Among the plethora of emails that I receive on a daily basis, there seems to always be at least one sent from my hospital’s information services department. Usually, I receive alerts about system downtime or notifications about resolved tickets. They all have the same general look and feel, and so I hardly ever question that they are official. And then I come across a communication with a message similar to the one below. It certainly seems innocent enough, and what’s worse: believable.
Attention valued employee:
Information Services is deploying a new self-service tool to help users reset their own network passwords. Below are the steps you will need to get set up.
Step 1: Register by clicking the following link. Answer at least 5 of the 10 identification questions.
Step 2: If you forget your network password, you will be asked to answer 3 questions correctly in order to reset your password. You can begin this step here!
But in the end, this email turns out to just be spam, likely an attempt from an outside hacker to gain access to my hospital’s system. The hackers don’t necessarily care about my personal information nor are they looking to steal the identity of one sole doctor; they are looking to wreak havoc on an organization and potentially make a lot of money in the process.
Whether we want to admit it or not, the weakest links in a system are actually the people who use it. Unfortunately, data thieves use this fact to their advantage to collect usernames and passwords to gain access via malware or so-called Trojan horses. Once inside, although there are certain firewalls and checkpoints in place to promote security, the system is far less protected because it assumes that users who have access are supposed to be there. This gives hackers the ability to affect the function of interconnected networks, spread viruses among email recipients, and, what’s worse, access massive amounts of patient information to use however they see fit.
Unfortunately, this threat to our patient data is not purely hypothetical. In recent months, there have been a number of articles published about public institutions such as hospitals and police departments that have been caught seemingly off guard by hackers who don’t use their skills in order to shut down a system but rather to hold it hostage. Hackers simply gain access, funnel the data, and demand a “price” for its safe return. This so-called ransomware can be especially troublesome for hospitals and health care practices as electronic medical records (EMRs) are overtaking the “need” for paper charts.
And so hospitals and providers are caught between a rock and a hard place, as EMRs help make their systems both more efficient and more vulnerable. To complicate matters more, paper charts aren’t even really an option anymore. As of January 1, 2014, under the American Recovery and Reinvestment Act, all public and private health care providers and other eligible professionals were expected to adopt and demonstrate meaningful use of EMRs in order to maintain their existing Medicaid and Medicare reimbursement levels. Penalties exist for those who don’t comply.
But the answer is not to blame EMRs and new technology for the problem. Especially as a physician, I see firsthand how invaluable EMRs are and how my ability to provide accurate interpretations relies so heavily on good information in the medical record. We must be conscious of the fact that the health record is a part of the patient. We must protect it as best as we can so as not to do harm to the person it represents. We must take some responsibility in keeping our patient data safe by doing our due diligence to pay attention to these new threats and to know whom to contact within our health system with questions about their legitimacy. In doing so, we certainly won’t protect our hospitals from every cyber threat, but at least we will do our part to help make our link to it a little bit stronger.
Kerri Vincenti is a radiology resident.