How prepared is your practice for cyberattack?

IN May of 2017, Britain’s National Health Service was hit by a particularly virulent cyberattack. Within just hours, thousands of computers and medical devices – including magnetic resonance imaging scanners, theatre equipment and blood storage refrigerators – had been contaminated by a virus known as WannaCry, triggering a digital lockdown to prevent further spread. Patient records were compromised and the problem became so serious that some hospitals had to turn away non-critical emergencies and divert ambulances to unaffected emergency departments, often many miles away.

WannaCry was what is known as ransomware, or a virus that typically encrypts a computer’s entire hard drive and then asks the user for a ransom fee to unlock it. Selling ransomware is one of the fastest growing businesses in the darker reaches of the internet, and while health care providers are by no means the only victims, they are a particular target.

“In the United States, around 88% of ransomware attacks have been against health care providers,” Dr Zubair Baig, a senior lecturer in cybersecurity at Perth’s Edith Cowan University, told MJA InSight.

Dr Baig, who is the co-author of a recent article on security attacks on electronic health systems, said that the most important thing health organisations can do to counter the threat of ransomware attacks is to craft a document that clearly explains to health practitioners what to do and what not to do when they receive suspect emails.

“It could be an email that appears to come from a legitimate source, but turns out not to be. If it has an attachment and you can’t verify the email’s legitimacy, do not open the attachment and report the incident to the IT department of your organisation,” Dr Baig said.

Ransomware is one of the greatest cybersecurity threats for health care providers, but it’s not the only one. A Viewpoint just published in JAMA outlines a number of other issues, including theft of patient medical information, denial-of-service attacks which freeze networks, and the hacking of medical devices such as insulin pumps or pacemakers.

Clinicians must practise “cyber hygiene”, writes the New York-based Dr Mark Jarrett. This includes changing passwords on a regular basis, ensuring software is up to date, and installing cybersecurity software. Doctors should never assume that just because their practice is small, that they will not be a target of hackers or malware.

“The promise of improved care from a digital world will be broken, and patients could be placed at risk if cybersecurity is not made a priority issue.”

But, according to Dr Bernard Robertson-Dunn, an electronics engineer who chairs the Health Committee of the Australian Privacy Foundation, cybersecurity is not just an issue of greater vigilance on the part of health care providers. It’s also about how digital infrastructures are designed in the first place.

He points to the Australian government’s controversial My Health Record as an example of how not to digitally store and transmit patients’ records.

“The problem is that the government has implemented a system where if doctors want to share medical data, they first have to give them to the government, which centralises all the data. That creates a honeypot that is very attractive for hackers to hack into,” Dr Robertson-Dunn said.

“You don’t want centralised data, because they’re too vulnerable to hacking and, in any case, it’s unnecessary. The information should stay with the people who create and need it, and it should be shared among them.”

Dr Robertson-Dunn said that concretely, this means that the bulk of patient data should remain with the GPs, who should then share them with hospitals, specialists and patients when needed. Patients would be able to access their own data, or a summary of them, by logging on to the GP system with a password and username.

He said that a number of other countries, such as the UK and Sweden, are moving towards this approach to enable patients to access their information.

But he added that this shouldn’t mean that cybersecurity becomes the sole responsibility of the GP.

“We don’t want to put another load on GPs, who in any case have no expertise in cybersecurity. The security aspects should be transparent to them but they shouldn’t be taking responsibility. The problem is that nobody’s worked out yet how to change a medical practice to deal with all these new security requirements. That’s the area that really needs attention, and more research and development.”

But Dr Baig said he didn’t think that the issue was where the data were stored; rather it was how they were managed.

“It doesn’t matter if the data are stored centrally or are distributed. What matters is that firstly, they’re properly encrypted before they’re communicated, either from the practitioner or from a central repository; and secondly, they’re rendered only to authenticated requesters, with a minimum of two authentications – a password and also something else, maybe biometrics. End-to-end security can be achieved with these two very simple solutions.”

But he added that many organisations had yet to implement these solutions. Health care data breaches and recovery were still costing organisations around $6.2 billion annually in the US, he noted.

To find a doctor, or a job, to use GP Desktop and Doctors Health, book and track your CPD, and buy textbooks and guidelines, visit doctorportal.