An excellent “Perspective” op-ed published online earlier this month in The New England Journal of Medicine brings forward, for industry leaders to consider, an important and alarming possibility around data breaches involving PHI (protected health information). Could criminal hackers actually tamper with critical clinical information contained within electronic health records (EHRs), to the potential devastation of patients? Yes, it is possible, and we need to talk about it.
Under the headline “Threats to Information Security—Public Health Implications,” William J. Gordon, M.D., Adam Fairhall, A.L.M., and Adam Landman, M.D., M.I.S., M.H.S., write online in the July 12 New England Journal of Medicine about the accelerating threats to patient care being posed by hackers. Noting recent high-profile incidents, they write, “In health care, information security has classically been regarded as an administrative nuisance, a regulatory hurdle, or a simple privacy matter. But the recent ‘WannaCry’ and ‘Petya’ ransomware attacks have wreaked havoc by disabling organizations worldwide, including parts of England’s National Health Service (NHS) and the Heritage Valley Health System in Pennsylvania. These events are just two examples of a wave of cyberattacks forcing a new conversation about health care information security. With the delivery of health care increasingly dependent on information systems, disruptions to these systems result in disruptions in clinical care that can harm patients. Health care information security has emerged as a public health challenge.”
Further, the authors note, “Threats to information security plague many industries, but the threats against health care information systems in particular are growing. Data breaches, generally described as an impermissible use or disclosure of protected health information, are particularly prevalent. Nearly 90 percent of health care organizations surveyed by the Ponemon Institute (which does independent research on privacy, data protection, and information security policy) suffered a data breach in the past 2 years; meanwhile, 64 percent of organizations reported a successful attack targeting medical files in 2016—a 9 percent increase in just 1 year.[1] Multiple causative factors are involved in the uptick in attacks against health care systems, but some reasons cited in that study include low organizational vigilance, inadequate staffing and funding for information technology security, insufficient technology investment, and the underlying value of health care data as compared with data from other industries.”
The authors go on to explain how DoS (denial of service) and ransomware attacks work. “Although DoS and ransomware attacks disrupt systems and can significantly impair the ability to deliver efficient care, they do not necessarily expose patient information,” they note. They then state that “More worrisome are attacks that result in breaches of protected health information and personally identifiable information,” which can be sold on the Dark Web or “used for various fraudulent activities, including falsified claims, medical device purchasing (and reselling), and credit card identity theft.”
Now, here is where the authors break new ground, in articulating a threat that until now has mostly only been whispered about. They write that “The potential for manipulation of clinical systems and clinical data constitutes an additional threat. The effect of such threats on medical devices has been well described. In 2015, the Food and Drug Administration (FDA) and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert regarding an infusion system that could allow an attacker to remotely control the device and alter therapy administration. In January 2017, the FDA issued a similar warning for St. Jude Medical’s radio-frequency–enabled implantable cardiac devices and transmitters. Fortunately, a software patch could be applied automatically to the affected transmitters,” they note. Further, they write, “Manipulation of patient data could be even more damaging. An attacker with access to a laboratory system could modify data—changing potassium values, for example. Unsuspecting health care providers could react to the falsified potassium values, providing treatment that could harm the patient. Radiology protocols, diagnostic reports, genetic data, progress notes, and electronic prescriptions—the list of possible targets goes on. Protecting our information systems and our health data is critical to ensuring the safe delivery of health care.”
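The scenario the authors describe, an attacker with write access to a laboratory system silently changing a potassium result, is exactly the kind of integrity failure that a confidentiality-focused program (encryption at rest, access logs) does not catch. The example below is added here to show one practical control; it is not code from the NEJM authors or from any EHR or laboratory vendor. Each result is appended to a ledger whose entries carry an HMAC over the record and the previous entry’s tag, so an in-place edit, a deleted result, or a reordered history breaks verification; alongside it runs a simple delta check of the kind clinical laboratories already use to flag implausible swings between a patient’s successive results. The patient records, timestamps, the one-unit delta threshold and the signing key are all constructed for the example; in a real deployment the key would live in an HSM or KMS behind a separate signing service, out of reach of the result database the attacker is assumed to control.

```python
"""Tamper-evident lab result ledger: HMAC-chained records plus a delta check (added example)."""
import copy
import hashlib
import hmac
import json

# Assumption: in production this key is held in an HSM/KMS by a signing service and is
# never stored beside the records. It is a constant here so the example runs offline.
LEDGER_KEY = b"example-lab-ledger-key-do-not-use"

# Constructed sample observations (synthetic; not from any real patient or system).
# Potassium in mmol/L; day-to-day values here are stable around 4.0.
SAMPLE_RESULTS = [
    {"patient": "P001", "test": "K", "value": 4.1, "unit": "mmol/L", "ts": "2017-07-10T08:00:00Z"},
    {"patient": "P001", "test": "K", "value": 4.0, "unit": "mmol/L", "ts": "2017-07-11T08:00:00Z"},
    {"patient": "P001", "test": "K", "value": 3.9, "unit": "mmol/L", "ts": "2017-07-12T08:00:00Z"},
]

GENESIS = "0" * 64  # tag assumed for the (empty) entry before the first result


def canonical(record):
    """Stable byte encoding so the MAC does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_tag(record, prev_tag, key):
    """MAC over the record and the previous entry's tag; edits, deletions and reordering all break the chain."""
    msg = prev_tag.encode() + b"|" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_ledger(records, key):
    """Append records in order, chaining each entry to the one before it."""
    ledger, prev = [], GENESIS
    for rec in records:
        tag = entry_tag(rec, prev, key)
        ledger.append({"record": rec, "prev": prev, "tag": tag})
        prev = tag
    return ledger


def verify_ledger(ledger, key):
    """Return (True, None) if the chain is intact, else (False, index of the first broken entry)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev:  # a deleted or reordered entry shows up here
            return False, i
        expected = entry_tag(entry["record"], prev, key)
        if not hmac.compare_digest(expected, entry["tag"]):  # an edited value shows up here
            return False, i
        prev = entry["tag"]
    return True, None


def delta_check(ledger, test, max_delta):
    """Flag indices whose value differs from the same patient's previous result of `test` by more than max_delta."""
    flagged, last = [], {}
    for i, entry in enumerate(ledger):
        rec = entry["record"]
        if rec["test"] != test:
            continue
        patient = rec["patient"]
        if patient in last and abs(rec["value"] - last[patient]) > max_delta:
            flagged.append(i)
        last[patient] = rec["value"]
    return flagged


def simulate_tamper(ledger, index, new_value):
    """Model an attacker who can write to the result store but does not hold the key: edit one value in place."""
    tampered = copy.deepcopy(ledger)
    tampered[index]["record"]["value"] = new_value
    return tampered


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_RESULTS, LEDGER_KEY)
    print("intact ledger:", verify_ledger(ledger, LEDGER_KEY))
    falsified = simulate_tamper(ledger, 1, 2.5)  # potassium pushed to a critical low
    print("after tamper:", verify_ledger(falsified, LEDGER_KEY))
    print("delta flags on tampered history:", delta_check(falsified, "K", 1.0))
    print("after deleting an entry:", verify_ledger(ledger[:1] + ledger[2:], LEDGER_KEY))
```

The two checks are complementary: the chain catches any change to stored results, including ones that stay within a plausible range, while the delta check catches a large, clinically dangerous swing even if the attacker has somehow obtained the key and re-signed the record. Neither replaces the upstream control the authors imply, which is keeping write access to the laboratory system itself tightly scoped and audited.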
Let’s think about that for a moment: the possibility that some evil or deranged individuals might consciously and purposely decide to manipulate data in order to harm, and possibly even kill, patients. At first, such a prospect might sound like the stuff of science fiction or horror novels. But, really? At a time when individuals are engaged in every form of despicable terrorism and other acts of violence against their fellow human beings, can we afford to be naïve and believe that something like this couldn’t happen? Because it could.
So the reality is that CIOs, CMIOs, CTOs, lab leaders, pharmacy leaders, and everyone else involved in clinical informatics, IT, and clinical leadership in hospitals, medical groups, and health systems need to understand that we have entered a new phase in the history of the healthcare system, one in which the unthinkable is possible. Everyone needs to prepare for the unthinkable.