Ransomware will Kill

Friday, August 19, 2016

An exaggeration? Unfortunately not.

A lot of attention has been paid to ransomware and other cybersecurity attacks over the past 12 months in healthcare, especially so in the US and with a particular focus on medical identity theft and fraud. However, that is nowhere near being the biggest risk. In the UK & Ireland, healthcare IT maturity is increasing with the adoption of electronic health record systems, mobile clinical applications and ePrescribing/charting. Below are just some examples of how a system being held 'to ransom' can jeopardise patient care:

1. ePrescribing & Medication Management
This one is surely the most obvious. Once a healthcare organisation moves to electronic medication management, it must have a contingency plan that's based on immediate recovery. However, when a platform is made inaccessible, clinical staff will have no way to know what medications patients need. This leaves significant scope for delays in care and treatment, which could be harmful. Critically, if allergy information is not accessible it can be devastating. A more sinister event may involve scrambling the core information, leading to medication misadministration.

2. Clinical Documentation & Charting
Clinicians, especially in the out-of-hours setting, rely on patient notes to review patient summaries, share patient information and document changes/reviews. Any downtime will delay patient care and access to patient information that is required for clinical decision making. Acting on incomplete patient information is a critical source of harm.

3. Order Communications
The ability to order and review investigation results is essential to the management of patients in the acute and ambulatory settings. Delays can impact everything from routine blood panels to radiology, oncology and surgical pathology results. This is critical not only in emergency settings but also in the management of chronic conditions, which require regular review and management. Any delays in results for these patients, and for oncology patients as an example, are simply unacceptable.

4. Bed Management & Departmental Workflow
Emergency departments and wards increasingly rely on bed management and workflow solutions to manage the transition of patients from triage to appropriate patient pathways. Downtime in these systems can cause chaos and, especially in acute settings, can lead to delays in patient identification, risk stratification, transport and ultimately care. The domino effect can have a negative impact throughout a hospital as patient backlogs affect theatres and intensive care units as well as wards.

5. Departmental EHRs
Not all hospitals adopt single vendor EHR solutions and many rely on specialised departmental systems such as in intensive care units. Any downtime in these systems, again, reduces access to essential clinical information required for decision making. This is particularly risky during clinical time periods when staff are going through handovers.

Many healthcare organisations are developing significant contingency plans for ransomware attacks, but more needs to be done.

Organisations need to invest in cybersecurity solutions as organisationally essential infrastructure components. Significant leadership positions must be created and supported with steering groups involving IT, risk and clinical leadership. In a world where interoperable, paperless systems are being sought, it is our duty to ensure that patient care is not compromised as a consequence.



About Dr Saif Abed (@Saif_Abed): Saif is a UK trained medical doctor and corporate strategist specialising in the deployment of complex IT infrastructure solutions. As Founding Partner at AbedGraham Healthcare Strategies Ltd., he currently advises global healthcare IT software & infrastructure vendors and healthcare providers about clinical workflow, healthcare policy, cybersecurity and IT system benefits realisation.