This article appeared last week:
Threats to Information Security — Public Health Implications
July 12, 2017. DOI: 10.1056/NEJMp1707212
In health care, information security has classically been regarded as an administrative nuisance, a regulatory hurdle, or a simple privacy matter. But the recent “WannaCry” and “Petya” ransomware attacks have wreaked havoc by disabling organizations worldwide, including parts of England’s National Health Service (NHS) and the Heritage Valley Health System in Pennsylvania. These events are just two examples of a wave of cyberattacks forcing a new conversation about health care information security. With the delivery of health care increasingly dependent on information systems, disruptions to these systems result in disruptions in clinical care that can harm patients. Health care information security has emerged as a public health challenge.
Threats to information security plague many industries, but the threats against health care information systems in particular are growing. Data breaches, generally described as an impermissible use or disclosure of protected health information, are particularly prevalent. Nearly 90% of health care organizations surveyed by the Ponemon Institute (which does independent research on privacy, data protection, and information security policy) suffered a data breach in the past 2 years; meanwhile, 64% of organizations reported a successful attack targeting medical files in 2016 — a 9% increase in just 1 year.1 Multiple causative factors are involved in the uptick in attacks against health care systems, but some reasons cited in that study include low organizational vigilance, inadequate staffing and funding for information technology security, insufficient technology investment, and the underlying value of health care data as compared with data from other industries.
Attackers use a variety of techniques against health care organizations. Denial of service (DoS) attacks, aimed at disrupting and disabling systems by overwhelming them with large volumes of network traffic, have targeted health care facilities.2 Such attacks can render clinical systems unusable, with negative effects on core hospital operations, such as delays in surgical procedures, lab-result reporting, and bed management. More recently, attacks against health care organizations have taken the form of ransomware. In these attacks, an information system — for example, a database containing patient information — is encrypted in such a way that only the attacker has the “key” to unlock the data. Hospitals are faced with poor options: pay the attacker, usually anonymously in online cryptocurrencies such as Bitcoin, or rely on older backups that may not contain the most recent clinical information; even an organization that backs up every system daily could lose critical data if forced to restore from a backup. The May 2017 WannaCry attack that affected the NHS is an example. Other recent examples include an attack on the Hollywood (California) Presbyterian Medical Center that resulted in the payment of $17,000 to hackers and one on MedStar Health, which caused a temporary but large-scale computer shutdown in its network of hospitals. Payment doesn’t guarantee access to encrypted data — though the ransom price could be worth the risk depending on the severity of potential data loss. More than 50% of hospitals have reported at least one ransomware attack in the past year.3
Although DoS and ransomware attacks disrupt systems and can significantly impair the ability to deliver efficient care, they do not necessarily expose patient information. More worrisome are attacks that result in breaches of protected health information and personally identifiable information. Such information is valuable to attackers for two main reasons. First, it has direct monetary value: attackers can sell these data in anonymous online forums that are part of what’s sometimes referred to as “the dark web.” For example, in June 2016, a hacker posted on the “Real Deal” dark-web marketplace offering for sale more than 600,000 medical records from three different systems, one of which was an entire electronic health record, including screen shots.4 Medical records can be used for various fraudulent activities, including falsified claims, medical device purchasing (and reselling), and credit card identity theft.
The full article is found at the link below and is not behind a paywall:
This is a useful contribution, as it warns clinicians that as the level of IT reliance rises we need to be much more careful and much better educated regarding risks to our systems and data.
Well worth a careful browse.
David.
With me as a consumer now being conscripted into the MyHR and with organisations being coaxed into participating, will the Digital Health Agency be funding educational programs on security and privacy? Will they fund and operate a national program to ensure all end points are up to date security-wise, to ensure the collective is protected?
Out of interest, does this opt-out and integration with the MyHR now make end points part of the national infrastructure? If so, should I be expecting an IRAP assessor to be knocking on my door?
ADHA is between a rock and a hard place. If they use the full scope of information hidden away on their web pages and in the legislation to educate and inform the Australian population, patients will see MyHR for what it is: how much time and effort they must invest in attempting (and probably failing) to keep their record up to date; who can see their information; how little control they have over who can see their information, etc., etc.
If they don't, and they continue their approach of misinforming the population about the system, then I'm sure there will be quite a few people speaking up and telling it like it is.