Despite what “Grey’s Anatomy” gets wrong about medicine, HIPAA, interpersonal relationships, and, well, everything else, the show does get some things right. It recently aired a two-episode arc about cybersecurity and ransomware, and it was dramatic. Patient charts were unavailable. Necessary blood and medicine were inaccessible behind keypad-locked doors. Lives hung in the balance as doctors operated without monitors and nurses tried to remember who was given what medicine when. The FBI was called in.
It was a perfectly orchestrated, panicky circus.
While the drama may not have played out the way it would in a realistic, functioning hospital, the fundamental issue hit close to home. Technology is a gift, and facilities are increasingly relying on monitors and electronic records to deliver care. There is nothing wrong with utilizing technology to improve a sector as necessary as healthcare, but the potential weaknesses of electronic data and monitoring may compromise the entire system.
Telehealth carries with it the promise of improved plan adherence, increased access to healthcare in rural areas, and a greater analytic power for population health trends and solutions. Big data promises the ability to make community health models a functioning reality, and personalized health plans implemented through applications stand to change the future of public health. Already, 75 percent of practitioners believe that technology is facilitating the delivery of better care, and we’ve just begun.
For rural communities and underserved populations, this trend is especially optimistic. By increasing the number of patients a provider can reach in a period of time, as well as making patient records more accessible to specialists and cooperative care networks, the move to electronic health records and telemedicine means that previously isolated individuals will have access to a greater range of providers. In conjunction with increased access to patient information, nurses are seeing new legislation come into play that allows them to treat patients across state lines without obtaining a new license, allowing the scope of rural providers to be more flexible.
Furthermore, as patients are prescribed treatment plans requiring everything from medication adherence to a diet and exercise change, health and fitness applications can assist in data collection and reporting back to providers. Check-ins can be arranged or triggered by a large divergence from the plan, potentially increasing the effectiveness of a doctor’s orders.
Unfortunately, the benefits don’t come without consequence. Digital records and electronic prescriptions and plans are vulnerable to theft and manipulation in the same way that any online information is, and healthcare technology that runs outdated programs can put patients in life-threatening danger. Insurance companies almost exclusively require electronic claims at this point, requiring facilities to submit health records and sensitive patient data through potentially weak channels in order to be reimbursed for care.
Hackers with the right set of abilities, tools, and malicious intent can disrupt day-to-day medical functions by locking practitioners out of patient records, freezing access to drugs, or interrupting service to monitors that help keep patient vitals under control. As it is, many hospitals run old software or don’t take the time to install updates because the interruption in patient monitoring creates needlessly hazardous care conditions. The trade-off, though, is that if ransomware were to infect the system, patient care would be interrupted without warning — potentially indefinitely.
Beyond losing monitoring capabilities or access to health records, the emergence of e-prescriptions and remote checkups introduces another factor to be considered: manipulation of data. While it’s unlikely to be utilized in a large-scale attack, the manipulation of prescriptions or falsification of drug records could result in a patient being given toxic doses or combinations of drugs. The ability to get prescriptions filled without setting foot in a doctor’s office is attractive, until the order is manipulated en route to the pharmacy, and the patient walks out with an entirely different dosage than intended.
Rural areas that stand to benefit the most from remote care also appear to be more vulnerable to cyberattacks. Without the same financial capital that their metropolitan counterparts have, rural medical centers are more likely to be using old equipment or software simply because they can’t afford to upgrade. There’s not enough cash flow to make state-of-the-art equipment worth it.
In order to keep patient information safe and sound, the health industry has a lot of work to do. Beyond just securing electronic health records, best practices will need cooperation from app developers, software companies, insurance providers, and health sector employees.
First, cloud-based and hard drive storage will need to be secured to keep information safe. Software must be kept up to date while prioritizing patient care; cycling equipment in and out of use for updates keeps the update process from interrupting treatment. Data transmission channels between medical facilities, and to and from insurance providers, must be secured and have limited access available. Data in transit needs to be protected through encryption, and the ability to send the information to the wrong destination needs to be minimized.
Medical facilities, even small clinics, need to up their internal security by maintaining proper HIPAA standards, implementing multi-factor authentication systems, and following principles of least privilege when determining how much clearance an employee should receive. Additionally, employees need to be trained in best practices to avoid phishing attempts and minimize the risk of compromising patient data.
Software updates and staff training come with a serious price tag. When allocating funds, budget committees are pressured to put money into revenue-generating projects. Security in general is not often updated unless an incident showcases weakness or a mandate is released by a higher power. In the case of ransomware and patient data, putting money into upping security is a “just in case” move that isn’t often prioritized, especially when hospitals only get fairly reimbursed for 85 percent of care or end up writing off charges when patients can’t pay.
At the end of the episode, Grey’s Anatomy didn’t pay to have the patient records released, nor did they allow the FBI to track down the nefarious hackers and exact justice upon them. Rather, an administrator found she had an equally gifted hacker among her employees and chose to fight fire with fire.
Obviously, the dramatic conclusion to a television series’ portrayal of a real-life scenario is not common or realistic. Medical facilities will need to be much better prepared and will face far greater consequences in the event of a ransomware attack or the compromise of patient information. In order to truly reap the benefits that big data and telehealth stand to bestow on the healthcare community, players must work together to protect data and increase security against potential data breaches.