EHR hack and ransom raises larger questions
With revenues exceeding $263 million and an IT budget of over $6 million, a fee of $17,000 seems like a small price to pay to regain access to protected patient health records. On February 17, news sources across the country reported that Hollywood Presbyterian Medical Center paid hackers the equivalent of $17,000 in ransom money after they were locked out of their own electronic health records system. Providers were forced to return to the antiquated use of paper charts and fax machines for communication among patient care teams.
The implications of an attack like this extend far beyond the immediate well-being of hospital inpatients affected by the captive medical records. Cyber threats such as this one place both hospital employees and all patients who seek care by hospital providers at risk of being victims of fraud.
This is not the first time hackers have ever held data for ransom, but this is the first reported case of EHR data being held hostage for ransom. EHR systems have only become prevalent in the last several years. Since the beginning stages of Medicare’s Meaningful Use program in 2011, approximately 87% of hospitals have implemented electronic health record (EHR) systems with the goals of improving care quality, efficiency, treatment coordination, and privacy and security of patient health information. The implementations of all these EHR systems bring new risks of cyber-attacks and identity fraud, though.
Not only has Hollywood Presbyterian suffered at the fingertips of hackers, but hundreds of hospitals across the country have faced cyber security threats. Definitive Healthcare has recorded over 350 instances of data security breaches in health systems and hospitals nationwide since 2008. The actual number of breaches is likely much higher because hospitals are not often obligated to report such information. The lack of transparency in data breaches makes knowing the scope of security threats impossible.
The attack on Hollywood Presbyterian showcases the potential damage that hackers can do to EHR systems and, consequently, providers. While care was supposedly uncompromised during the EHR hack, it is important to note that Hollywood Presbyterian is not among the largest hospitals. An attack on a larger system could carry more severe consequences for patients. Approximately 7,000 patients sought care at Hollywood Presbyterian last year, yet there are hospitals in the U.S. that serve ten times that number of patients. If these hospitals rely heavily on the functionality of EHR systems to provide high quality patient care, is it possible that potential life threatening situations could arise because of data breaches like the one at Hollywood Presbyterian?
Of course, larger hospitals and health systems have much larger IT budgets to ensure security, and are probably more likely to invest in software to prevent this type of attack. Definitive Healthcare tracks privacy/data breach protection software used by hospitals and health systems. While not all uses are known, Definitive knows of over 700 implementations of this type of software. The following chart shows which providers have the largest shares of the market.
As investments in technologies such as electronic health records are evaluated to see if they are achieving their goals of improving the cost, quality, and access of healthcare to patients, providers must also be considering the increased cyber security risks they are being exposed to, and be sure they are doing their best to mitigate them.
Definitive Healthcare has the most up-to-date, comprehensive and integrated data on hospitals, physicians and other healthcare providers. Our hospital database tracks over 8,700 hospitals and health systems, with technology applications utilized – including privacy and data breach protection software.