From the largest healthcare companies to individual practices, all medical organizations face the risk of costly cyberattacks. In recent years, hackers have threatened to release the personal information of patients and employees – or cripple online systems – unless they receive a ransom.
Do businesses have to pay? It’s not an easy answer, two experts told colleagues during an American Medical Association (AMA) cybersecurity webinar on Oct. 18. It turns out that every choice – to pay or not to pay – can end up being costly.
This is just one of the new cybersecurity challenges facing the U.S. medical system, speakers said. Others include the possibility of hackers manipulating patient data – for example making a medical test negative when it is actually positive – and taking advantage of the powers of artificial intelligence (AI).
The AMA hosted this webinar to educate physicians about cybersecurity risks and defenses, an especially hot topic following last spring’s Change Healthcare hack, which has cost UnitedHealth Group approximately $2.5 billion so far and has profoundly disrupted the American healthcare system.
Cautionary tales abound. Greg Garcia, executive director for cybersecurity at the Health Sector Coordinating Council, a coalition of medical industry organizations, pointed to a Pennsylvania clinic that refused to pay a ransom to prevent the release of hundreds of images of patients with breast cancer undressed from the waist up. Garcia told webinar attendees that the ransom was $5 million.
Risky choices
Although the Federal Bureau of Investigation advises against paying a ransom, refusing can also be a risky choice, Garcia said. The hackers published the images, and the center reportedly agreed to settle a class-action lawsuit for $65 million. “They traded $5 million for $60 million,” Garcia said, slightly misrepresenting the settlement amount.
Health systems are questioning whether they paid ransoms to prevent private data from being made public during cyberattacks. If a ransom is demanded, “it’s every man for himself,” Garcia said.
He highlighted the case of a chain of psychiatric practices in Finland that suffered a ransomware attack in 2020. The hackers “contacted patients and said, ‘Hey, call your clinic and tell them to pay the ransom. Otherwise, we will make all of your psychiatric notes public.’”
Cyberattacks continue. Earlier this month, Boston Children’s Health announced a “recent security incident” involving data – possibly including Social Security numbers and treatment information – about patients and employees. A group of hackers has reportedly claimed responsibility and wants the system, which has more than 300 clinicians, to pay a ransom or it will disclose the stolen information.
Should paying a ransom be a crime?
Christian Dameff, MD, MS, emergency physician and director of the Center for Healthcare Cybersecurity at UC San Diego, noted that efforts are being made to make paying a ransom a crime. “If people don’t pay ransom, ransomware operators will turn to something else that will make them money.”
Dameff urged his colleagues to understand that we no longer live in a world where clinicians only think about technology when they call the IT department to help them reset their password.
New challenges face clinicians, he said.
“How can we develop better strategies, downtime procedures, and safe clinical care in a time when our life-saving technology can disappear, not just for an hour or two, but, as is the case with these ransomware attacks, sometimes for weeks or even months?”
Garcia said “cybersecurity is everyone’s responsibility, including frontline clinicians. Because you’re touching data, you’re touching technology, you’re touching patients, and all of those things combine to present certain vulnerabilities in the digital world.”
Next frontier: Hackers can manipulate patient data
Dameff said future hackers could use AI to manipulate individual patient data in ways that threaten patient health. AI makes this easier to achieve, he said.
“What if I delete your allergies from your electronic health record, or manipulate your chest X-ray, or change your lab values to make it look like you are in diabetic ketoacidosis when you’re not, and a clinician gives you insulin when you don’t need it?”
Garcia highlighted another new threat: phishing efforts that are harder to ignore thanks to AI.
“One of the most effective ways for hackers to gain entry, disrupt systems and steal data is through email phishing, and this will only get better with artificial intelligence,” he said. “You will no longer have typos in this email written by a group of hackers in Nigeria or China. It’s going to be perfect.”
What can health practices and systems do? Garcia highlighted the federal health agency’s efforts to encourage organizations to adopt cybersecurity best practices.
“If you are the victim of a data breach and can demonstrate to the U.S. Department of Health and Human Services (HHS) that you have implemented generally accepted cybersecurity controls within the past year, that you did your best, that you did the right thing, and you still got hit, HHS’s job is basically to take it easy on you,” he said. “It’s a positive incentive.”
Guide to ransomware in the works
Dameff said the Center for Healthcare Cybersecurity at UC San Diego plans to release a free cybersecurity guide next year that will include specific information on ransomware attacks for medical specialties such as cardiology, trauma surgery and pediatrics.
“So, if you ever get hit with ransomware, you can pull out this guide. You will know what is going to happen and you will be able to better prepare for these effects.”
Will the future president prioritize healthcare cybersecurity? It remains to be seen, but crises do have the capacity to focus minds, experts say.
The nation’s capital “has a very short memory and limited attention span. Policymakers tend to be reactive,” Dameff said.
“All it takes is one new Change Healthcare attack that disrupts 30% or more of the nation’s healthcare system for policymakers to sit up, take notice and try to find solutions.”
Additionally, he said, an estimated two data breaches or ransomware attacks occur every day. “The fact is we are all patients, all the way up to the President of the United States, and every member of Congress is a patient.”
There is a “very existential, very palpable understanding that cybersecurity is patient safety and cyber insecurity is patient insecurity,” Dameff said.
Randy Dotinga is a freelance writer and board member of the Association of Health Care Journalists.