Guest post by Edgar Wilson.
The start of 2017 provided America’s health system with some global-scale schadenfreude when England’s NHS got caught up in a massive cyber attack. The “WannaCry” ransomware attack, which quickly spread across Europe from an epicenter in Ukraine, seemed to prove beyond any reasonable doubt that American EHRs and health data management systems were not unique in their vulnerability to hackers and thieves leveraging new digital weapons.
In time, this particular attack did manage to spread internationally from Europe over to America, but that only provided further evidence that ransomware, and cyber attacks more broadly, are a threat of seemingly unlimited potential. The failings of American healthcare to get its data safely organized look far less damning when the scale of cyber risk is made explicitly global, and even the NSA is caught off-guard by their own tools being turned into weapons in enemy hands.
Not Alone, but Not Ahead
Of course, that American hospitals weren’t the primary targets for once doesn’t remotely get them off the hook; nor does the jarring impact of this particular incident reflect a growing resilience among health data security in the U.S. American health data may not be alone in its vulnerability or attractiveness to thieves, but neither are our health systems leading the pack in protecting against ransomware, or any other form of cyber attack. Sadly, this wakeup call seems more likely to be heard outside of healthcare than within it; the scale makes it almost universally noteworthy, but otherwise it resembles a new status quo for data leaks in modern health systems.
Credit card data is relatively easy to protect; thieves are easily and quickly locked out of accounts, if not caught, thanks to everything from increased scrutiny by lenders and processing companies to consumer-facing transparency and 24/7 account monitoring via mobile credit card alerts and apps. Health data, by contrast, remains largely vulnerable. Clinics are not particularly good at recognizing fraud when thieves have a person’s medical data; hospitals have proven themselves no better at keeping that data secure in the first place. So compared to traditional identity theft leveraging plastic, digital health data presents a softer and more lucrative target end to end.
Accountability Hot Potato
Progress on preventing health data breaches may be hamstrung by an attitude of inevitability.
Consider the evolution of autonomous vehicles as a security concern. In almost every instance where the practicality and potential of driverless cars come up, so too does the possibility that increasingly automated and computerized self-driving cars will themselves become attractive targets to hackers. The popular scenario posits that robot cars won’t be hacked in the interest of identity theft or fraud, but for the sheer terrorist-anarchist thrill of causing collisions, accidents, and general roadway turmoil at scale. Like mountaineers drawn to Mt. Everest, cybercriminals will be hijacking our cars simply “because they are there” to be hacked into.
For many, the fact that this new technology represents a new potential risk is reason enough to forestall its adoption or retreat altogether. Likewise, that paper charts and analog patient records cannot be “hacked” or held for ransom like their digital counterparts is all some critics need as an excuse to revert. It is a classic case where progress without perfection is seen as more dangerous than refusing to change.
Likewise, the notion of shared accountability is often less attractive than finger-pointing. Data transparency and portability of the sort often sought by patients puts no small amount of responsibility squarely on their shoulders to ensure access is controlled responsibly and security preserved. Admins who are going to require their clinics to get on board with new reporting and data entry standards, similarly, should have some skin in the game when it comes to owning failures and security breakdowns as they occur. And of course, providers and users, who seem to get the most facetime with EHRs and the health data contained therein, have an outsized ability to let the odd phishing email or mobile device turn into a gateway for malicious third parties.
That any one party has some responsibility for security does not absolve everyone else from remaining vigilant in their own realms.
So Much for Schadenfreude
For once, a ransomware attack made headlines around the world and our health system didn’t come away with egg on its face. This doesn’t particularly serve the arguments of EHR advocates nor critics. It does, however, provide ample opportunity for some reflection on just how deeply connected the health system now is to the rest of the world — and its challenges. Healthcare has not historically been a leader in change or adaptation; perhaps the phenomenon of ransomware will help the health industry find better partners to learn, confront, and mitigate security challenges. Better yet, perhaps it will help dispel the notion that healthcare must always be treated as a unique case when it comes to technology, operations, leadership, or stakeholders.
In the wake of a ransomware attack with global reach, the future of healthcare has never looked more closely associated with that of the rest of industry and technology.