Clear tactics, but few easy solutions, for hospitals combating ransomware

September 19, 2017

PROVIDENCE, R.I. [Brown University] -- Especially cruel hackers know that lives are on the line when they hold a hospital's computer systems hostage, as they did in the May 12 attack dubbed WannaCry, which locked down many overseas hospitals with the demand for a ransom. In a new article in the Annals of Internal Medicine, three medical and legal experts delineate the many steps hospitals can take to prevent and respond to attacks, but note that some strategies won't be easy to accomplish and that full security is likely impossible to ensure.

"Patients can suffer severe negative health effects if their treatment is delayed, discontinued or performed incorrectly because hospital records are unavailable," the authors wrote in the essay titled "Your Money or Your Patient's Life: Ransomware and Electronic Health Records."

The authors are Dr. Eli Adashi, professor of medical science and former dean of medicine and biological sciences at Brown University; I. Glenn Cohen, professor of law at Harvard University; and Sharona Hoffman, professor of law and bioethics at Case Western Reserve University.

"There are things we can do to reduce the risk but it is very hard to perfect IT security, especially given the needs of modern hospital systems to have things moving between places and increasing demand for patient-facing access," Cohen said. "To some extent, these attacks are inevitable."

The authors cite research that counted nearly 2,000 hospital data breaches of varying kinds between 2009 and 2016. In that last year, a ransomware attack hit a hospital system in the Baltimore area, forcing workers to rely on paper records.

In their new paper, the authors list several steps -- some simple and others more complex -- that hospitals can take to prevent or at least mitigate attacks and to ensure that they are in compliance with the Health Insurance Portability and Accountability Act, which requires holders of health records to keep them secure. Some of the more straightforward tactical recommendations include workforce training, retaining cybersecurity expertise, patching operating systems and reporting attacks promptly to authorities.

But they also recommend more strategic, nationwide steps, even though those may be harder to accomplish.

Adashi noted that the U.S. government's response in the wake of WannaCry was fragmented among many agencies, although just the day before President Donald Trump had issued a sweeping executive order instructing federal agencies to embark on a number of actions to ensure greater cybersecurity. Building on that to develop a cohesive government response pertaining to health care infrastructure, he said, could provide all hospitals with common, well-informed guidelines.

"We need a coordinated national effort," he said. "This will take time."

Cohen said another key step could be for the Joint Commission, which accredits hospitals, to make cybersecurity requirements a high priority in renewing accreditation.

And hospitals should consider committing to a principle of "non-payment" of ransoms to hackers, the authors proposed, akin to the US government policy of not paying ransoms to terrorists. Adashi said all of these steps, but especially that one, should be implemented only after considerable public discussion.

After all, with lives on the line, Cohen acknowledged, pressure could quickly build to abandon an abstract policy, especially if it didn't have buy-in from patients.

"If I were a hospital CEO, it's one thing to make this pledge ex ante, but it's another thing when you have a population of patients who need health care to stick by it," he said.
-end-


Brown University

Related Health Care Articles from Brightsurf:

Study evaluates new World Health Organization Labor Care Guide for maternity care providers
The World Health Organization developed the new Labor Care Guide to support clinicians in providing good quality, women-centered care during labor and childbirth.

Six ways primary care "medical homes" are lowering health care spending
New analysis of 394 U.S. primary care practices identifies the aspects of care delivery that are associated with lower health care spending and lower utilization of emergency care and hospital admissions.

Modifiable health risks linked to more than $730 billion in US health care costs
Modifiable health risks, such as obesity, high blood pressure, and smoking, were linked to over $730 billion in health care spending in the US in 2016, according to a study published in The Lancet Public Health.

Spending on primary care vs. other US health care expenditures
National health care survey data were used to assess the amount of money spent on primary care relative to other areas of health care spending in the US from 2002 to 2016.

MU Health Care neurologist publishes guidance related to COVID-19 and stroke care
A University of Missouri Health Care neurologist has published more than 40 new recommendations for evaluating and treating stroke patients based on international research examining the link between stroke and novel coronavirus (COVID-19).

Large federal program aimed at providing better health care underfunds primary care
Despite a mandate to help patients make better-informed health care decisions, a ten-year research program established under the Affordable Care Act has funded a relatively small number of studies that examine primary care, the setting where the majority of patients in the US receive treatment.

International medical graduates care for Medicare patients with greater health care needs
A study by a Massachusetts General Hospital research team indicates that internal medicine physicians who are graduates of medical schools outside the US care for Medicare patients with more complex medical needs than those cared for by graduates of American medical schools.

The Lancet Global Health: Improved access to care not sufficient to improve health, as epidemic of poor quality care revealed
Of the 8.6 million deaths from conditions treatable by health care, poor-quality care is responsible for an estimated 5 million deaths per year -- more than deaths due to insufficient access to care (3.6 million) .

Under Affordable Care Act, Americans have had more preventive care for heart health
By reducing out-of-pocket costs for preventive treatment, the Affordable Care Act appears to have encouraged more people to have health screenings related to their cardiovascular health.

High-deductible health care plans curb both cost and usage, including preventive care
A team of researchers based at IUPUI has conducted the first systematic review of studies examining the relationship between high-deductible health care plans and the use of health care services.

Read More: Health Care News and Health Care Current Events
Brightsurf.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.