When an EHR is hacked by Russians


Hippocrates didn’t have a server. (computer server)

In 2012 our practice invested $300,000 into building computer infrastructure and the purchase of a brand-spanking-new electronic health record, commonly referred to as an EHR. The mandate for this purchase was brought forth from the federal government with the intent to improve overall health care communication.

Since this expenditure, terms like image server, ethernet, firewall, hyperlink, backup server, IP address, fax queue, cache server, LAN, domain server, internet, intranet, and terminal emulation have been introduced into our practice’s lexicon.

None of these terms were even so much as mentioned to me in medical school lectures. They are now so interwoven into contemporary medicine that they will likely never go away. In the words of the 1990s character Forrest Gump, medicine and computers are like “peas and carrots.” (Millennials, stream this movie tonight on Netflix.)

Computing technology — billed as an inevitable overall benefit to health care — remains a common barrier between physicians and their patients. Our practice has worked hard to be current and has even noticed some of the benefits of the electronic health record at times. E-scribing, easier communication with other doctors via fax and independence from a single paper chart are just a few of the improvements to our practice and, ultimately, our patients.

I would have agreed that despite the many glitches, the overall communication had improved perhaps slightly with the EHR – that is until last Monday.

Any positives experienced over the past seven years of EHR at NEO Urology Associates were instantly negated this past week. Monday morning our practice screeched to a complete halt at the hands of a foreign hacker from Russia who demanded $85,000 ransom from our practice in Boardman, Ohio, United States of America. The hacker’s leverage for cash was our precious patient files.

For over 45 years, our practice has cared for patient files as we would our own children. We nourished these charts by providing our medical opinions. We left notes about the passing of a spouse of a tearful patient, messages to ourselves to remind us to ask about a new grandchild to be born before the next visit, as well as trails of “breadcrumbs” for us and other health care providers to follow our care path for over 10,000 unique patients.

Our Russian “comrade” commandeered all of this information in seconds, encrypting the data and rendering all files unreadable. Our office was then unable to function at even the most primitive level for three painful days.

During The Hack our entire practice could not send or receive faxes, call patients, receive phone calls from hospitals or even access patient files on our EHR. Three hundred fifty-plus patient visits were canceled without us being able to inform them that their appointments were canceled. So much for improved communication! We might have found greater success placing paper cups to our ears with a string to connect them to reach out to our patients.

What happened on rare occasions was also, however, remarkable. Rarely, patients just decided to walk into our office. My staff and I greeted them and asked them how we could help them. We didn’t look up labs, referral letters, or other information on the computer because we couldn’t. What resulted was a very pleasant interaction where we listened to their concerns and alleviated his or her issue. It is nearly impossible for me to think all of this occurred without WiFi, a network login, or even a single laptop. I didn’t feel any less of a doctor, and I would argue that my communication with these patients was overall improved.

I am no Luddite. I appreciate computing technology and enjoy its benefits for my life. My children have iPads. I recently was given an Apple Watch for Father’s Day that I feel might already improve my life at times. Despite this, I, like most doctors, believe that computers are often a major barrier to patient care (read this article by Dr. Atul Gawande). Patients complain of doctors who bury their faces into computer monitors during medical visits. Doctors complain about snail-paced servers bogging down the efficiency of their day.

Electronic health records are reliably unreliable, causing recurrent delays throughout nearly every workweek. It is not unheard of in our practice for systems to slow or temporarily shut down on multiple occasions during a crowded office. In a job that has its own built-in stress, the added stress of stuttering technology is unwelcome, to say the least.

Our IT company (we have an IT company) rescued our data and we are now running at around 85 percent speed. They hope to have us at full speed within the next few weeks. Our software vendor is dragging their feet and charging a $7,500 fee to reconfigure our relationship with them after this incident. The FBI and local law enforcement admit that since they were called after our data was recovered, they stand little chance of catching our Siberian scoundrel. A specialized technology company in Florida that our IT firm hired walked away the overall winner, having earned $75,000 for a half day’s work. This cash was paid by our IT company’s insurance company to obtain our data forcibly.

A career in medicine is innately filled with stressful situations. As doctors, we encounter complex decisions one after another, where the implications of those decisions will change the course of another person’s life. Doctors have faced stress and have dealt with these stresses in their own ways for centuries. However, the contemporary physician is asked to deal with these stressful situations in addition to an equal amount of “non-medical” issues throughout the day. The introduction to information technology has added yet another complex blanket of stress that encompasses physicians.

There will arguably be a time when computers can and will make communication substantially better and more reliable in the medical world. Until this time, however, our generation is assigned the role of technology guinea pigs.

We have a choice to either complain about this, or we can learn to adapt, make the most of what we can, and innovate to make it better for the generation that follows us. A doctor’s purpose is to help to ease the suffering of his or her patients. Unfortunately, at the current time, to do so, doctors are themselves destined to suffer at the whim of little, electronic boxes.

Take home

Learn to use EHRs in expert fashion. Since technology is unreliable, control the one variable that you can. Develop skills that will enable you to chart efficiently and masterfully so that you increase your percent time spent with patients and decrease time with charting. Accept that medical technology is as much a part of your life as a doctor as it is the rest of your life. Also, if you have a knack for technology, become the agent of change by innovating.

Daniel Ricchiuti is a urologist who blogs at the Doctor Crisis.

Source: When an EHR is hacked by Russians

Data Breaches Cost $654 Billion in 2018

Cybercriminals exposed 2.8 billion consumer data records in 2018, costing more than $654 billion to U.S. organizations.
Data from ForgeRock found that cyberattacks on U.S. financial services organizations cost the industry more than $6.2 billion in Q1 2019 alone, up from just $8 million in Q1 2018. Even though investments in information security products and services have been on the rise, with $114 billion invested in 2018, cybercriminals continue to attack organizations across a wide spectrum of industries to gain access to valuable consumer data.

According to the research, personally identifiable information (PII) was the most targeted data for breaches in 2018, comprising 97 percent of all breaches. By targeting PII, cybercriminals prove that they’re hungry for consumer data. The research also found that the most frequent attack method was unauthorized access, encompassing 34 percent of all attacks. Healthcare, financial services and government were the sectors most heavily impacted by cyberattacks.

“It’s clear from our research findings that consumer data is valuable and highly sought after by cybercriminals as well as very difficult for organizations to protect,” said Eve Maler, VP of Innovation and Emerging Technology of ForgeRock. “Organizations can protect consumer data by implementing a strong customer identity management program. Every industry has incentives to avoid brand damage and costly breaches, and so organizations must use modern techniques of identity and access management to secure their infrastructure, from servers in the data center to client applications and smart devices at the edge.”

The report also found:

  • Almost half (48 percent) of all consumer data breaches happened in the healthcare sector, four times as many as in any other sector.
  • Financial services and government were the second and third most victimized industries, collectively comprising 20 percent of all breaches.
  • Although the number of breach incidents in financial services was down 20 percent in Q1 2019, compared to Q1 2018, more than 26.9 million consumer records were compromised in the Q1 2019 breaches alone, which is a 78,900 percent increase over Q1 2018.
  • Date of birth and/or Social Security Numbers were the most frequently compromised type of PII in 2018, with 54 percent of breaches exposing this data.
  • Name and physical address (49 percent) and personal health information (46 percent) were the second and third most commonly compromised types of PII in 2018.

Source: Data Breaches Cost $654 Billion in 2018