From the largest healthcare companies to solo practices, just every organization in medicine faces a risk for costly cyberattacks. In recent years, hackers have threatened to release the personal information of patients and employees — or paralyze online systems — unless they’re paid a ransom.
Should companies pay? It’s not an easy answer, a pair of experts told colleagues in an American Medical Association (AMA) cybersecurity webinar on October 18. It turns out that each choice — pay or don’t pay — can end up being costly.
This is just one of the new challenges facing the American medical system on the cybersecurity front, the speakers said. Others include the possibility that hackers will manipulate patient data — turning a medical test negative, for example, when it’s actually positive — and take advantage of the powers of artificial intelligence (AI).
The AMA held the webinar to educate physicians about cybersecurity risks and defenses, an especially hot topic in the wake of February’s Change Healthcare hack, which cost UnitedHealth Group an estimated $2.5 billion — so far — and deeply disrupted the American healthcare system.
Cautionary tales abound. Greg Garcia, executive director for cybersecurity of the Health Sector Coordinating Council, a coalition of medical industry organizations, pointed to a Pennsylvania clinic that refused to pay a ransom to prevent the release of hundreds of images of patients with breast cancer undressed from the waist up. Garcia told webinar participants that the ransom was $5 million.
Risky Choices
While the Federal Bureau of Investigation recommends against paying a ransom, this can be a risky choice, Garcia said. Hackers released the images, and the center has reportedly agreed to settle a class-action lawsuit for $65 million. “They traded $5 million for $60 million,” Garcia added, slightly misstating the settlement amount.
Health systems have been cagey about whether they’ve paid ransoms to prevent private data from being made public in cyberattacks. If a ransom is demanded, “it’s every organization for itself,” Garcia said.
He highlighted the case of a chain of psychiatry practices in Finland that suffered a ransomware attack in 2020. The hackers “contacted the patients and said: ‘Hey, call your clinic and tell them to pay the ransom. Otherwise, we’re going to release all your psychiatric notes to the public.’ ”
Cyberattacks continue. In October, Boston Children’s Health Physicians announced that it had suffered a “ recent security incident” involving data — possibly including Social Security numbers and treatment information — regarding patients and employees. A hacker group reportedly claimed responsibility and wants the system, which boasts more than 300 clinicians, to pay a ransom or else it will release the stolen information.
Should Paying Ransom Be a Crime?
Christian Dameff, MD, MS, an emergency medicine physician and director of the Center for Healthcare Cybersecurity at the University of California (UC), San Diego, noted that there are efforts to turn paying ransom into a crime. “If people aren’t paying ransoms, then ransomware operators will move to something else that makes them money.”
Dameff urged colleagues to understand we no longer live in a world where clinicians only bother to think of technology when they call the IT department to help them reset their password.
New challenges face clinicians, he said. “How do we develop better strategies, downtime procedures, and safe clinical care in an era where our vital technology may be gone, not just for an hour or 2, but as is the case with these ransomware attacks, sometimes weeks to months.”
Garcia said “cybersecurity is everybody’s responsibility, including frontline clinicians. Because you’re touching data, you’re touching technology, you’re touching patients, and all of those things combine to present some vulnerabilities in the digital world.”