Perspective
What is the future of cybersecurity in health care? Ransomware, patient safety, and the protection of physician-patient communications.
Bruce Wilder, MD
The health care sector was slow to adopt the electronic health record (EHR) as part of its health information technology (HIT) strategy, for several reasons. Unfortunately, caution apparently was not one of them. It was not until shortly after the EHR became widely adopted, in the first decade of this century, that the perhaps inevitable array of new problems began to emerge. New problems and new challenges, some anticipated and some not, commonly arise after new technologies are introduced. That has been true for centuries.
Patient-safety issues related to the EHR are being identified and dealt with, but the struggle is just beginning.1,2
The phenomenon of ransomware is, of course, not unique to HIT and the health care sector. It appears to be increasing, but there are a number of ways in which it can be combatted. Ransomware is malicious code, surreptitiously introduced into a computer network, that renders systems unusable, typically by encrypting the data they hold (and, increasingly, by also copying that data out so that its publication can be threatened), so that the systems can be restored only from clean backups or by paying for the decryption key. Demands range from thousands to many millions of dollars and are calibrated to the victim's perceived ability to pay. Digital currency schemes such as Bitcoin, a still rapidly evolving technology, let the perpetrator (domestic or foreign, non-governmental or governmentally supported or tolerated) collect payment without presenting a bank identity. Such payments are pseudonymous rather than anonymous, however: every transfer is recorded on a public ledger, and governments and industry are finding ways to trace such transfers, seize funds and identify the criminals that use them.
The use of blockchain3 technology to store medical record information can protect the integrity and availability of such information, since copies are replicated and any alteration is detectable, but at significant potential risk to its privacy, including the protection of physician-patient confidentiality, because a ledger is designed to be shared and is very difficult to amend or erase once written. Moreover, it, too, is an evolving technology and is by no means a ready panacea.4
The use of open-source code in the EHR can improve the chances of detecting malicious code in the product, in that "many eyes" can be on the lookout for it, as opposed to only the vendor's if the code is secret. But "many eyes" are only effective if they are actually looking; open code that nobody audits is no safer than closed code. Vendors have a greater incentive to develop protections against hacking, including the insertion of ransomware or data-breaching software, if they are not allowed to require "hold harmless" clauses in their contracts with health care entities. Data breaches can occur at many levels, and it is not always easy to determine liability. Nonetheless, institutions and/or vendors can be fined huge amounts for data breaches, depending upon the circumstances.
The use of cloud5-based EHR, a phenomenon that is increasing in popularity, can be of value, especially to smaller entities like group practices that do not have the sophisticated expertise and other resources to maintain protection against malware. The downside is that cloud systems face the same hacking and ransomware threats, and responsibility for security is shared: the provider secures the underlying platform, but the customer still controls who has accounts, what those accounts may access and how the service is configured, and stolen credentials or a misconfigured setting on the customer's side are a common point of entry. If things go wrong, there may also be troublesome questions of liability. Service contracts with cloud service providers should be carefully scrutinized, including for what the provider does and does not undertake to protect.
The need for powerful encryption of medical information, whether at the point of care or remotely stored, should go without saying. Encryption protects confidentiality, however, not availability: an intruder who has obtained a legitimate user's credentials reads, and can re-encrypt for ransom, the data just as that user would, so encryption by itself is no defense against ransomware. Nor are encryption systems impenetrable; the weaknesses that surface in practice are usually in key management, software implementation and the continued use of outdated algorithms rather than in the mathematics, which is why such systems need constant updating to remain effective.
The need for regular back-ups cannot be overemphasized, and health care entities should be constantly improving their backup systems, including maintaining copies in multiple locations, whether in the cloud, on site, or siloed in private remote locations. Obviously, there are significant cost considerations, but they need to be weighed against the potential costs of fines for data breaches or ransom demands. Regular, isolated backups without concurrently searching for malware may provide a false sense of security if the possibility of "time bombs" or other "logic bombs"6 is not considered. In other words, malware may exert its effects long after it has been inserted, and long after months-old pre-hacking backups have been deleted to save storage space. The retention period therefore has to be longer than the time an intruder can remain undetected, at least one copy should be offline or otherwise beyond the reach of an attacker who has obtained administrative rights, and restores should be rehearsed so that a backup is known to be usable before it is needed.
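The retention arithmetic behind that warning, as an added example that is not part of the article: it models a dormant implant, a rolling retention window, and an intruder who may also purge the online backup store. The dates, the 90-day dormancy and the seven-day cadence of isolated copies are assumed inputs chosen for illustration.

```python
"""Backup retention versus malware dwell time.

Added example; it is not code from the article. It models the situation
the paragraph above describes: a dormant logic bomb is planted, a rolling
retention policy keeps pruning the oldest copies, and by the time the
payload detonates (or a scan finally finds it) every surviving backup may
already contain it. The planting date, detonation date and retention
figures below are assumed inputs chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RestorePoint:
    taken: date
    # Offline or write-once copy that an attacker holding admin rights cannot purge.
    immutable: bool


def catalog_on(detonated_on: date, retention_days: int,
               immutable_every: int = 7) -> list[RestorePoint]:
    """Constructed catalog as it looks on detonation day.

    One restore point per day; every `immutable_every`th copy, counting back
    from detonation day, also exists on isolated media. Anything older than
    `retention_days` has already been pruned to save storage.
    """
    return [
        RestorePoint(taken=detonated_on - timedelta(days=age),
                     immutable=(age % immutable_every == 0))
        for age in range(retention_days)
    ]


def clean_restore_points(catalog: list[RestorePoint], planted_on: date,
                         online_purged: bool = False) -> list[RestorePoint]:
    """Restore points that predate the implant, newest first.

    A copy taken after `planted_on` carries the dormant payload even though
    nothing has detonated yet, so restoring it simply re-arms the bomb. If
    the intruder used admin access to wipe the online backups
    (`online_purged`), only the isolated copies survive at all.
    """
    survivors = [rp for rp in catalog if rp.immutable or not online_purged]
    return sorted((rp for rp in survivors if rp.taken < planted_on),
                  key=lambda rp: rp.taken, reverse=True)


def assess(planted_on: date, detonated_on: date, retention_days: int,
           online_purged: bool = False) -> dict:
    """Would this retention policy have left a clean copy to restore from?"""
    dwell = (detonated_on - planted_on).days
    clean = clean_restore_points(catalog_on(detonated_on, retention_days),
                                 planted_on, online_purged)
    return {
        "dwell_days": dwell,
        "retention_days": retention_days,
        "clean_restore_points": len(clean),
        "newest_clean": clean[0].taken.isoformat() if clean else None,
        # The check to run before an incident rather than after it.
        "retention_exceeds_dwell": retention_days > dwell,
    }


def scenario() -> dict:
    """Assumed scenario: implant planted 10 Jan 2022, dormant for 90 days."""
    planted, boom = date(2022, 1, 10), date(2022, 4, 10)
    return {
        "retention_30d": assess(planted, boom, 30),
        "retention_120d": assess(planted, boom, 120),
        "retention_120d_online_purged": assess(planted, boom, 120, online_purged=True),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

The 30-day policy is the case the paragraph warns about: every copy still on hand was taken after the implant, so there is nothing clean to restore. Lengthening retention to 120 days keeps 29 clean daily copies, but once the intruder has purged the online store only the five isolated copies remain, which is why an offline or write-once tier matters as much as the retention period itself.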
Finally, the Achilles heel of nearly all protection systems is the users themselves, who must necessarily have access to health care information at the point of care and in claims processing (the latter being, at least in theory, arguably not necessary). That means ongoing training of users to recognize phishing and other attempts to trick them into giving away access, limiting each user's access to what the job actually requires, and keeping records of who accessed what, so that sabotage by, say, a disgruntled authorized user can be detected and attributed as well as prevented.
As I am putting the final touches on this article, we are beginning to see the cyber fall-out of the Russian invasion of Ukraine. Not surprisingly, concerted efforts to hack the Russian economic infrastructure have already begun, and it remains to be seen how effective (and devastating) cyberwarfare by either side will be in the coming months. Certainly, though, we will have entered into a new era of international conflict, and there is much uncertainty as to how much this will affect us in the years to come, including in the area of health care.7,8
The upside is that we may learn – painful as the process may be – a great deal about how to make our health care systems more secure in the process.
An important step toward strengthening cybersecurity is the recent passage by the Senate of S.3600, the Strengthening American Cybersecurity Act of 2022 (whose titles include the Federal Information Security Modernization Act of 2022 and the Cyber Incident Reporting for Critical Infrastructure Act of 2022), currently under consideration in the House. That legislation, if enacted, would require critical infrastructure (including health care and public health) entities to report "substantial cyber incidents" to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to report ransomware payments within 24 hours.9
I believe that, ultimately, we will learn how to manage the new problems that have arisen with the introduction of HIT, but it will take hard work and a rearranging of priorities to reach the point where we are able to reap its benefits without sacrificing the basic underpinnings of a safe and effective infrastructure for the delivery of health care.
References:
1. Blease C, et al. Sharing Clinical Notes: Potential medical-legal benefits and risks. JAMA 2022;327(8):717-718.
2. Sittig D, et al. Guidelines for US Hospitals and Clinicians on Assessment of Electronic Health Record Safety Using SAFER Guides. JAMA 2022;327(8):719-720.
3. Blockchain is a relatively new technology that has the potential to protect the integrity of encrypted data. See https://en.wikipedia.org/wiki/Blockchain
4. Afraz N. Is blockchain a friend or foe in ransomware attacks? https://www.siliconrepublic.com/enterprise/blockchain-cybersecurity-nima-afraz
5. Although the term "cloud" suggests some remote, ephemeral location of data and software, its infrastructure is really physically identifiable, so-called data and server farms very much located on this earth.
6. A logic bomb is code that triggers the execution of other code when certain conditions are met. It may have a legitimate or illegitimate purpose. Here, I refer to its illegitimate purpose of triggering malware capable of corrupting or deleting data or legitimate programs, stealing sensitive data, or siphoning off funds, and that may be dormant until certain conditions are met. A time bomb is basically a sub-category of logic bomb that does so at a given date and time. See https://en.wikipedia.org/wiki/Logic_bomb for further details.
7. Henderson J. Watch Out for Cyberattacks Following Russia's Invasion of Ukraine. 2/25/22. https://www.medpagetoday.com/special-reports/exclusives/97385
8. Gerstell G. America Isn't Ready for the Cyberattacks That Are Coming. New York Times, 3/5/22. https://www.nytimes.com/2022/03/04/opinion/ive-dealt-with-foreign-cyberattacks-america-isnt-ready-for-whats-coming.html
9. Jercich K. Senate mandates cyberattack reporting to CISA. Healthcare IT News, 3/9/22. https://www.healthcareitnews.com/news/senate-mandates-cyberattack-reporting-cisa