Surgery just got a little more complicated. Bloodless, hard to identify and difficult to trace, this latest risk has doctors and hospital administrators in emergency mode to keep the threat from escalating and compromising electronic medical records.
The digital high alert reached a peak earlier this month when ransomware prompted administrators at a Southern California hospital to release $17,000 in bitcoins in return for the decryption key that would enable them to regain access to their computer systems.
Until those demands were met and electronic operations were restored, communications at Hollywood Presbyterian Medical Center had been reduced to fax machines, phone calls and pencil and paper.
Patients reported long delays in receiving care (some were directed an hour's drive away for lab tests) while doctors attempted to access digital medical records. Fortunately, no one died, but the dangerous situation was further punctuated when reports surfaced in Germany, where digital extortionists had brought Lukas Hospital to its paperless knees after a malicious email attachment was apparently opened by a mistaken staffer.
Renée-Marie Stephano, President of the Medical Tourism Association, said ransomware should raise a red flag to the potential dangers of cyberattacks in the medical tourism community, which has warmly embraced information technology to gather and transfer valuable patient records from centralized data management platforms to diagnostic scans and discharge summaries.
"We are entering a frightening realm of healthcare in which, perhaps, one click on an unknown link can wreak havoc on an entire medical community," she said. "Healthcare providers, if they have not already done so, should be asking if they have invested enough to protect personnel and patients, medical devices and clinical information from hackers."
What forms of cyber and data security and recovery plans are in place and what training strategies are underway to raise awareness and educate about potential disruptions from phishing scams?
Stephano said information technology has helped to manage the complexity of healthcare, enabling providers to oversee patient care more efficiently and across multiple facilities, time, and conditions.
Phishing for Answers
"To a smaller, yet more increasing degree, medical tourism is adapting electronic solutions to improve efficiency, influence consumer conversion-rates, and enhance overall patient experiences," said Anuja Agrawal, CEO of Health Flights Solutions, which provides compliant and secure patient management systems to medical tourism operatives.
"If ransomware can attack a hospital, medical tourism can also be subject to similar threats in much the same way any industry is now at risk," she said. "Hospitals, facilitators, governments and even self-insured employers want to be safe and confident that the data management technologies they have in place can continue to drive medical tourism opportunities without putting their human and capital resources at risk to unauthorized and malicious access."
Hollywood Presbyterian did not say exactly when administrators caved in to the hackers, but damage had been reported to CT scans, lab work, and radiation and oncology protocols. Rather than pay the ransom, Lukas Hospital in Neuss, North Rhine-Westphalia, shut down its system and began scrubbing for malware.
The hospital is up and running with the exception of a few email systems. German hospitals are subject to fines of up to 100,000 euros if they fail to meet minimum information security standards passed last year.
Despite these recent high-profile hacking events, Stephano said most hospital data breaches are the result of human error. However, she said, citing a study of healthcare organizations, the frequency of cyberattacks had steadily risen by 125 percent in the last five years; the most common threats include spear phishing or fraudulent email schemes and malware attacks.