An excellent “Perspective” op-ed article published online earlier this month in The New England Journal of Medicine is bringing forward for industry leaders to consider, a very important and alarming new possibility around data breaches involving PHI (protected health information). Could criminal hackers actually tamper with critical clinical information contained within electronic health records (EHRs), to the potential devastation of patients? Yes, it’s possible—and we need to talk about it.
Under the headline “Threats to Information Security—Public Health Implications,” William J. Gordon, M.D., Adam Fairhall, A.L.M., and Adam Landman, M.D., M.I.S., M.H.S., write online in the July 12 New England Journal of Medicine about the accelerating threats to patient care being posed by hackers. Noting recent high-profile incidents, they write, “In health care, information security has classically been regarded as an administrative nuisance, a regulatory hurdle, or a simple privacy matter. But the recent ‘WannaCry’ and ‘Petya’ ransomware attacks have wreaked havoc by disabling organizations worldwide, including parts of England’s National Health Service (NHS) and the Heritage Valley Health System in Pennsylvania. These events are just two examples of a wave of cyberattacks forcing a new conversation about health care information security. With the delivery of health care increasingly dependent on information systems, disruptions to these systems result in disruptions in clinical care that can harm patients. Health care information security has emerged as a public health challenge.”
Further, the authors note, “Threats to information security plague many industries, but the threats against health care information systems in particular are growing. Data breaches, generally described as an impermissible use or disclosure of protected health information, are particularly prevalent. Nearly 90 percent of health care organizations surveyed by the Ponemon Institute (which does independent research on privacy, data protection, and information security policy) suffered a data breach in the past 2 years; meanwhile, 64 percent of organizations reported a successful attack targeting medical files in 2016—a 9 percent increase in just 1 year.1 Multiple causative factors are involved in the uptick in attacks against health care systems, but some reasons cited in that study include low organizational vigilance, inadequate staffing and funding for information technology security, insufficient technology investment, and the underlying value of health care data as compared with data from other industries.”
The authors go on to explain to their audience about how DoS (denial of service) and ransomware attacks work. “Although DoS and ransomware attacks disrupt systems and can significantly impair the ability to deliver efficient care, they do not necessarily expose patient information,” they note. And then they state that, “More worrisome are attacks that result in breaches of protected health information and personally identifiable information,” which can be black-marketed on the Dark Web, or “used for various fraudulent activities, including falsified claims, medical device purchasing (and reselling), and credit card identity theft.”
Now, here’s where the authors break ground in terms of the way in which they articulate a threat that until now has tended mostly only to be whispered about. They write that “The potential for manipulation of clinical systems and clinical data constitutes an additional threat. The effect of such threats on medical devices has been well described. In 2015, the Food and Drug Administration (FDA) and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert regarding an infusion system that could allow an attacker to remotely control the device and alter therapy administration. In January 2017, the FDA issued a similar warning for St. Jude Medical’s radio-frequency–enabled implantable cardiac devices and transmitters. Fortunately, a software patch could be applied automatically to the affected transmitters,” they note. Further, they write, “Manipulation of patient data could be even more damaging. An attacker with access to a laboratory system could modify data—changing potassium values, for example. Unsuspecting health care providers could react to the falsified potassium values, providing treatment that could harm the patient. Radiology protocols, diagnostic reports, genetic data, progress notes, and electronic prescriptions—the list of possible targets goes on. Protecting our information systems and our health data is critical to ensuring the safe delivery of health care.”
Let’s think about that for a moment—the possibility that some evil or deranged individuals might consciously and purposely decide to manipulate data in order to harm and possibly even kill, patients. At first, such a prospect might sound like the stuff of science fiction or horror novels. But, really? At a time when individuals are engaged in every form of despicable terrorism and other acts of violence and desecration towards their fellow human beings, can we afford to be naïve and believe that something like this couldn’t happen? Because it could.
So the reality is that CIOs, CMIOs, CTOs, lab leaders, pharmacy leaders, and everyone else involved in clinical informatics and IT and clinical leadership in hospitals, medical groups, and health systems, needs to understand that we’ve entered a new phase in the history of the healthcare system in which the unthinkable is possible—and everyone needs to prepare for the unthinkable.
How to do so? There are governance, management, process, and technological aspects of this. To begin with, representatives of all the stakeholder groups involved and potentially involved—IT, clinical informatics, medicine, nursing, pharmacy, laboratory, general administration, and even risk management, legal, and human resources—in hospitals, large medical groups, and health systems, will need to gather around a very big, round table in their patient care organizations, and begin to do scenario planning. They will need to look at what protocols and guardrails they have in place, and will very likely need to bring in IT security consultants in order to map out a plan—and will then need to test out their plan and set in place the protocols and processes to manage an actual attack that manipulates patient data. How will patient care organization leaders even know that such an attack has taken place…? Right now, very, very few organizations would be in a position to know, until after the attackers involved had wreaked tremendous damage.
Sadly—tragically—in our contemporary society, there are bad actors out there who absolutely would be motivated, for whatever reason, or perhaps most chillingly, no reason at all—to try to wreak havoc on patient care organizations in the U.S. and elsewhere. And, given the globalization of technology and our increasing connectivity, the potential for such a doomsday-type of attack is real. I salute authors Gordon, Fairhall, and Landman, for articulating so well the threats facing patient care organizations in the U.S., and beyond, and for prompting patient care leaders to take action—proactively—before the next terrible thing happens to a U.S.—or any—patient care organization.