This article appears in the August issue of Patient Safety Monitor.
Virtual attacks can physically harm patients
In the TV show Mr. Robot, there’s a scene where the main character hacks his hospital’s computer system to change his drug test results from positive to negative. Naturally, doing such a thing in real life isn’t as easy as the show makes it out to be. But it does touch upon a real problem in today’s healthcare system: Computer crimes can have real-world effects.
In the course of just one weekend in May, more than 300,000 computers in 150 countries were held hostage by a ransomware virus called “WannaCry.” The virus locked down computer systems and forced hospitals, corporations, universities, and individuals to pay $300 apiece in Bitcoin to regain access to their files.
One of the most notable victims of WannaCry was the United Kingdom’s National Health Service (NHS). About one-fifth of NHS trusts (which oversee British hospitals) were affected, forcing them to reroute ambulances, postpone surgeries, and cancel appointments. And any cyberattack opens the possibility that patient data could have been stolen or altered, although WannaCry doesn’t appear to have done so.
While American hospitals were mostly unaffected by this particular attack, there has been a worrying jump in successful ransomware attacks in the United States. Healthcare organizations (HCOs) are prime targets for other types of malware and computer viruses, too, because they are relatively easy targets and have the resources to pay off hackers.
Once on an HCO’s computer or electronic health record (EHR) system, viruses give hackers dangerous amounts of access to private patient data. In the case of ransomware, they can lock down files and stall services. Other types of malware can steal or even change patient information.
That said, many people still seem unable to see how a virtual attack can physically affect patients. Mitch Work, MPA, FHIMSS, president and CEO of The Work Group, Inc., says a lot of HCOs make the mistake of thinking the biggest risk of a cyberattack is a Health Insurance Portability and Accountability Act (HIPAA) fine.
“I think that HCOs have a growing awareness of cybersecurity threats but need to be better educated about them and how to prevent them,” Work says. “Cybersecurity can have a major impact on patient safety. If hackers are able to access patient records and information, they will conceivably have the capability to change and manipulate patient data, which could have disastrous consequences. Think of [someone] changing medications, patient vital signs, or even diagnoses. Moreover, breaches in security can undermine the community’s confidence in an HCO, damaging the HCO’s reputation.”
Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says robust cybersecurity is a must-have for all hospitals and that it begins with knowing the problem.
“For me, the lack of knowledge [about cybersecurity] may be the biggest issue,” says Ruelas. “For example, the cybersecurity community often never knows about a threat until organizations are successfully attacked. As a result, cybersecurity experts are often dealing with the aftermath while those writing these malware programs are constantly developing new threats. It goes back to the old model of how it is impossible for policies, often based on information, [to] keep up with technology because technology is often far ahead in not only developing new ways of doing something, but also developing information in the process.”
Ransomware is a new twist on the old crime of hostage taking. The virus locks down all of your computer files so you can’t access them, then a screen appears telling you that you have a certain number of days to pay the hacker in untraceable currency. Pay and you (probably) get all of your files back. Refuse and your computer remains locked and your files, documents, photos, and videos are lost forever.
Ransomware sealing away someone’s family photos is bad enough, but it reaches a new level when hospitals are affected. Losing access to medical records and computer systems while treating patients can be devastating.
Ruelas notes that, depending on the type of ransomware, a hacker can also download and view copies of the infected system’s records. For a hospital, those records include:
• Medical records
• Patient histories
• Insurance information
• Credit card numbers
• Social Security numbers
• Dates of birth, phone numbers, addresses, etc.
The sheer volume of valuable information is one of the reasons why 88% of ransomware attacks are targeted at hospitals. But there are ways to prevent ransomware hackers from viewing your files, even if they infect your system with a virus.