from the AAP DIVISION OF QUALITY on July 20, 2017

As electronic options to provide and access patient health information increase, so too can opportunities for hackers to steal that information or hold it hostage if medical professionals do not maintain and upgrade their cybersecurity.

“Imagine having your electronic health record, computer and internet unavailable to you,” said Marvin B. Harper, M.D., FAAP, chief medical information officer at Boston Children’s Hospital and a member of the AAP Council on Clinical Information Technology. “Many clinicians would find it very difficult to optimally care for their patients in such a scenario. Now imagine that there is a ransom you must pay to regain control of your systems.”

Such a scenario played out in May, when thousands of health care systems in over 150 countries were victims of the WannaCry ransomware attack. Those affected received a message on their computers saying their documents, photos, videos and databases had been encrypted, and they needed to pay a ransom in bitcoin to recover the files. A cybersecurity researcher discovered how to disable the virus, slowing the spread of the ransomware.

Another global ransomware attack known as Petya spread through large companies in June.

Cyberattacks in the health care industry can impact individual patients by disrupting continuity of care and compromising their personal data such as names, social security numbers and home addresses. Public health can be affected as well if entire systems are shut down and data are held for ransom.

The health care industry may be more vulnerable to cyberattacks than other industries because of the wide variety of data within health care organizations. In addition, large numbers of legitimate users can lead to more opportunities for errors, leaving systems vulnerable to hacking. Small pediatric practices may be especially vulnerable to cyber threats if they have limited financial resources to keep up with recommended security upgrades.

“We live with the reality that it is not a question of whether our systems will be attacked or hacked but when and how bad it will be,” Dr. Harper said.

Federal rules require physicians to report data breaches to the Department of Health and Human Services (DHHS) Office of Civil Rights (OCR). Experts in cybersecurity and data breaches have suggested that up to half a million children’s medical records are for sale illegally. However, OCR reporting records for pediatric patients are below that number, suggesting that many health care providers may be unaware that their patient data have been compromised.

