Your Money or Your Patient’s Life? Ransomware and Electronic Health Records

Annals of Internal Medicine, September 19, 2017
By I. Glenn Cohen (Faculty Director), Sharona Hoffman, and Eli Y. Adashi


The mugger's demand “Your money or your life” is a familiar one. However, in an era of vast hospital computer networks and electronic health records, a novel risk to worry about is, “Your money or your patient's life.” This threat, known as “ransomware,” is an increasingly common experience for computer users around the world. The relevance of this hazard to health care became widely apparent on 12 May 2017 after a global attack effected by ransomware named WannaCry. Among those most severely affected were hospitals, pharmacies, and clinics of the British National Health Service. On these shores, President Trump issued an executive order requiring all government agencies to provide a risk management report to the Department of Homeland Security and the Office of Management and Budget within 90 days.

Ransomware is malicious software (malware) that denies users access to their data unless they pay a ransom. Typically, hackers encrypt data and promise a decryption key in exchange for a ransom. Health care data are especially vulnerable given the imperative of acute care interventions. According to the Department of Health and Human Services, close to 2000 hospital data breaches were reported between 2009 and 2016. A 2016 attack on MedStar Health, a hospital system with a workforce of 30 000 that treats hundreds of thousands of patients in the Baltimore-Washington metropolitan area, is emblematic of the threat. When physicians and nurses tried to access patient records, a pop-up window informed them that they would need to pay $19 000 in bitcoins (a hard-to-trace Internet currency) for a decryption key if operations were to resume. At that point, caregivers could no longer edit patient records or access e-mail or computer records and thus had to rely on paper records, which, they worried, were “missing vital pieces of patient information: complete medical histories, every drug prescribed, allergies to medicine and treatment plans.” The attack also delayed reporting of laboratory test results, prompting MedStar Health to divert ambulances to other facilities and to cancel scheduled patient appointments.
What should be done to counter this emerging threat? No fail-safe solutions exist, and there are tradeoffs between data security and data access that are essential to patient care. The most promising approach is for companies such as Microsoft to identify vulnerabilities in their operating systems and issue patches (which must be promptly installed) to prevent their exploitation. However, patches can themselves be problematic because they can be incompatible with existing software and must therefore be adequately tested. Other safeguards can be implemented by health care providers; we offer several strategies for prevention and response [...].

Read the full article here