Reckoning with Ransoms: The Dangers of Relying on Electronic Patient Data Increases

Shane Richards, Class of 2023, Belmont Law

The issues with using paper forms and records instead of electronic versions are numerous and well known to anyone who has ever worked in an office. Even in my limited experience of working at a law firm, I have learned that paper files have their downsides. They can be difficult to manage. The document you need can easily be lost amidst thousands of other paper documents and hundreds of other file folders being tossed around and shared among a busy office. “Who has the Johnson file?” and similar questions can often be heard, sending all nearby attorneys rummaging around their desks to figure out if they were the ones to misplace the file. Physical files also take up a lot of space, and it is generally more time-consuming to comb through a paper file to find just that one document you need. These questions of ease make using electronic records alluring enough, and that still leaves out the security questions. Is it not relatively easy for a nefarious actor to take a peek at a sensitive, misplaced file?

Many of these issues are solved by creating electronic files. Even doing something as simple as putting documents on a program like Google Docs cuts down on paper, makes locating them easier, and improves security. Other systems can put further password protections on sensitive records and take it however many steps further a company may desire. Only one who is supposed to look at it can look at it—that is the logic. One does not need to look far to see this same reasoning being used to move medical records from cumbersome paper form to a sleek electronic manifestation. Another bonus unique to the context of electronic medical records is the added shareability. The possibility of easily sharing medical records from one healthcare provider to another is theoretically invaluable. Several pieces of legislation in this new electronic age, like the 21st Century Cures Act, have been pushing the health care industry in the direction of relying on electronic databases for the storage and access of medical records.

However, it may not be more secure at all. New data published in the Journal of the American Medical Association Health Forum and cited by Westlaw Today show that health care providers are facing a grave new threat: ransomware attacks. In the days of old, a nefarious actor had to physically walk into a hospital and look at sensitive documents to retrieve personal information. There are many obvious things a hospital can do to combat such an issue. Now, however, with most records being made electronic, a nefarious actor can force a hospital to pay an exorbitant ransom from the comfort of their own homes—and hospitals are struggling to deal with this new paradigm.

As described by Westlaw Today, a ransomware attack is a type of computer malware that “attempts to deny access to data, usually encrypting the data with a key known only to the hacker, until a ransom is paid.” These types of attacks have doubled from 2016 to 2021, totaling 374 ransomware attacks. These attacks impacted almost 42 million people—that’s about 13% of the US population. The ransom being paid or unpaid, only 20% of organizations reported that they were able to restore that data, meaning that 80% of data was lost. It can be confirmed that in 16% of these attacks, the stolen information was made public. Those numbers may seem sufficiently worrisome on their own. However, there are reasons to believe the number of attacks is significantly underreported due to regulatory penalties and potential class action lawsuits.

Despite what some would think, it appears that more tech might mean more problems. These developments have created a new frontier of security concerns and threats, with both sides—hacker and hospital—crafting new and unique ways to protect data and to phish for that data. As noted by Westlaw, employee training and education are vital to prevent such attacks. Yet no one is perfect, and even the best-trained staff can fall victim to such an attack. The operations of hackers continue to get more sophisticated, and someone will be caught off guard eventually. The question then becomes: what does a hospital do when all of its data is lost? Should a protocol be in place to regather and reenter that information? Should the data be regularly backed up to a completely different database? Is it worth keeping a paper backup of the most important information? Wouldn’t paper versions kept at the hospital bring us back to the paper problems we all know? These are the questions faced by health care institutions in the electronic age. Is it worth having these great electronic systems of communicating medical records between institutions if more than 10% of patient information is ransomed and lost, causing treatment delays?
