On March 28th, 2016 at around 4 pm, physicians and other staff were unable to log in to Medstar Hospital system’s electronic health records (EHRs). It was a very busy Monday and the whole hospital system was essentially taken hostage by loss of electronic availability. More than 10 hospitals were affected. It was a massive challenge to their Information Technology (IT) department, who later identified a ransomware virus attack to their EHR and related electronic medical record (EMR) systems.

Since 2009, varieties of medical data theft have occurred either by stealing a laptop computer or hard drive, or by identifying and stealing a password. However, in recent years, virus attacks have compromised millions of medical records and patients’ personal information. 

A study performed in 2009 indicated that hospital electronic records are not well protected and can be compromised by hackers. The Benchmark Study on Patient Privacy and Data Security showed that “some 94 percent of hospitals have experienced data breaches over the past two years, with medical files, billing, and insurance records.” These cyber-attacks are not restricted to hospitals – hackers have also attacked major insurance companies like Blue Cross and Blue Shield. Athena group reported a data breach in 2011, wherein over 7.8 million customers were compromised. Since then, other insurance companies such as Premera Blue Cross and Excellus Health Plan have reported cyber-attacks with data compromise of over 10 million subscribers. A cyber-attack on Anthem in February of 2015 compromised the data of 78.8 million customers. This attack is considered the biggest data breach in the United States. Hacked data included demographics, Social Security numbers, and even credit card information. 

Patient demographic information in the wrong hands has serious personal and financial consequences. In one instance, a female patient at the medical center was billed for gall bladder surgery even though she never had surgery; her insurance information was hacked from the same hospital and someone else underwent the surgical procedure. 

Information about medical records, patient demographics, and Social Security numbers is extremely valuable, and is sold on the open market for $400-$500. This is financially more rewarding for the seller in comparison with credit card information, which is sold for $5-$10. Attackers sell the information to a counterfeiter who can produce genuine-looking insurance and Social Security cards. 

Manipulation of personal and health information such as allergies, medications, and medical history in the wrong hands can have dire consequences.

Cyber-attacks are not restricted to data stealing, but such attacks can hold the hospital or health-care system hostage. In 2014, Boston Children’s Hospital had a series of cyber-attacks on their website and email system. The attacker, Martin Gottsfield, later revealed his identity and explained his anger about a child custody issue. In an interview with the Huffington Post, he explained that he held doctors and the hospital responsible for wrongly labeling a learning-disabled child as a case of child abuse. 

A southern California hospital, the Hollywood Presbyterian Medical Center, suffered a major cyber-attack that disrupted daily operations. The attackers held the hospital’s systems ransom for 17,000 bitcoins ($4.5 million). This attack crippled most of their services and emergency patients were diverted to other hospitals. Exact details of loss and services have not been made public knowledge, but the hospital did pay the ransom to obtain the key to unlock the system. Although the hospital informed the FBI and police, the attackers have not been apprehended. This attack exposed the vulnerability of hospital systems to cyber-attacks. The information breach and data loss were kept hidden; according to the hospital, no patient information was stolen. A similar attack occurred at Kansas Heart Hospital in May of 2016. Although the hospital paid an undisclosed amount of money, all their services could not be restored. A hospital spokesperson said that they were prepared for such an attack, but could not prevent it.

The Banner Healthcare System, which operates 29 hospitals in Arizona, was attacked via a payment system. It is still unclear how the attackers accessed the health-care data and stole the information of more than 3.7 million patients. Breaches in payment systems are common at retail stores, but this was first case of a health-care system attack. James Trainer, an FBI expert, pointed out that in 2015, hospitals paid around $26 million to hackers, and that number is likely to rise. 

Who are Hackers?

Hackers can range from disgruntled employees, such as hospital workers or IT personnel, to patients and their families. Simple hacks are possible by stealing passwords or sending a virus through the hospital’s email system. Social media sites, such as Facebook, Instagram, and Twitter, can also infect a computer. In addition, pornography sites are notorious for infecting computers. In one instance, attackers dropped a virus-laden zip drive strategically at nursing stations. Once connected, the computer virus was able to infect the computer, giving the hacker full access to the system. Major breaches, however, are usually done by outsiders looking for financial gain. These attackers are extremely sophisticated and capable of immense harm, as evidenced by the Hollywood Presbyterian Hospital attack.

Virus Types

Nearly all adware and malware are capable of infecting, but are easily detected and usually cannot pass through computer security. Trojan horse, ransomware, and keylogger have been commonly used by Hackers. The ransomware attack on Hollywood Presbyterian was identified as the “locky” virus, which targets specific files. This virus reveals a screen demanding money and locks the entire system. A new strain of virus is “crysis,” which can target all the files on a computer and is one of the most dangerous ransomware types. After reaching the computer, it stays dormant until woken up by a specific command. It can then take over administrative functions, including accessing all passwords used on the system. The attacker can then steal information or demand ransom. Most cyber-attacks in 2015 were identified as ransomware attacks.

Are Medical Devices Vulnerable?

Data breaches have been described for FitBits, televisions and sound systems, and even in the new thermostats. Any device with a digital print can be attacked, which includes IV pumps, insulin pumps, pacemakers, and anesthesia machines. Hacking of these devices is not widespread, but a frightening possibility nonetheless. IT experts believe that these attacks not only target the hospitals for financial gains, but that there is definite risk of medical data alteration. In addition, a hacker can change medical orders in all areas like the pharmacy, blood bank, laboratory, and surgery.

Risks

The IDC insight group predicts that 1in 3 health-care recipients will be a victim of a data breach in 2016. To date, 89% of health-care organizations have had a data breach and 79% have reported multiple attacks. Most compromised data are medical records, billing, and insurance information. The IDC insight group estimates the average cost of a data breach to be $2.2 million.

Office-based EMR

Hackers have been successful in attacking office EMRs because they are even less protected than hospital records. Most offices lack a dedicated IT team and employees have a tendency to use the computer for surfing the internet, logging into social media, and personal emails. Such activities make these computers easy prey. Several doctors’ offices have reported attacks; the biggest, however, was on the Connecticut Podiatry Group. More than 40,000 records were compromised. A cyber-attack on a small medical office can be financially devastating.

Who Is Responsible in the Event of a Cyber-Attack?

Maintaining patient information is the responsibility of the custodian, as described under Health Insurance Portability and Accountability Act (HIPAA) regulations. Failing to protect this information is a serious offense in the eyes of the government. Several hospitals and pharmacies have been fined, including CVS pharmacy, who paid $2.29 million in 2009. Recently, the University of Massachusetts Amherst settled a HIPAA violation at $650,000. The HHS Office for Civil Rights extracted a total of $25.6 million in settlement payments between October 1, 2015, and September 30, 2016 – more than triple the previous annual record of $7.9 million set in fiscal year 2014.In case of a cyber-attack, it is the custodian’s responsibility to inform law-enforcement agencies and insurance companies as well as Medicare and Medicaid divisions. The law requires the custodian to inform all patients in detail. 

What is the Future?

Bernie Monegain predicts in IT Healthcare News that in 2017, health care will be the biggest target for cyber-invasion because of the lack of appropriate safety measures. As malware and ransomware get more sophisticated, more attacks are expected. Experts in health-care IT advise custodians to have updated security measures, knowledge of ransomware, and contingency plans to deal with such attacks.

My hospital and office introduced EHR and EMR systems in 2009, and I was concerned about the attacks because of lock down of my office system when an employee downloaded a picture from the internet. We had to revert to paper for 2 entire days. Although it was a simple adware, it took 48 hours to fix the system. We had to place a new security system that blocked access to social media sites. Employees were advised to change their passwords frequently and not to surf the web. During the meeting, I raised concerns about cyber-security, but the hospital administrators were so excited about the EHR, they completely ignored my concerns. The system has locked down a few times since then. As usual, these lockdowns were not reported. IT personnel at the hospital told me that lockdowns were related to adware and that the IT department could fix the issues.

Even now, I have noticed open medical records in the radiology, emergency room, and surgery areas. I found a physician on hospital computers playing video games and streaming music. It is a common habit of physicians to log in and leave the computer unattended to visit a patient’s room or leave a logged-in laptop in a patient’s room to answer a phone call. Such habits make these computers vulnerable to virus intrusion and ultimately to a cyber-attack. Although nurses and ancillary staff are more careful about logging out of a session, physicians are notoriously careless about leaving their log-in unattended.

Conclusion

In this digital world, cyber-attacks and data breaches are occurring frequently. JP Morgan Bank, the United States Navy, and the Democratic National Committee, to name a few, have all reported cyber-attacks with loss of information and money. As these institutions are taking measures to secure their servers, hackers have identified weaknesses in EHR and EMR systems. Medical institutions are becoming easy targets. These institutions and even small offices need to become more careful in using their computers. It is important to have a contingency plan and back-up servers to reestablish services in case of an attack. It is also necessary to have multiple layers of security and continued education of users by the IT department.  

Editor’s Note

Manuscript submitted December 27, 2016, final version accepted January 19, 2017.

Disclosure: The authors have completed and returned the ICMJE Form for Disclosure of Potential Conflicts of Interest. The authors report no conflicts of interest regarding the content herein.

Address for correspondence: Dr Vinay Kumar, Endovascular Options, Vascular Surgery, 1016 Gardenia Street, Carrollton, TX 75007. Email: jksaab52@outlook.com