More safeguards are needed as reliance on technology and electronic records increases
People feel safe at hospitals. Security guards are posted at main entrances, visitors are subjected to tight scrutiny, and clinicians are working around the clock to make sure patients leave better off than when they were admitted. Despite these practices, hospitals across the United States are learning they are vulnerable to powerful, nearly invisible threats that are proving to be more difficult to see and eradicate than harmful microscopic pathogens.
Hollywood Presbyterian Medical Center (HPMC) learned this the hard way in early February, when it was the target of a malware attack that encrypted computer files, locking access to its primary systems and preventing it from communicating electronically. To obtain the decryption key and restore access, HPMC paid hackers 40 bitcoins (digital currency)—the equivalent of $17,000.
The hospital issued a statement from president and CEO Allen Stefanek to explain the decision: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”1
Following close behind the attack at HPMC, a breach at MedStar Health in metro Washington, D.C., in March blocked access to patient medical records. Clinicians could read but not update files.2 The health system’s IT security experts shut down the entire computer network, and leadership set up a command center to coordinate operations in its hospitals and outpatient facilities. Staff members relied on their emergency preparedness training to continue operations until access was restored after several days.
Costs and Concerns
Cybersecurity in hospitals is now a pressing health concern. In 2015 alone, more than 94 million health records were compromised, costing affected institutions approximately $46 billion, the American Action Forum reports.3
Although MedStar Health and HPMC stated that no patient records were compromised in the cyberattacks at their facilities, breaches are not resolved without consequences.
“One of the problems we start seeing is as these hospitals are losing access to this data, it’s actually impacting patient care,” explained Kevin Johnson, CEO of Secure Ideas. Johnson is a self-proclaimed “ethical hacker”: he hacks into companies’ computer systems and then tells them how he did it, so that they can prevent real hackers from doing the same thing.
“If you don’t have access to your medical records, how do you treat the patient?” Johnson asked. “My wife is allergic to penicillin—how do they know that? It’s on her arm band while she’s in the hospital, but that’s really not the most effective way to deal with it.”
Medical equipment is another cause of concern because it’s often run on the same computer network where patient records are stored. Consider the events of June 2015, when 1.4 million Jeeps were recalled after hackers proved Chrysler’s UConnect software could be manipulated—allowing the hackers to take control of the vehicles’ dashboard functions, including steering and brakes.
In terms of medical equipment, in 2015 the Food and Drug Administration (FDA) alerted hospitals using Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems about possible software weaknesses. These systems continuously deliver anesthesia or therapeutic drugs to patients. The FDA was alerted when a blogger posted detailed information about how someone could remotely interfere with the pumps’ functioning and even modify dosages.4 The FDA statement read in part: “An independent researcher has released information about these vulnerabilities, including software codes which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning. An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies.”
More Technology = More Risk
Americans are much more accustomed to hearing about cybersecurity dangers in relation to personal finances and shopping than their hospital stays.
“Unfortunately, the breach of healthcare information is different for a consumer (patient) than the breach of a credit card number,” noted Ben Desjardins, director of security solutions at Radware. “The latter can be changed, but the former is generally tied to certain types of care that the patient might very much want kept confidential.”
Hackers have started to realize and take advantage of this. Many hospitals are still coming to terms with the reality and trying to catch up.
“The biggest threat providers and hospitals have to deal with right now is the fact that their networks are very, very complex—they don’t have control of their entire network,” noted Johnson, who touched on some of these points during a presentation at the 2016 conference of the Healthcare Information and Management Systems Society. “They have lots of doctors on their network who don’t work for them; equipment that they don’t own … so the biggest problem they have is they don’t know what vulnerabilities exist and the attackers are going after those vulnerabilities.”
Cybersecurity concerns will grow as reliance on technology increases. Only 17% of physicians and 9% of U.S. hospitals were using electronic health records (EHR) back in 2008. But current reimbursement policies not only encourage adoption of EHR but also include a mandate tied to reimbursement from Medicare and Medicaid.5 More and more people are now receiving medical care due to the Affordable Health Care Act, which means more records are being added and updated every day. Meanwhile, individual hospitals and practices have been rolling out their own new technologies with online patient portals and smartphone apps—some of which can facilitate real-time interactions between patients and physicians. But the more technologies that are used in the healthcare industry, the more safeguards should be put in place to keep sensitive information secure.
The Best Defense
So what strategies should health systems and their employees implement to reduce the risk of cyberattack?
“If Hollywood Presbyterian had had a good backup of their data, this ransomware would have been a non-issue,” Johnson said. He advises that it’s equally important to routinely verify that backups are working properly. “Backups don’t prevent [attacks] from happening—they prevent them from having a significant impact.”
Another strategy is to make sure staff members are educated about all potential threats—some of which are hiding in their inboxes. It’s important that hospitals encourage and enforce preventive behaviors that will benefit their entire network.
“Training and auditing employee behavior is critical,” noted Shaun Jamison, PhD, JD, a professor at Concord Law School of Kaplan University. “Simple actions like using strong passwords, not posting your password in your workstation, locking terminals when not physically present, and not opening attachments to email unless you are certain they’re legitimate are examples of ways employees can protect the security of patient data.”
Healthcare employees should also help protect their own information, which may be stored in the same hospital database as patient records. Hospitals with good cybersecurity practices are not only saving themselves from paying a ransom, but also from the indirect expenses that follow: lawsuits filed by employees and patients. Target, for example, paid $10 million to settle a class action suit filed by its customers—and this price tag doesn’t include the millions the company had to pay for counsel.
“Some of the legal expenses may be covered by insurance, depending on the policy. Unfortunately, data breaches are often not covered,” Jamison explained. “This type of coverage is somewhat new and growing; it would require careful study to make sure the organization is getting the coverage it needs.”
To avoid even more fines, such as those associated with violation of the Health Insurance Portability and Accountability Act, a victimized hospital or health system must disclose a breach to all people affected—and sometimes, state officials and the media.
“It may be wise to do a notification of a breach, even if no personal health information is compromised,” Jamison said.
A more efficient way of avoiding cost is for hospitals to put their resources into making sure a hack doesn’t happen in the first place. “In the case of the Presbyterian Hospital attack, it seems no long-term damage has been done to any particular patients, though the same cannot be said of the hospital and the trust of the community it serves,” Desjardins said. “It is not at all hard to envision an attack that causes a long enough network outage that critical care is compromised.”
HPMC declined to comment on the breach and its subsequent decision to pay ransom. Sharing its story with the public, however, already has helped raise awareness about cyber threats and encourages hospitals and patients to be proactive.
References
- Hollywood Presbyterian Medical Center website. 2016. http://bit.ly/24bpj3g
- MedStar Health turns away patients after likely ransomware cyberattack. The Washington Post. http://wapo.st/1RpaXqx
- American Action Forum. Are Electronic Medical Records Worth The Costs Of Implementation? http://bit.ly/1VY2exj
- US Food and Drug Administration. Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communication. http://1.usa/1JgpYXl
- The White House. More than half of doctors now use electronic health records thanks to administration policies. http://usa/gov/1UYvMLQ