Guest post by Edgar Wilson.
The start of 2017 provided America’s health system with some global-scale schadenfreude when England’s NHS got caught up in a massive cyber attack. The “WannaCry” ransomware attack, which quickly spread across Europe from an epicenter in Ukraine, seemed to prove beyond any reasonable doubt that American EHRs and health data management systems were not unique in their vulnerability to hackers and thieves leveraging new digital weapons.
In time, this particular attack did manage to spread internationally from Europe over to America, but that only provided further evidence that ransomware, and cyber attacks more broadly, are a threat of seemingly unlimited potential. The failings of American healthcare to get its data safely organized look far less damning when the scale of cyber risk is made explicitly global, and even the NSA is caught off-guard by its own tools being turned into weapons in enemy hands.
Not Alone, but Not Ahead
Of course, that American hospitals weren’t the primary targets for once doesn’t remotely get them off the hook; nor does the jarring impact of this particular incident reflect a growing resilience in health data security in the U.S. American health data may not be alone in its vulnerability or attractiveness to thieves, but neither are our health systems leading the pack in protecting against ransomware, or any other form of cyber attack. Sadly, this wake-up call seems more likely to be heard outside of healthcare than within it; the scale makes it almost universally noteworthy, but otherwise it resembles a new status quo for data leaks in modern health systems.
Credit card data is relatively easy to protect; thieves are easily and quickly locked out of accounts, if not caught, thanks to everything from increased scrutiny by lenders and processing companies to consumer-facing transparency and 24/7 account monitoring via mobile credit card alerts and apps. Health data, by contrast, remains largely vulnerable. Clinics are not particularly good at recognizing fraud when thieves have a person’s medical data; hospitals have proven themselves no better at keeping that data secure in the first place. So compared to traditional identity theft leveraging plastic, digital health data presents a softer and more lucrative target end to end.