The cyberattack on MedStar Health – one of the biggest health-care systems in the Washington region – is a foreboding sign that an industry racing to digitize patient records and services faces a new kind of security threat that it is ill-prepared to handle, security experts and hospital officials say.
For years, hospitals and the health-care industry have focused on keeping patient data from falling into the wrong hands. But the recent attacks on MedStar’s network and other hospitals across the country highlight an even more frightening downside of security breaches: As hospitals have become dependent on electronic systems to coordinate care, communicate critical health data and avoid medication errors, patients’ well-being may also be at stake when hackers strike.
Hospitals are used to chasing the latest medical innovations, but they are rapidly learning that caring for sick people also means protecting medical records and technology systems from hackers. An industry that has traditionally spent a small fraction of its budget on cyberdefense is finding that it also must teach doctors and nurses not to click on suspicious online links and shore up its technical systems against hackers armed with an ever-evolving set of tools.
In some ways, health care is an easy target: Its security systems tend to be less mature than those of other industries, such as banking and tech, and its doctors and nurses depend on data to perform time-sensitive, lifesaving work. Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2 to 3 percent, said John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston.
“If you’re a hacker . . . would you go to Fidelity or an underfunded hospital?” Halamka said. “You’re going to go where the money is and the safe is easiest to open.”
The stakes are extraordinarily high. Hospitals’ electronic systems are often in place to help prevent errors. Without computer systems, pharmacists cannot easily review patients’ lab results, look up what other medications the patients are on or figure out what allergies they might have before dispensing medications. And nurses administering drugs cannot scan the medicines and the patients’ wristbands as a last check that they are giving the correct treatments. When lab results exist only on a piece of paper in a patient’s file, it is possible they could be accidentally removed by a busy doctor or nurse – and critical information could simply disappear.
In MedStar’s case, a virus early this week infiltrated its computer systems, forcing the health-care giant to shut down its entire network, turn away patients, postpone surgeries and resort to paper records.
“One thing I think is becoming clear, especially over the last few weeks or months, is that health care is rapidly becoming a target for this,” said Daniel Nigrin, chief information officer of Boston Children’s Hospital, whose network came under attack by the hacker collective Anonymous in April 2014. “What struck us at that point was, you know what? These attacks can do a lot more than get your data; they can really disrupt the day-to-day operations of your facilities.”
Experts said the recent attacks seem to be based in Eastern Europe, although it is hard to tell whether one group alone is responsible. The hacks have similarities, to be sure, but hackers trade tools and information. One concern is that as the attacks gain coverage, they will inspire more copycats who will use the same technique to target other vulnerable networks.
