Computer systems at Hollywood Presbyterian Medical Center were under attack for 10 days in February as hackers haggled with hospital administrators over the ransom price for ending the electronic siege. The Los Angeles-based medical center eventually agreed to pay the hackers, in bitcoin currency, a $17,000 ransom—significantly less than the original $3.6 million asking price—to remove the “ransomware.”
Allen Stefanek, CEO of Hollywood Presbyterian, told a local NBC affiliate that although the hospital’s IT systems had been under attack, “Patient privacy has not been compromised,” according to a report by the International Business Times.
Cyber-attacks similar to the one on Hollywood Presbyterian are becoming a growing problem for health care providers large and small. Ransomware is used by hackers to invade a medical facility’s systems, shutting down many important hospital functions and making it difficult or impossible to properly operate some medical services. System shutdowns often pose some danger to patient care, as important medical records stored solely in a medical facility’s electronic database suddenly become inaccessible.
The attack on Hollywood Presbyterian isn’t the first of its kind, but rather an example of a growing and disturbing trend. According to a report by The Hill, one particular “strain” of ransomware called CryptoWall “is responsible for $325 million in damages.”
In addition to the initial damage caused by cyber-attacks, there is the risk that records could be stolen and eventually sold on the black market for a hefty sum, causing even greater financial costs down the road for patients who have to deal with the effects of identity theft. In a December 2014 cyber-attack on Clay County Hospital, a small, 18-bed hospital in Illinois, more than 12,000 records were stolen. One study by the Office for Civil Rights at the Department of Health and Human Services (HHS) reports more than 41 million medical records have been taken in more than 1,100 data breaches since September 2009.
The failure on the part of various health care providers to adequately secure patients’ records and to prevent IT system shutdowns raises serious questions about the wisdom of the Obama-backed Health Information Technology for Economic and Clinical Health Act, which was passed in 2009 and enhanced by provisions in the Affordable Care Act. The law requires all medical providers to digitize medical records, which HHS says will “reduce paperwork and administrative burdens, cut costs, reduce medical errors and most importantly, improve the quality of care.”
Not only have tens of millions of patient records been stolen since the law was passed, some reports indicate the electronic health records (EHR) mandate has failed to reduce costs. Watchdog.org reports a survey by Medical Economics found, “More than 70 percent of large practices, 66 percent of internal medicine specialists, and 60 percent of family practice physicians would not purchase their current EHR system again if they could do it over. Sixty-seven percent do not like the functionality of their systems, and more than 50 percent say the EHRs are too expensive. A majority of respondents reported financial losses related to EHRs, and 69 percent said that coordination of care with hospitals hasn’t improved.”
EHR systems may provide great benefits for many large health care providers who can afford to implement and maintain security systems to protect patients’ information and IT systems, but for many small providers, such as Clay County Hospital, the risks and costs of EHR systems are likely not worth the potential benefits.
Government agencies should not force health care providers that are unwilling to protect, or incapable of protecting, their patients’ private information to adopt EHR systems. Governments should instead work to improve law enforcement agencies’ ability to track down hackers who hold health care systems, or any other IT systems, for ransom.