A Ransomware Epidemic And An Overdue National Health IT Safety Center
A rapid increase in computerization of health care organizations (HCOs) around the world has raised their profile as lucrative targets for cyber-criminals. Recently there has been a spate of high-profile ransomware attacks involving hospitals’ electronic health record (EHR) data.
Briefly, ransomware attacks commonly start when a user is conned into clicking an internet link or opening a malicious email attachment. Malware (software that is intended to damage or disable the computer) is then downloaded. It rapidly encrypts data on that computer and attempts to reach out to other computers on the same network to encrypt data on those computers as well, leaving all encrypted data inaccessible. A message is displayed stating that all files have been encrypted and that, if the user does not pay the requested ransom within a short period of time, the files will be destroyed. Once the attack has been launched, users have three basic options: 1) try to restore their data from a backup; 2) pay the ransom; or 3) lose their data.
These large-scale, malicious events compromise the safety of patient data and remind us of the need for a National Health IT Safety Center, a $5 million Fiscal Year 2017 budgetary request of the Office of the National Coordinator for Health IT (ONC) that we have supported before. In the absence of a centralized investigation and dissemination clearinghouse for these types of events, it is not possible to decipher specific details of what happened, how the problems were resolved, and what other organizations should learn from these events.
Recently, the Texas Medical Association (TMA) introduced a resolution in the American Medical Association (AMA) House of Delegates asking that the AMA support the ONC’s efforts to implement a National Health IT Safety Center to minimize safety risks related to use of health information technology (IT). The TMA’s resolution was adopted by the AMA on June 15, 2016 at their annual meeting. The rationale and recommendations within that resolution were built on emerging evidence of deficiencies in EHR-related safety and a concept proposal we previously described. We applaud the AMA for taking a thoughtful and forward-looking position.
An Agenda For The National Health IT Safety Center
While it is unclear what actions AMA will now take to support this effort, we posit that this center should be developed as a public-private partnership that:
- Establishes a nationwide ‘post-marketing’ surveillance system to monitor Health IT-related patient safety events, including those that lead to patient harm and ‘near misses;’
- Develops the methods, governance structure, and coordination framework for the investigation of major Health IT-related safety events;
- Creates the infrastructure, methods, and approaches for random assessments of Health IT safety in large HCOs, following best practice recommendations such as the ONC SAFER guides; and,
- Advocates for Health IT safety with various government (e.g., US Congress, Centers for Medicare and Medicaid Services (CMS), Office of Civil Rights, Department of Defense, and state and local departments of health), and private entities (e.g., EHR vendors, payers, and health care provider organizations).
The ransomware epidemic is a perfect example of the types of problems this center should address.
How The Safety Center Would Help Contain Ransomware
First, the Health IT Safety Center would convene two to three teams of multidisciplinary experts in Health IT, cyber-security, clinical informatics, and patient safety that could visit each of the sites attacked by ransomware. During these site visits, they would interview key stakeholders, including IT professionals, clinicians, and administrators, and review various systems and their audit logs in an attempt to identify how these attacks started, what sort of encryption algorithms were used, the vulnerabilities targeted, how the attack was handled, and the key lessons learned from their experience.
Based on their findings and existing best practices, these teams would write and disseminate a report with findings and recommendations to stop the threat before it can have a wider impact on patient safety. Rather than find fault, the goal of these reports would be to generate actionable recommendations, and disseminate this knowledge nationally to institutions using EHRs in an attempt to mitigate future problems.
We envision that the safety center would also work on development and dissemination of more proactive strategies for risk reduction. For instance, we recently developed some good clinical practices for ransomware prevention, mitigation, and recovery that were published in a peer-reviewed journal. However, in order for these findings to reach their fullest possible impact, institutional and government leaders and IT staff will need to see and implement them. This is where a safety center could deliver real, tangible value.
What Next In Absence Of The Safety Center?
Like most health IT challenges, the responsibility of preventing, mitigating, and recovering from ransomware is shared between health IT professionals and end-users. While we developed detailed ‘best practice’ recommendations through available literature, in reality, there is no standardized approach nationally to decide how to rapidly develop or share best practices for nearly all emerging health IT safety issues. Often, institutions reinvent the wheel. The advocacy role of the center could coordinate this approach. In its absence, to help HCOs address ransomware threats, we recommend a four-step strategy to protect against attacks (for full recommendations see Table 1 in the published paper).
- Adequate system protection by correctly installing and configuring computers and networks: organizations should maintain up-to-date backups of all data, ensure that key operating and application software is up-to-date, limit users’ ability to install and run software applications, and limit users’ access only to those systems, services, and data required by their job.
- More reliable system defense by implementing user-focused strategies: organizations must provide rigorous training, including use of simulation strategies to ensure that users correctly operate their devices and applications and learn how to recognize legitimate email messages and attachments.
- Comprehensive system monitoring of suspicious activities: organizations should develop a network and user activity monitoring system that conducts surveillance for suspicious activities, such as receipt of email messages from known fraudulent sources.
- Robust response strategy that includes recovery, investigation, and lessons from ransomware attacks: the IT department should disconnect the infected computer(s) from the network and turn off wireless network functionality of the infected machine. If the attack is widespread, the IT department should shut down all network operations (i.e., both wired and wireless), to prevent the malware from spreading. Finally, they should contact their insurance provider, a computer forensics expert, and the FBI’s Internet Crime Complaint Center.
We are at a crossroads. We could continue to obfuscate and ignore obvious safety issues, including being easy targets for cyber-criminals, or we could work together to understand safety events, learn from them, identify best practices to prevent them, and work on building a safe and effective health IT infrastructure for our country. Based on recent events, we remain optimistic that leaders with the power to make things happen will heed the call for a long-overdue National Health IT Safety Center.
Dean F. Sittig, PhD, is a professor at UTHealth School of Biomedical Informatics (SBMI). He currently serves on the American Medical Informatics Association board of directors and is a member of the UT-Memorial Hermann Center for Healthcare Quality & Safety. Additionally, Sittig is the lead investigator of the clinical summarization project within the Office of the National Coordinator’s Strategic Health IT Advanced Research Project at SBMI and the ONC-funded SAFER: Safety Assurance Factors for EHR Resilience.