ACMS Bulletin March 2022

Perspective

What is the future of cybersecurity in health care? Ransomware, patient safety, and the protection of physician-patient communications.

Bruce Wilder, MD

The health care sector was slow to adopt the electronic health record (EHR) as part of its health information technology (HIT) strategy, for several reasons. Unfortunately, caution apparently was not one of them. It was not until shortly after the EHR became widely adopted in the first decade of this century that the, perhaps inevitable, array of new problems began to emerge. New problems and new challenges, some anticipated, and some not, commonly arise after new technologies are introduced. That has been true for centuries. Patient-safety issues related to the EHR are being identified and dealt with, but the struggle is just beginning.1,2

The phenomenon of ransomware is, of course, not unique to HIT and the health care sector. It appears to be increasing, but there are a number of ways in which it can be combatted. Ransomware is a computer code that is surreptitiously inserted into computer networks, and has the capacity to make systems ineffectual, and restorable only by payment of ransom, usually on the order of several millions of dollars, depending upon the victims’ ability to pay. The availability of digital currency schemes, such as Bitcoin, a still rapidly-evolving technology, enables the transfer of funds in a way that protects the identity of the perpetrator (which may be domestic or foreign—both non-governmental and governmentally supported or tolerated). Governments and industry are, however, beginning to find ways to thwart such transfers and identify the criminals that use it.

The use of block chain3 technology to store medical record information can protect the availability of such information but at significant potential risk to the privacy of such information, including the protection of physician-patient confidentiality. Moreover, it, too, is an evolving technology and is by no means a ready panacea.4

The use of open-source code in the EHR can improve the potential to detect the presence of malicious code in computer networks, in that “many eyes” can be on the lookout for such code, as opposed to only those of the vendor if the code is secret. But “many eyes” are only effective if they are actually looking.

Vendors have a greater incentive to develop protections against hacking, including insertion of ransomware or data-breaching software, if they are not allowed to require “hold harmless” clauses in their contracts with health care entities. Data breaches can occur on many levels and it is not always easy to determine liability. Nonetheless, institutions and/or vendors can be fined huge amounts for data-breaches, depending upon the circumstances.

The use of cloud5-based EHR, a phenomenon that is increasing in popularity, can be of value, especially to smaller entities like group practices that do not have the sophisticated expertise and other resources to maintain protection against malware. The downside is that the cloud is still faced with the challenges of hacking and ransomware. If things go wrong, there may also be troublesome questions of liability. Service contracts with cloud service providers should be carefully scrutinized.

The need for powerful encryption of medical information, whether at the point of care, or remotely stored, should go without saying. However, encryption systems are not impenetrable, and need constant updating to maximize their effectiveness.

The need for regular back-ups cannot be overemphasized, and health care entities should be constantly improving their backup systems, including maintaining multiple locations, whether in the cloud, on site,

Continued on Page 14
