SBMI Blog Articles
Wednesday, August 17th, 2016
written by Dean Sittig and Hardeep Singh
A rapid increase in computerization of health care organizations (HCOs) around the world has raised their profile as lucrative targets for cyber-criminals. Recently there has been a spate of high-profile ransomware attacks involving hospitals’ electronic health record (EHR) data.
Briefly, ransomware attacks commonly start when a user is conned into clicking an internet link or opening a malicious email attachment. Malware, or software that is intended to damage or disable the computer, is then downloaded and rapidly encrypts data on that computer and attempts to reach out to other computers on the same network to encrypt data on those computers as well; consequently, all encrypted data is inaccessible. A message is displayed that all files have been encrypted and if the user does not pay the requested ransom within a short period of time, the files will be destroyed. Once the attack has been launched, users have three basic options: 1) try to restore their data from a backup; 2) pay the ransom; or 3) lose their data.
These large scale, malicious events compromise the safety of patient data and remind us of the need for a National Health IT Safety Center, a $5 million Fiscal Year 2017 budgetary request of the Office of the National Coordinator for Health IT (ONC) that we have supported before. In the absence of a centralized investigation and dissemination clearinghouse for these types of events, it is not possible to decipher specific details of what happened, how the problems were resolved, and what other organizations should learn from these events.
Recently, the Texas Medical Association (TMA) introduced a resolution to the American Medical Association (AMA) House of Delegates asking that the AMA support the ONC’s efforts to implement a National Health IT Safety Center to minimize safety risks related to the use of health information technology (IT). The TMA’s resolution was adopted by the AMA on June 15, 2016 at its annual meeting. The rationale and recommendations within that resolution were built on emerging evidence of deficiencies in EHR-related safety and a concept proposal we previously described. We applaud the AMA for taking a thoughtful and forward-looking position.
An Agenda For The National Health IT Safety Center
While it is unclear what actions AMA will now take to support this effort, we posit that this center should be developed as a public-private partnership that:
The ransomware epidemic is a perfect example of the types of problems this center should address.
How The Safety Center Would Help Contain Ransomware
First, the Health IT Safety Center would convene two to three teams of multidisciplinary experts in Health IT, cyber-security, clinical informatics, and patient safety that could visit each of the sites attacked by ransomware. During these site visits, they would interview key stakeholders including IT professionals, clinicians, and administrators, review various systems and their audit logs in an attempt to identify how these attacks started, what sort of encryption algorithms were used, the vulnerabilities targeted, how the attack was handled, and the key lessons learned from their experience.
Based on their findings and existing best practices, these teams would write and disseminate a report with findings and recommendations to stop the threat before it can have a wider impact on patient safety. Rather than find fault, the goal of these reports would be to generate actionable recommendations, and disseminate this knowledge nationally to institutions using EHRs in an attempt to mitigate future problems.
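As an added illustration (not part of the original post, and not the authors' published recommendations), the script below runs a simple defender-side heuristic over constructed audit-log lines of the kind an investigating team would review: a single account renaming many distinct files to an unfamiliar extension within a short window, which is the file-system footprint of the mass encryption described above. The log format, the field names, the list of "known" extensions, the 60-second window and the threshold of five files are all assumptions chosen for the example.

```python
"""Flag ransomware-style rename bursts in a constructed file-access audit log.

Heuristic (an assumption for this example, not an article claim): one account
renaming >= THRESHOLD distinct files to an extension outside a known-good set
within WINDOW seconds is reported as a suspected mass-encryption burst.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <host> <user> <WRITE|RENAME> <path>[ -> <new path>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>WRITE|RENAME) (?P<rest>.+)$"
)

# Extensions this (hypothetical) environment expects to see; anything else is "unfamiliar".
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "dcm", "hl7", "bak"}

# Constructed sample log: one benign user, one account renaming files en masse,
# one account with a single odd rename, and one malformed line.
SAMPLE_LOG = """\
2016-08-17T09:00:01 ws-12 jdoe WRITE /home/jdoe/notes.docx
2016-08-17T09:00:09 ws-12 jdoe RENAME /home/jdoe/draft.txt -> /home/jdoe/draft.docx
2016-08-17T09:00:15 ws-12 jdoe WRITE /home/jdoe/budget.xlsx
2016-08-17T09:02:00 ws-07 svc-scan RENAME /share/radiology/img001.dcm -> /share/radiology/img001.dcm.locked
2016-08-17T09:02:03 ws-07 svc-scan RENAME /share/radiology/img002.dcm -> /share/radiology/img002.dcm.locked
2016-08-17T09:02:05 ws-07 svc-scan RENAME /share/radiology/img003.dcm -> /share/radiology/img003.dcm.locked
2016-08-17T09:02:08 ws-07 svc-scan RENAME /share/labs/cbc.hl7 -> /share/labs/cbc.hl7.locked
2016-08-17T09:02:12 ws-07 svc-scan WRITE /share/labs/README_DECRYPT.txt
2016-08-17T09:02:20 ws-07 svc-scan RENAME /share/labs/chem.hl7 -> /share/labs/chem.hl7.locked
2016-08-17T09:02:29 ws-07 svc-scan RENAME /share/admin/roster.xlsx -> /share/admin/roster.xlsx.locked
2016-08-17T09:10:00 ws-03 asmith RENAME /home/asmith/old.bak -> /home/asmith/old.bak.locked
this line is malformed and must be skipped
"""


def parse(lines):
    """Parse log lines into (timestamp, host, user, action, old_path, new_path) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts = datetime.fromisoformat(m["ts"])
        if m["action"] == "RENAME":
            old, new = (p.strip() for p in m["rest"].split("->", 1))
        else:
            old, new = m["rest"].strip(), None
        events.append((ts, m["host"], m["user"], m["action"], old, new))
    return events


def extension(path):
    """Return the final extension of a path, lower-cased, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def suspicious_rename(old, new):
    """A rename is suspicious when the new name carries an unfamiliar extension."""
    return new is not None and extension(new) not in KNOWN_EXTENSIONS


def detect_bursts(lines, window_seconds=60, threshold=5):
    """Return [(host, user, window_start, distinct_files)] for each actor whose
    largest window of suspicious renames reaches the threshold."""
    per_actor = defaultdict(list)
    for ts, host, user, action, old, new in parse(lines):
        if action == "RENAME" and suspicious_rename(old, new):
            per_actor[(host, user)].append((ts, old))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, user), renames in per_actor.items():
        renames.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(renames)):
            while renames[end][0] - renames[start][0] > window:
                start += 1  # slide the window forward
            distinct = {path for _, path in renames[start:end + 1]}
            if len(distinct) > best:
                best, best_start = len(distinct), renames[start][0]
        if best >= threshold:
            alerts.append((host, user, best_start, best))
    return alerts


if __name__ == "__main__":
    for host, user, start, count in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host} {user}: {count} files renamed to unfamiliar extensions from {start}")
```

The benign user's `.txt` to `.docx` rename and the single odd rename by `asmith` fall below the threshold, so only the `svc-scan` account on `ws-07` is reported; in a real review the same idea would be run over the organisation's own file-server or EDR audit trail, with the extension list and thresholds tuned to that environment.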
We envision that the safety center would also work on development and dissemination of more proactive strategies for risk reduction. For instance, we recently developed some good clinical practices for ransomware prevention, mitigation, and recovery that were published in a peer-reviewed journal. However, in order for these findings to reach their fullest possible impact, institutional and government leaders and IT staff will need to see and implement them. This is where a safety center could deliver real, tangible value.
What Next In Absence Of The Safety Center?
Like most health IT challenges, the responsibility for preventing, mitigating, and recovering from ransomware is shared between health IT professionals and end-users. While we developed detailed ‘best practice’ recommendations from the available literature, in reality there is no standardized national approach for rapidly developing or sharing best practices for nearly all emerging health IT safety issues. Often, institutions reinvent the wheel. The advocacy role of the center could coordinate this approach. In its absence, to help HCOs address ransomware threats, we recommend a four-step strategy to protect against attacks (for the full recommendations see Table 1 in the published paper).
We are at a crossroads. We could continue to obfuscate and ignore obvious safety issues, including being easy targets for cyber-criminals, or we could work together to understand safety events, learn from them, identify best practices to prevent them, and work on building a safe and effective health IT infrastructure for our country. Based on recent events, we remain optimistic that leaders with the power to make things happen will heed the call for a long overdue National Health IT Safety Center.
Dean F. Sittig, PhD, is a professor at UTHealth School of Biomedical Informatics (SBMI). He currently serves on the American Medical Informatics Association board of directors and is a member of the UT-Memorial Hermann Center for Healthcare Quality & Safety. Additionally, Sittig is the lead investigator of the clinical summarization project within the Office of the National Coordinator’s Strategic Health IT Advanced Research Project at SBMI and the ONC funded SAFER: Safety Assurance Factors for EHR Resilience.