A Ransomware Epidemic And An Overdue National Health IT Safety Center

Dean Sittig and Hardeep Singh | Health Affairs Blog | July 29, 2016

A rapid increase in computerization of health care organizations (HCOs) around the world has raised their profile as lucrative targets for cyber-criminals. Recently there has been a spate of high-profile ransomware attacks involving hospitals’ electronic health record (EHR) data.

Briefly, ransomware attacks commonly start when a user is conned into clicking an internet link or opening a malicious email attachment. Malware, or software that is intended to damage or disable the computer, is then downloaded and rapidly encrypts data on that computer and attempts to reach out to other computers on the same network to encrypt data on those computers as well; consequently, all encrypted data is inaccessible. A message is displayed that all files have been encrypted and if the user does not pay the requested ransom within a short period of time, the files will be destroyed. Once the attack has been launched, users have three basic options: 1) try to restore their data from a backup; 2) pay the ransom; or 3) lose their data.

These large-scale, malicious events compromise the safety of patient data and remind us of the need for a National Health IT Safety Center, a $5 million Fiscal Year 2017 budgetary request of the Office of the National Coordinator for Health IT (ONC) that we have supported before. In the absence of a centralized investigation and dissemination clearinghouse for these types of events, it is not possible to decipher specific details of what happened, how the problems were resolved, and what other organizations should learn from these events.

Recently, the Texas Medical Association (TMA) introduced a resolution in the American Medical Association (AMA) House of Delegates asking that the AMA support the ONC’s efforts to implement a National Health IT Safety Center to minimize safety risks related to use of health information technology (IT). The TMA’s resolution was adopted by the AMA on June 15, 2016, at its annual meeting. The rationale and recommendations within that resolution were built on emerging evidence of deficiencies in EHR-related safety and a concept proposal we previously described. We applaud the AMA for taking a thoughtful and forward-looking position. While it is unclear what actions the AMA will now take to support this effort, we posit that this center should be developed as a public-private partnership that...