Electronic health records at hospitals across the country have become attractive to cybercriminals looking for relatively easy and lucrative targets.
These criminals use so-called “ransomware” to encrypt files and then hold them hostage to extract payouts for the return of the data.
They may be preying on hospitals because cyberprotection measures likely have not kept pace with electronic data collection and because hospitals typically do not have backup systems and databases in place, even though such attacks can strain health care systems and potentially put patients' lives at risk.
There are several potential reasons for hospitals' current cybervulnerability.
Many hospitals might lack the financial resources necessary to invest in cybersecurity or to mitigate the effects of a successful attack. In addition, most hospital leaders probably have not, until recently, considered hospitals to be high-priority targets for cybercriminals.
The Health Information Technology for Economic and Clinical Health Act of 2009 also subsidized and incentivized rapid adoption of electronic health records throughout America's health care system, possibly pushing providers and vendors too far and too fast to allow careful consideration of the security implications.
Hospitals and health care organizations of all sizes have struggled with the poor usability and interoperability of these new electronic records systems. Based on the recent string of ransomware attacks, it appears that the security of these new electronic systems is significantly underdeveloped—from both the technological and human perspectives.
Electronic health records are more than just data repositories. They are conduits for many types of medical information, including test results, messages between clinicians, scheduling systems and medical orders (such as prescription medications and medical procedures).
Hospitals frequently emphasize quick access to data, order entry capabilities and electronic medical devices, which may lead to increased cybervulnerability if adequate authentication and authorization security measures are not in place.
In a hospital setting, instituting complicated passwords or multiple levels of authentication that can enhance security is unlikely to be straightforward, especially when quick access could improve patient outcomes during urgent or emergency treatment.
Hospital leaders should consider how their organizations will respond when—not if—they are attacked.
When forced to deal with a ransomware attack, many hospitals could face serious challenges switching to non-electronic systems like pen and paper, especially if the locked-out electronic health record system has been in place long enough for hospital personnel to become deeply dependent on it.
Even temporary reliance on paper records could compromise patient care if workers are not familiar with older, paper-based procedures.
Unless a hospital has planned for an electronic health records lockout and rehearsed how it will respond, the transition back to paper or another electronic system (or more likely, a patchwork of disconnected and out-of-date systems) could endanger patient health.
When critical clinical services cannot be re-established in a timely fashion, some patients might need to evacuate the facility, and new patients might need to be redirected to unaffected hospitals.
Transferring patients to other facilities may be especially challenging for large, integrated health care systems that rely on a single electronic health record: if that record suddenly becomes unavailable, care could be compromised in all of the system's hospitals at once, broadly reducing local or regional health system capacity. There is likely to be a role for public health authorities in planning for such events.
What can be done to protect hospitals and patients? Truly impenetrable security is unattainable, but hospitals can reduce their attractiveness to cybercriminals relative to other potentially lucrative targets.
As the saying goes, to escape a bear you don't have to outrun the bear, you just have to run faster than the bear's other targets. By adopting stronger cybersecurity measures, hospitals can cause cybercriminals to seek payouts elsewhere, in industries with weaker security.
To repair the chinks in their cyber-armor, hospitals could make it harder for would-be criminals to take advantage of weaknesses.
Potential cybersecurity solutions include multifactor authentication; encryption (in transit and at rest); implementing backup systems and regular patching and update cycles; and physically separating or “air-gapping” critical parts of the network, which can help limit the spread of malware or ransomware attacks.
In addition, hospitals should put in place backup systems for disaster recovery and resilience, so that if one data system becomes unavailable, another can be used. Hospitals should also consider training employees in how to deal with phishing scams and secure computers that may be physically accessible to the public.
To regularly assess preparedness for electronic health record lockouts, mock drills should be conducted, much like those that hospitals use to train for mass-casualty events. Hospital administrators also should establish relationships with industry and government cyberexperts who have the most up-to-date knowledge, to learn how to reduce the risks of electronic data theft and how to respond once compromise occurs.
Lillian Ablon is a cybersecurity and emerging technologies researcher. Mark W. Friedberg is a senior natural scientist at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared on Newsweek on April 9, 2016. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.