Sarah is a single mother with a family history of heart disease. One morning, she’s driving her son to soccer practice when she experiences sudden chest pain. Recognizing the signs of a heart attack, her son calls 911 and waits for an ambulance to arrive. Thankfully, one arrives quickly, but instead of taking Sarah to the hospital down the block, it takes her to one across town. Unfortunately, because of the delay, Sarah’s heart suffers irreversible damage.
While thankfully this story is fictional, many similar stories are not. In May 2021, Scripps Health in San Diego was brought down by a ransomware attack. Ransomware is a type of malware that locks away important data until a ransom is paid to the hackers. Due to the attack, ambulances were routed away from Scripps Health system hospitals, and care for patients was delayed. In medical emergencies, each second counts.
Scripps Health is not the only victim. In 2020, cyberattacks on health care institutions increased by over 55%. In September 2020, Universal Health Services was hit by a ransomware attack that affected care at over 400 hospitals worldwide.
The impact of ransomware attacks goes far beyond re-routing ambulances. In the past twenty years, medicine has increasingly relied on technology for documentation, imaging (e.g., X-rays and CT scans), writing prescriptions, and rapid communication. Abruptly going offline can be debilitating for health systems that rely so heavily on computers to take care of their patients. Quality of care plummets when providers don’t have access to prior electronic health records, cannot readily consult other specialists, and need to manually read CTs and X-rays. Ransomware attacks are detrimental regardless of the organization, though the stakes are much higher for health care systems.
Ironically, health systems are some of the most vulnerable to these kinds of attacks. In fact, the 2021 Health Care Breach Report from Bitglass, a cloud security firm, shows that health care system breaches have become more and more commonplace. This is likely because health information is extremely valuable. Everything from a patient’s Social Security number to family history is stored in the electronic medical record. If this information is leaked or becomes inaccessible, hospitals lose patient information, which is a HIPAA violation, and they also have to pay substantial fines to the federal government if they pay the ransom.
Further, health systems have several access points for hackers to exploit. Ideally, electronic medical records are connected within and between health systems. This interconnectedness, while beneficial to a patient’s continuity of care, creates multiple entry points for hackers.
In the era of COVID-19, these access points have only grown with the increased popularity of telehealth visits. With providers and patients both trying to connect from home, increased reliance on network-based technology has allowed new vulnerabilities to emerge.
Additionally, medical devices serve as extremely vulnerable access points if they are integrated into medical networks. For example, ventilator machines (used to breathe for extremely sick patients) can sometimes transmit information directly into electronic medical records. This tool can be extremely useful for providers, as they can check on all patients in real-time from their computers, but it also creates an extra connection in the system that can be exploited. Manufacturers of medical devices are focused on patient health and safety, not on cybersecurity.
Despite the numerous challenges that health systems face, a study by IBM showed that human error is responsible for most data breaches, and this is usually due to poor cyber hygiene. Humans exacerbate holes in our cyber defenses by using easily guessable passwords, transmitting information over insecure networks, and falling victim to phishing scams, amongst other examples.
As a society, we must keenly educate ourselves on how to use technology safely. This may be as simple as adding an additional special character (e.g., %!#) to your password to make it more robust, or screening your inbox for suspicious emails. On a larger scale, technology safety must involve our institutional administrators, cybersecurity officers, and even local legislators, as we advocate for adequate funding that will help prevent cyberattacks.
Changes in the ways we use, protect, and advocate for our information will undoubtedly make information more secure in all enterprises, including health care. It’s vital that we are proactive rather than reactive in our personal cybersecurity efforts—the health of ourselves and our loved ones depends on it.
Newton Nagirimadugu, BS, is a third-year medical student at The George Washington University School of Medicine and Health Sciences. He received a Bachelor of Science in Chemistry with a minor in Mathematics at the College of William & Mary. His interests include quality improvement, the intersection of health care and technology, public health and advocacy, and narrative medicine.