The MiraMed Focus

A Ransomware Epidemic and an Overdue National Health IT Safety Center

Dean F. Sittig, PhD
The Christopher Sarofim Family Professorship in Biomedical Informatics and Bioengineering, University of Texas Health Science Center, Houston, TX

Hardeep Singh, MD, MPH
Chief of the Health Policy, Quality & Informatics Program, Veterans Affairs Health Services Research Center, Houston, TX

A rapid increase in computerization of healthcare organizations (HCOs) around the world has raised their profile as lucrative targets for cyber-criminals. Recently there has been a spate of high-profile ransomware attacks involving hospitals’ electronic health record (EHR) data.

Briefly, ransomware attacks commonly start when a user is tricked into clicking an internet link or opening a malicious email attachment. Malware, software intended to damage or disable the computer, is then downloaded and rapidly encrypts data on that computer; it also attempts to reach other computers and file shares on the same network and encrypt their data as well, so that all of the encrypted data becomes inaccessible. A message is displayed stating that all files have been encrypted and that, if the user does not pay the requested ransom within a short period of time, the files (in practice, the key needed to decrypt them) will be destroyed. Once the attack has been launched, users have three basic options: 1) restore their data from a backup; 2) pay the ransom, with no guarantee that a working decryption key will be provided; or 3) lose their data.

These larger-scale, malicious events compromise the safety of patient data and remind us of the need for a National Health IT Safety Center, a $5 million Fiscal Year 2017 budgetary request of the Office of the National Coordinator for Health IT (ONC) that we have supported before. In the absence of a centralized clearinghouse for investigating these types of events and disseminating the findings, it is not possible to determine the specific details of what happened, how the problems were resolved and what other organizations should learn from these events.

Recently, the Texas Medical Association (TMA) introduced a resolution in the American Medical Association (AMA) House of Delegates asking that the AMA support the ONC’s efforts to implement a National Health IT Safety Center to minimize safety risks related to use of health information technology (IT). The TMA’s resolution was adopted by the AMA on June 15, 2016 at their annual meeting. The rationale and recommendations within that resolution were built on emerging evidence of deficiencies in EHR-related safety and a concept proposal we previously described. We applaud the AMA for taking a thoughtful and forward-looking position.

An Agenda for the National Health IT Safety Center

While it is unclear what actions the AMA will now take to support this effort, we posit that this center should be developed as a public-private partnership that:

  • Establishes a nationwide “post-marketing” surveillance system to monitor health IT-related patient safety events, including those that lead to patient harm and “near misses”;
  • Develops the methods, governance structure and coordination framework for the investigation of major health IT-related safety events;
  • Creates the infrastructure, methods and approaches for random assessments of health IT safety in large HCOs, following best practice recommendations such as the ONC SAFER guides; and,
  • Advocates for health IT safety with various government entities (e.g., U.S. Congress, Centers for Medicare and Medicaid Services (CMS), Office for Civil Rights, Department of Defense, and state and local departments of health) and private entities (e.g., EHR vendors, payers and healthcare provider organizations).

The ransomware epidemic is a perfect example of the types of problems this center should address.

How the Safety Center Would Help Contain Ransomware

First, the Health IT Safety Center would convene two to three teams of multidisciplinary experts in health IT, cyber-security, clinical informatics and patient safety that could visit each of the sites attacked by ransomware. During these site visits, they would interview key stakeholders including IT professionals, clinicians and administrators, and review various systems and their audit logs in an attempt to identify how these attacks started, what sort of encryption algorithms were used, the vulnerabilities targeted, how the attack was handled and the key lessons learned from their experience. Based on their findings and existing best practices, these teams would write and disseminate a report with findings and recommendations to stop the threat before it can have a wider impact on patient safety. Rather than find fault, the goal of these reports would be to generate actionable recommendations and disseminate this knowledge nationally to institutions using EHRs in an attempt to mitigate future problems.

We envision that the safety center would also work on development and dissemination of more proactive strategies for risk reduction. For instance, we recently developed some good clinical practices for ransomware prevention, mitigation and recovery that were published in a peer-reviewed journal. However, in order for these findings to reach their fullest possible impact, institutional and government leaders and IT staff will need to see and implement them. This is where a safety center could deliver real, tangible value.

What’s Next In Absence of The Safety Center?

Like most health IT challenges, the responsibility for preventing, mitigating and recovering from ransomware is shared between health IT professionals and end-users. While we developed detailed “best practice” recommendations from the available literature, in reality there is no standardized national approach for rapidly developing or sharing best practices for nearly all emerging health IT safety issues. Often, institutions reinvent the wheel. The advocacy role of the center could coordinate this approach. In its absence, to help HCOs address ransomware threats, we recommend a four-step strategy to protect against attacks. (For the full recommendations see Table 1 in the published paper.)

  • Adequate system protection by correctly installing and configuring computers and networks: Organizations should maintain up-to-date backups of all data (kept offline or otherwise not writable from the production network, since ransomware also encrypts any backup it can reach, and tested by actually restoring from them), ensure that key operating system and application software is up-to-date, limit users’ ability to install and run software applications and limit users’ access to only those systems, services and data required by their job.
  • More reliable system defense by implementing user-focused strategies: Organizations must provide rigorous training, including use of simulation strategies (such as mock phishing campaigns) to ensure that users correctly operate their devices and applications and learn how to distinguish legitimate email messages and attachments from fraudulent ones.
  • Comprehensive system monitoring of suspicious activities: Organizations should develop a network and user activity monitoring system that conducts surveillance for suspicious activities, such as receipt of email messages from known fraudulent sources, or a single workstation suddenly modifying or renaming large numbers of files on a shared drive, which is the signature of encryption in progress.
  • Robust response strategy that includes recovery, investigation and lessons from ransomware attacks: The IT department should disconnect the infected computer(s) from the network and turn off wireless network functionality of the infected machine. If the attack is widespread, the IT department should shut down all network operations (i.e., both wired and wireless), to prevent the malware from spreading. Finally, they should contact their insurance provider, a computer forensics expert and the FBI’s Internet Crime Complaint Center.
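The monitoring step of this strategy is the one most readily reduced to working code. What follows is an added example written for this page, not code from the authors' published recommendations or from any HCO's tooling; the audit-log and mail-log formats, the thresholds, the filename patterns and the sender blocklist are all constructed stand-ins for whatever a given file server and mail gateway actually emit. It runs two detectors over constructed sample logs: one flags inbound mail from a blocklisted sender domain or carrying a risky attachment type, the other flags a user/workstation pair that modifies many distinct files within a short window, renames files to a known ransomware extension, or drops a ransom-note file, and names that workstation so the response step can isolate it first.

```python
"""Ransomware early-warning checks over file-server and mail-gateway logs.

Added illustration for this page; log formats, thresholds, patterns and the
blocklist are hypothetical stand-ins, not any product's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # sliding window for the burst detector
BURST_THRESHOLD = 20  # distinct files modified by one user@host inside the window
EXT_THRESHOLD = 5     # files gaining a known "encrypted" extension before alerting

RANSOM_NOTE = re.compile(r"(readme|how_to|decrypt|restore).*\.(txt|html?)$", re.I)
SUSPECT_EXT = re.compile(r"\.(locked|encrypted|crypt|enc)$", re.I)
RISKY_ATTACH = re.compile(r"\.(zip|js|scr|exe|hta|jar|vbs|docm|xlsm)$", re.I)
BLOCKLIST_DOMAINS = {"invoice-paymnt.example"}  # constructed stand-in for a threat feed


def sample_file_audit():
    """Constructed sample lines, format: '<ISO-8601 ts> <user> <host> <action> <path>'."""
    lines = [
        "2016-06-15T09:55:00 dr_lee ws-07 WRITE \\\\fs01\\clinic\\notes\\visit-1182.docx",
        "2016-06-15T10:03:10 dr_lee ws-07 WRITE \\\\fs01\\clinic\\notes\\visit-1183.docx",
    ]
    # One workstation renaming 25 files to *.locked in 25 seconds, then dropping a note:
    for i in range(25):
        lines.append(f"2016-06-15T10:00:{i + 5:02d} nurse1 ws-12 RENAME "
                     f"\\\\fs01\\clinic\\labs\\result-{i:03d}.pdf.locked")
    lines.append("2016-06-15T10:00:31 nurse1 ws-12 WRITE \\\\fs01\\clinic\\labs\\README_DECRYPT.txt")
    return lines


# Constructed mail-gateway lines: one blocklisted sender with a zip, two benign messages.
MAIL_LOG = """\
2016-06-15T09:58:41 from=<billing@invoice-paymnt.example> to=<nurse1@hospital.example> attach=invoice.zip
2016-06-15T09:59:02 from=<labs@hospital.example> to=<nurse1@hospital.example> attach=
2016-06-15T09:59:30 from=<referrals@partner-clinic.example> to=<dr_lee@hospital.example> attach=referral.pdf
"""


def parse_file_audit(lines):
    """Parse audit lines into (ts, user, host, action, path) tuples, oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, host, action, path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), user, host, action, path))
    events.sort(key=lambda e: e[0])
    return events


def burst_writers(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Return {(user, host): set(reasons)} for principals showing encryption-like activity."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)   # (user, host) -> deque of (ts, path) inside the window
    ext_hits = defaultdict(int)   # (user, host) -> count of files given a suspect extension
    for ts, user, host, action, path in events:
        if action not in ("WRITE", "RENAME"):
            continue
        key = (user, host)
        name = path.rsplit("\\", 1)[-1]
        if RANSOM_NOTE.search(name):
            alerts[key].add(f"ransom-note filename: {name}")
        if SUSPECT_EXT.search(name):
            ext_hits[key] += 1
            if ext_hits[key] == EXT_THRESHOLD:
                alerts[key].add(f"{EXT_THRESHOLD}+ files renamed to a known ransomware extension")
        q = recent[key]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window:   # drop events outside the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerts[key].add(f"{threshold}+ distinct files modified within {window}s")
    return dict(alerts)


def flagged_mail(lines, blocklist=BLOCKLIST_DOMAINS):
    """Return (ts, sender, recipient, reasons) for inbound mail worth quarantining."""
    pat = re.compile(r"(\S+) from=<([^>]*)> to=<([^>]*)> attach=(\S*)")
    hits = []
    for line in lines:
        m = pat.match(line.strip())
        if not m:
            continue
        ts, sender, rcpt, attach = m.groups()
        reasons = []
        if sender.rsplit("@", 1)[-1].lower() in blocklist:
            reasons.append("sender domain on blocklist")
        if attach and RISKY_ATTACH.search(attach):
            reasons.append(f"risky attachment type: {attach}")
        if reasons:
            hits.append((ts, sender, rcpt, reasons))
    return hits


if __name__ == "__main__":
    for key, reasons in burst_writers(parse_file_audit(sample_file_audit())).items():
        print("ISOLATE", "@".join(key), "->", "; ".join(sorted(reasons)))
    for ts, sender, rcpt, reasons in flagged_mail(MAIL_LOG.splitlines()):
        print("QUARANTINE", ts, sender, "->", rcpt, "; ".join(reasons))
```

The burst detector is deliberately keyed on the user and workstation rather than on the file share, because the response step that follows acts on the infected machine: the first alert names the host to unplug. The thresholds are starting points; a real deployment tunes them against a baseline of normal clinical file activity so that a bulk scanner or a legitimate batch job does not trip them.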

We are at a crossroads. We could continue to obfuscate and ignore obvious safety issues, including being easy targets for cyber-criminals, or we could work together to understand safety events, learn from them, identify best practices to prevent them and work on building a safe and effective health IT infrastructure for our country. Based on recent events, we remain optimistic that leaders with the power to make things happen will heed the call for an overdue National Health IT Safety Center.


Dean F. Sittig, PhD, is the Christopher Sarofim Family Professor in Biomedical Informatics and Bioengineering within the School of Biomedical Informatics at the University of Texas Health Science Center in Houston, TX, and a member of the UT-Memorial Hermann Center for Healthcare Quality & Safety. Dr. Sittig’s research interests center on the design, development, implementation and evaluation of clinical information systems. In addition to his work on measuring the impact of clinical information systems on a large scale, he is working to improve our understanding of both the factors that lead to success and the unintended consequences associated with computer-based clinical decision support and provider order entry systems. Most recently he has focused his efforts on developing the ONC SAFER Guides for the safe and effective implementation and use of health information technology, which are based on an eight-dimension socio-technical model that he developed with Hardeep Singh. Development of these guides is covered in his most recent book, SAFER Electronic Health Records: Safety Assurance Factors for EHR Resilience.

Hardeep Singh, MD, MPH, is Chief of the Health Policy, Quality & Informatics Program at the Veterans Affairs Health Services Research Center for Innovations based at the Michael E. DeBakey VA Medical Center and Baylor College of Medicine, Houston, TX. He leads a portfolio of multidisciplinary patient safety research, largely funded by the VA and the Agency for Healthcare Research and Quality, focusing on two related areas: improving the use of health IT and reducing diagnostic errors in healthcare. In 2012, he received the AcademyHealth Alice S. Hersh New Investigator Award for high-impact research and in 2014 received the prestigious Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama for his pioneering work in the field. Hardeep co-developed the ONC SAFER Guides for safe and effective EHR use. He also serves on the federal Clinical Laboratory Improvement Advisory Committee, which advises the Centers for Disease Control and Prevention, the Food and Drug Administration and CMS, and co-chairs the National Quality Forum’s Health IT Patient Safety Committee.

