: even the best plans, well executed, may entail the loss of functionality for a time. The availability of manual backups, or alternative mechanisms, is therefore indispensable.

The CRMC episode illustrates that ransomware continues to pose a significant threat to health care institutions. Their vulnerability is compounded by the extensive use of electronic data systems in the healthcare sector. But it also demonstrates that instituting basic breach-response procedures significantly ameliorates the effects of an attack. With ransomware, an ounce of prevention is worth a pound of cure.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
