As the SARS-CoV-2 pandemic spread over the last year, health care institutions became increasingly vulnerable to another kind of dangerous viral attack—this time, at the hands of cybercriminals.
During the 2021 virtual Critical Care Congress of the Society of Critical Care Medicine, a panel of physicians urged attendees to take steps to protect their hospitals’ cybersecurity systems, pointing out that the health care sector is now the most targeted industry by ransomware in the United States.
These attacks can significantly affect patient care, harm patients and providers, and carry an enormous price tag. Medical data breaches alone cost the health care industry more than $5.6 billion annually.
“Hacking in health care is a major problem, with estimated millions of records being breached every year in the U.S. alone,” said L. Nelson Sanchez-Pinto, MD, MBI, a specialist in pediatric critical care medicine and informatics at Ann & Robert H. Lurie Children’s Hospital of Chicago.
Last fall, federal agencies issued a warning that cybercriminals were targeting U.S. health care institutions. The wave of ongoing attacks was designed to lock up hospital health information systems as COVID-19 cases were spiking. Cybersecurity firm Check Point reported that ransomware attacks against American hospitals rose 71% from September to October 2020.
Cyberattacks on health systems come in three forms—phishing, malware and medical data breaches—said Dr. Sanchez-Pinto, who moderated the panel. Phishing attacks are the most common; they arrive as legitimate-looking emails that trick the recipient into opening a link or document carrying malware, or into providing personal information.
Malware is software that users inadvertently download onto their devices and that then infects the system. Malware can lock a computer until the user pays a sum of money, a variant known as ransomware; or it can silently spy on the computer, send data out or give a hacker access.
Medical data breaches have become more frequent in recent years; hackers steal medical records and sell them on the dark web. They can fetch up to $1,000 per patient because of the breadth of information in medical records. Information contained in these files can be used for fraud or identity theft, as well as blackmail or extortion. Provider data can also be accessed and used for fraudulent insurance claims or prescription drug fraud.
Dr. Sanchez-Pinto said physicians and their colleagues must create a culture focused on cybersecurity, although it means some tasks require more time.
“Taking extra security steps online can be annoying because it can seem like they are slowing our workflow, but we owe it to our patients to be safe with their data because it’s extremely vulnerable,” he said.
On April 9, 2017, the Level I trauma center at the University of Buffalo was hit by a variant of ransomware named SamSam. The attack shut down the hospital’s health care IT system, including all electronic clinical applications, billing and scheduling services, and communication tools. The hospital decided not to pay the ransom and turned to old-fashioned paper charts and face-to-face communication for two months while the IT system was restored.
In that time, staff lost access to the electronic medical record (EMR), the picture-archiving and communication system, even the internet.
Physicians could access patients’ historical data, including medical records and imaging, through HealtheLink, an electronic clinical information exchange among hospitals in Western New York. Otherwise, patient information was communicated only in writing, by phone and in person.
W. Alan Guo, MD, an acute care surgeon and a surgical intensivist at the University of Buffalo, said trainees struggled with the abrupt switch to a paper-based system because they had come to medicine in the era of the EMR.
In a study published in 2018, Dr. Guo and his colleagues reported that residents were stressed by the lack of online resources in the aftermath of the attack (J Surg Res 2018;232:389-397). Some surgical residents said they had less hands-on experience in the OR because limited imaging made cases more difficult.
He urged hospitals to treat ransomware attacks like other disasters and prepare for them as part of disaster planning. Training in paper-based documentation should be included as part of hospital in-service and the graduate medical education curriculum, he said.
“Everything is digital now. So, younger generations need to learn about paper-based documentation in case something happens, because the cyberattack rate is getting higher and higher in this world,” Dr. Guo said.
During the pandemic, health systems have become more dependent on smart devices and telemedicine. This reliance makes hospitals more vulnerable to major attacks, according to Piyush Mathur, MD, a critical care physician at Cleveland Clinic in Cleveland, who chairs its Anesthesiology Institute compliance committee.
“We need to understand that despite telemedicine providing access to a lot of different patient care areas, it has vulnerabilities and we need to be prepared for that,” he said.
Telemedicine systems rely on a network of products that are built in one country, used in another and perhaps serviced in yet another. These systems can be accessed by a global network of people working at multiple points in the chain, including human resources programs, audiovisual intersections and even IV pumps at the bedside.
“These, across the entire nation, are all vulnerable to attack,” Dr. Mathur said.
—Christina Frangou
This article is from the September 2021 print issue.