Imagine a scenario where you have a medical emergency, you head to the hospital, and it is shut down. On a Friday morning in September, this hypothetical became a reality for a community in northeast Wyoming.
Campbell County Health reported a systemwide crippling of its computers that affected its flagship hospital and nearly 20 clinics located in the city of Gillette. For eight hours, the hospital’s emergency department was forced to transfer patients even though the next nearest hospital was located 70 miles away. The health care system stopped admitting new patients, labs were shuttered and some surgeries were postponed. It took 17 days to restore normal order.
The cause was ransomware, an increasingly frequent form of digital breach that doubled across industries in the first quarter of 2019, according to McAfee Labs. Today, this brand of cyberattack and other hacks plague America’s health care providers.
But you may be surprised to learn that your health could also be affected, long after hackers release their hostages — your electronic medical records.
New research finds that at hospitals that experienced a data breach, the death rate among heart attack patients increased in the months and years afterward. This increased mortality doesn’t appear to be due to the perpetrators themselves — the hackers are not controlling the allocation of medications or doctors. Rather, the issue may lie with how health care systems adjust their cybersecurity after an attack, according to a study published in October’s issue of Health Services Research.
“In spending time in a lot of different health care organizations, what we saw in terms of reactions to breaches was rather predictable — that is, installing better security controls,” said Eric Johnson, an IT security researcher and dean of Vanderbilt University’s Owen Graduate School of Management who co-led the study. Such measures could include stronger passwords, enforcing password use and two-factor authentication.
While these fixes seem like ordinary precautions to anyone with a smartphone, every second counts in a medical emergency. Cybersecurity remediation at hospitals appears to be slowing down doctors, nurses and other health professionals as they offer emergency cardiac care, based on this new study.
After data breaches, as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined in the new study. Heart attacks rank among the most common medical emergencies in the U.S., with approximately 735,000 Americans experiencing one every year.
The number of health care entities affected by electronic breaches has risen 20 percent in 2019 compared to all of last year. Those breaches involved the medical records of 38 million health care customers, the largest number since 2015 when massive hacks struck Anthem, Blue Cross, Excellus and UCLA Health System.
Electronic medical records, though billed as a modern pathway to efficiency, are already known to cause friction among health professionals, occasionally slowing care and leading to inferior health outcomes. Johnson and his colleagues suspect that the newly installed efforts to thwart future digital breaches are unintentionally amplifying this discord.
What the researchers did
Health care providers are required by federal law to notify affected patients and alert the media after a data breach involving more than 500 individuals. They also must file a report with the Office for Civil Rights at the U.S. Department of Health and Human Services.
Johnson and his two co-authors — Vanderbilt’s Christoph U. Lehmann and Sung Choi at the University of Central Florida — pulled these records for 2012 to 2016, then cross-referenced them with a database of Medicare-certified hospitals. Such hospitals are required to keep so-called quality measures — data that quantifies health care efficiency, health outcomes and patient experiences.
In particular, the team wanted hospitals that keep consistent records on two things: the time it takes a patient with chest pain to get from the door of an emergency room to receiving a heartbeat reading by an electrocardiogram (EKG), and the 30-day mortality rate for heart attacks. The researchers whittled down their pool to 3,025 Medicare-certified hospitals with suitable records, 311 of which had experienced data breaches.
They found the time it took for a patient to receive an electrocardiogram increased by as much as 2.7 minutes after a data breach, and this lag remained as high as 2 minutes even after three to four years.
“Our hypothesis is that the time connection is driving the 30-day mortality rates,” Johnson said. “There’s a clear association for hospitals that saw these breaches. They definitely saw increases in 30-day mortality rate.”
The Medicare records also provided the number of “meaningful users” of certified electronic health record-keeping systems, which served as a proxy for the state of a hospital’s cybersecurity. After a breach, health care providers tend to require more of their employees to become “meaningful users.”
Choi, Johnson and Lehmann used those records to model how “improvements” in cybersecurity contribute to this trend of cardiac distress — without having to survey individual hospitals about their cybersecurity plans. They expect to find similar results with other emergency conditions where time delays can be problematic, like stroke.
“We are looking at a very granular level across a national sample of hospitals,” Johnson said. “To understand the more detailed mechanics of how security was implemented in any particular hospital, that’s an area for future research.”
Electronic medical records can be hard to use. Data breaches expose the consequences
This is a huge limitation of the study — it didn’t directly measure whether the hospitals responded to breaches by installing more cybersecurity. But the researchers’ reliance on indirect measures speaks to the closeted nature of how health care systems respond to security breaches.
“It’s scary as heck for the hospital,” said Ross Koppel, a sociologist at the University of Pennsylvania who studies health care information technology, namely how people interact with computers in their workplaces and cybersecurity vulnerabilities. He said hospital officials often argue they can’t discuss changes to their cybersecurity after a breach because they don’t want to give hackers new clues.
But part of the trepidation may stem from fears about how their patients will react, Koppel said. A 2015 study shows that patients are less forthcoming with their doctors if they learn their medical records can be accessed via the internet — which a data breach brings to light.
To seek more information about how hospitals respond after a breach, the PBS NewsHour contacted Campbell County Health and another health care provider in Alabama called DCH Health, which was forced to pay a ransom this month for a cyberattack that shut down its three hospitals. A spokesperson for Campbell County Health declined to provide any information, and DCH Health never responded to a request for comment.
The other problem is that some hospitals are reluctant to share details of their patient information systems because it would enable competing hospitals to prey on their customers, Koppel said. “They can say, ‘Look, we have a better cardiac lab.’”
He added that that’s what is impressive about the new study. Despite this limitation, it highlights the kind of disruption that can occur when a hospital is implementing new processes or software to increase security.
Koppel’s work and other research have repeatedly shown that the pitfalls around electronic medical records often center on the user experience for doctors, nurses and other health professionals.
A 2005 study, for example, found the introduction of “computerized physician order entry” systems — which allow medical providers to track instructions for a particular patient — stymies handoffs between ambulance crews and emergency departments. Without these systems, EMTs would radio ahead orders for medications, but once these systems are installed, the crews are forced to provide this information on arrival so emergency department staff can log it. These delays in care and others reportedly doubled the rate of pediatric deaths at the Children’s Hospital of Pittsburgh.
Electronic medical records are also considered more valuable to hackers than Social Security numbers and other personal info because of the opportunity for blackmail. And as electronic medical records become more common, health care systems need to beef up their security.
If someone steals your credit card, you cancel the card. But if you’re worried about friends, family or employers finding out about a chronic health condition, hackers can indefinitely extort you financially by threatening to release your private information. Health care hacks can also be used by medical fraudsters.
“They can bill the Centers for Medicare and Medicaid Services or insurance companies for the patients that they have records,” Koppel said. “They can sham CMS or insurance companies for quite a while before it emerges. It may never emerge.”
Johnson said the solution is faster-but-secure technologies for accessing medical records, such as radio frequency identification (RFID) wristbands, biometric scans for fingerprints or facial recognition. But Koppel said the government and the health care industry need to mandate standards and implement them across multiple health care systems.
“They have to stop avoiding the desperate need for data standards … The government basically gave way to industry and said whatever you want,” Koppel said, meaning that organizations make their own rules for data accessibility that are often inconsistent with one another. He acknowledges that creating one standard for everyone would affect market competition and the bottom lines for medical IT companies. “The classic line is that these data standards are like toothbrushes. Everybody wants one, but they don’t want to share.”