February 29, 2016
Infection Control…In Healthcare IT
By Michael D. Shaw
This column has devoted considerable coverage to the matter of infection control in hospitals. The most recent such story addressed the dreadful Superbug/tainted endoscope affair, haunting several American hospitals.
Sadly, other types of infections can—and do—take place in healthcare settings. Which brings us to the nasty ransomware attack, occurring earlier this month at Hollywood Presbyterian Hospital in Los Angeles. Cutting to the chase, the hospital agreed to pay the ransom ($17,000), and file access was restored.
Ransomware is a particular class of malware that prevents or limits users from accessing their system, typically by encrypting some or all user files. Successful decryption of the affected files will nearly always require a decryption code, offered by the perpetrator. Payment must be made within a short time frame (usually 96 hours), and is generally accomplished via Bitcoin.
Ironically, ransomware, as a criminal enterprise, can only succeed based on the integrity of the perps. If a ransom is paid, and a decryption code not given, the credibility of such threats—even if observably real—loses most of its steam.
Leading IT security firm Trend Micro notes that “Ransomware can be downloaded by unwitting users by visiting malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. Some ransomware are delivered as attachments to spammed e-mail.” Check out Trend Micro’s video, entitled “Ransomware 101: Digital Extortion in Action.” For an added scare, blow the vid up to full screen, and you’ll be thinking that your own computer is infected.
In a sense, ransomware attacks on hospitals are the next step up from medical identity theft, by far the most serious form of identity theft.
“Health care is a particularly vulnerable sector with respect to cyber security,” said Jeffrey Vagle, a lecturer in law at the University of Pennsylvania Law School and executive director of the school’s Center for Technology, Innovation & Competition. “Many of the devices and systems used in a medical environment simply were not designed with a high degree of security in mind, mainly due to the fact that ease-of-use for health care professionals is paramount.”
I would add that the ridiculous “Damn the torpedoes, full speed ahead” approach to forcing electronic health records on the industry has not exactly helped, either. (No offense to David Farragut.) As healthcare informatics guru and friend of this column Scot Silverstein, MD, says, “If hospitals cannot afford the required diligence, they need to get out of the IT business. Paper cannot be hacked or held for ransom en masse.”
Among other issues created by the attack, according to news reports, “Some patients had to be transferred to other hospitals, as some of the medical equipment that need computers at the Hollywood Presbyterian Medical Center were rendered inoperable, including apparatuses for X-ray and CT scans, documentation and pharmacy and lab work.” Yet, fully in keeping with the standard mantra, hospital CEO Allen Stefanek insisted that “Patient privacy has not been compromised.”
Riiight. Never mind that Stefanek cannot possibly know if this is true; common sense would suggest that hackers who took over such a treasure trove of data might…use it for nefarious purposes.
Silverstein raises a few important questions:
1. Was any patient data altered or corrupted, either deliberately or as a result of the hack?
2. Was any patient data copied or stolen?
3. Was any malicious code left behind by the hackers on any computer on the network, e.g., “back doors” or other malware that could cause future problems?
4. Will any patients suffer harm moving forward as a result of lost computer information during the episode, incomplete backloads of data on the paper that was resorted to during the crisis, or other factors?
Silverstein adds that “Until and unless hospital leadership is held fully accountable for incidents such as this, such incidents will be one of many more moving forward.”
I’ll give the last word to pathogenic infection control expert Lawrence Muscarella, PhD, who compares computer and patient infections…
“Both are under-reported, with the true incidence of infection of patients and hospital servers being likely significantly higher than publicly reported. With some detective work, the source can often, but not always, be identified, whether it’s an infected source patient who is spreading the disease, or a rogue computer expert operating in a foreign country.”
“With computer malware, paying a ransom—a type of ‘antibiotic’—to the software’s designer can stop the infection in its tracks, permitting business to continue as usual. With hospital infections from deadly pathogens such as superbugs, money is one important factor necessary to prevent the disease’s spread, but money alone is not the sole solution and does not stop the infection’s spread. Diligence, surveillance, and compliance with standard precautions are also necessary to ensure patient safety.”