Shane Richards, Class of 2023, Belmont Law
Just shy of one year ago, the nation’s largest fuel pipeline ground to a halt because of a criminal ransomware attack. In May 2021, Colonial Pipeline’s system transported 100 million gallons of gasoline per day, supplying gas for 50 million people in America’s southeast and meeting about 45% of the East Coast’s demand for gas. The ransomware attack brought an abrupt halt to that supply, spurring panic buying and gas shortages. According to a consulting firm, Colonial’s cybersecurity was so bad that, in one consultant’s words, “an eighth-grader could have hacked into the system,” despite recent efforts to improve such security. Colonial Pipeline only resumed operations after paying a $4.4 million ransom to the criminal hackers that shut down the system.
Luckily, the panic buying caused more problems than the actual stoppage, and life quickly returned to normal for most Americans affected. However, this incident is not an anomaly. Similar ransomware attacks “have reached epidemic levels,” according to the Associated Press, “as foreign criminal gangs paralyze computer networks at state and local governments, police departments, hospitals …” Following the Colonial Pipeline incident, U.S. officials have expressed concerns that many other organizations, much like Colonial Pipeline, have also failed to invest in adequate safeguards. Organized crime is not the only concern when it comes to ransomware attacks. U.S. officials have noted their concerns that state-backed hackers could do even more damage if given the chance.
One year later, anxiety over cybersecurity is being raised once again as Russia deploys ransomware attacks against Ukraine. In a March 1, 2022, Analyst Note, the Department of Health & Human Services (“HHS”) examined the two variants of malware that have been used against Ukraine over the past few months, HermeticWiper and WhisperGate. Although there is no specific threat currently known, the HHS identified three potential threat groups: the Russian Government, the Belarusian Government, and criminal organizations operating in Russian territories. The two variants of malware employed by these organizations are classified as “disk-wiping” malware, which is characterized by its ability to completely delete data from the devices it infects. The HHS notes that these two variants are the most likely to impact the health care industry.
These concerns are being raised again as some hail this year as a transformative one for health information technology. Since the passage of the HITECH Act and the 2011 launch of the Medicare and Medicaid Electronic Health Records (“EHR”) incentive programs, 90% of hospitals and health care providers have switched to utilizing EHR systems, storing more and more sensitive patient information in electronic systems. It will not stop there, however, as key provisions of the 21st Century Cures Act, passed in 2016, will be implemented this year. Specifically, a few of those key innovations include (1) making information sharing practices a priority across the industry, (2) creating a standardized foundation for security, and (3) implementing a nationwide infrastructure to make information sharing easier. Some hail these updates as freeing the health care industry from paper restraints. Although paper has not yet been “wrung … completely out of health care,” and it likely will not be for some time, the effect of the 21st Century Cures Act is to continue the shift towards a paperless health care system that heavily relies on nationwide digital databases.
There are many clear benefits that come from switching to an EHR system. The ability for one hospital to quickly share patient data with another hospital or another health care provider can be the difference between life and death. An EHR system allows doctors to more effectively diagnose patients, reduces overall costs, reduces the redoing of work already done, keeps information up to date, and so on. It is a key plank in the current plan to lower overall health care costs in a country where those costs are rampant. However, it does not take much to see how things could go very wrong. It does not take much imagination to see how solely relying on such a system—eliminating the restraints of paper—could be incredibly dangerous in a world of criminal ransomware attacks and cyberwarfare.
Imagination is not even required to see how this might be an issue. It is happening in Ukraine and it has happened here at home. It is an issue at the forefront of the attention of Lisa Pino, the Director for the Office of Civil Rights at the HHS. In a recent blog post, Pino describes how cyberattacks on hospitals caused providers to cancel surgeries, radiology exams, and other services in 2021. She also makes clear that it is not just EHR systems, but other electronic databases, that are at risk. Pino recommends several measures to improve cybersecurity, such as maintaining encrypted, offline database backups, conducting regular vulnerability scans, and training employees to avoid common cyber threats, like phishing.
Despite the numerous problems that nationwide electronic databases may alleviate in health care, there is great potential for new problems to arise. A world now exists with many new possibilities, but it is not without its own new dangers. It is a world where a small group of criminals can bring vital infrastructure to a halt and where large government-backed groups can employ malware that completely expunges all data in a system. Just by flipping a switch, all that patient data—all of that sensitive and irreplaceable information—disappears. The potential for harm to the health care industry, and its many patients, is immense if proper steps and measures are not taken. Only time will tell how effective protective measures, such as those proposed by Pino, will be. Until then, backups, even in the form of paper, may be the safest option.