Dr. Irv Loh, a SERMO Cardiologist, shares his thoughts on medical data security in light of the recent security breach at Hollywood Presbyterian Hospital in Los Angeles. In August 2015, we polled over 1,800 physicians to better understand how confident they are in their patients’ data security. Almost 3/4 (73%) of physicians polled said they were at best somewhat (or not at all) confident in their patients’ data security. Only 6% were extremely and 22% very confident in medical data security. If you’re a physician, log in to SERMO to join the conversation.
Last week, it was announced that Hollywood Presbyterian Hospital in Los Angeles had its healthcare IT system essentially taken over and knocked offline by some hackers who inserted malware into the hospital servers during the first week of February. The data were not destroyed, but encrypted, and a ransom of $3.4 million (in Bitcoin to enhance their anonymity) was demanded to provide the hospital with the decryption key. In order to function in the interim, the 434-bed hospital had to revert to pen, paper and fax communication. All essential functions dependent on electronic information technology ground to a halt…which, if you reflect on your own modern facility, means just about everything. No records, EMRs (which may not be a bad thing), emails, labs, CT scans, outpatient activities, surgeries. Nada.
One associates ransoms with kidnapping or the taking of hostages. Whereas governments can say (officially) that they don’t negotiate with terrorists, in this scenario, we are now talking about patient lives. Right now. The hospital folded; it coughed up some money (a small percentage of the original ask) to get its system back. Now the FBI is involved.
But this dramatic demonstration of healthcare IT vulnerability will undoubtedly send shockwaves through the industry. Hospitals, insurers, and healthcare data repositories have been attacked many times before with denial of service or phishing attacks. Accessing patient data, as in the UCLA hospital and Anthem insurance attacks reported last year, and the associated privacy data compromise put identity at risk, with the concomitant fraud potential. Insertion of false data could really muck up the system as well if physicians made logical decisions from incorrect information. It makes HIPAA look pretty benign, since the hackers did not have to break into the data box to steal information; they just built a bigger box to contain the hospital’s box, with a lock and key that only they had. And the lives at stake and the cost analysis made capitulation the reasonable option to minimize turmoil and panic. For now.
There is a scramble to find the best vendors to defend against these kinds of attacks, but that will take time. All of these healthcare IT systems will put on a brave face and assure their clients that they have the best firewalls and experts, but this reminds me of the scene from Jaws when, confronted with an opponent of unanticipated ferocity, Brody says to Quint, “You’re gonna need a bigger boat.”
Our profession, not just hospitals, needs to see this as a shot across the bow. Yes, our defenses will get better, but so will the hackers. We currently don’t know who they were, but imagine what it would mean if the skills available on the dark web were harnessed, not to destroy, but to restrict access. The range of cyberterrorists runs from tech-savvy kids in a bedroom to nation-states. We are now facing the adversarial era when our systems and the hackers will be analogous to the perpetual war between bacteria and antibiotics. Extortion in its purest form.
Gear up…it’s going to be a wild ride.
Dr. Irving Kent Loh MD, FACC, FAHA (Epidemiology & Prevention), FCCP, FACP is a board certified internist and sub-specialty board certified cardiac specialist with an emphasis on preventive cardiology. He founded and directs the Ventura Heart Institute, which conducts education, research and preventive cardiovascular programs. Dr. Loh is a former Assistant Professor of Medicine at UCLA School of Medicine. He is Chief Medical Officer and Co-founder of Infermedica, an artificial intelligence company for enhancing clinical decision support for patients and healthcare providers.