New Ransom Demands, AI Risks

From the largest healthcare companies to solo practices, just every organization in medicine faces a risk for costly cyberattacks. In recent years, hackers have threatened to release the personal information of patients and employees — or paralyze online systems — unless they’re paid a ransom.

Should companies pay? It’s not an easy answer, a pair of experts told colleagues in an American Medical Association (AMA) cybersecurity webinar on October 18. It turns out that each choice — pay or don’t pay — can end up being costly.

This is just one of the new challenges facing the American medical system on the cybersecurity front, the speakers said. Others include the possibility that hackers will manipulate patient data — turning a medical test negative, for example, when it’s actually positive — and take advantage of the powers of artificial intelligence (AI).

The AMA held the webinar to educate physicians about cybersecurity risks and defenses, an especially hot topic in the wake of last spring’s Change Healthcare hack, which cost UnitedHealth Group an estimated $2.5 billion — so far — and deeply disrupted the American healthcare system.

Cautionary tales abound. Greg Garcia, executive director for cybersecurity of the Health Sector Coordinating Council, a coalition of medical industry organizations, pointed to a Pennsylvania clinic that refused to pay a ransom to prevent the release of hundreds of images of patients with breast cancer undressed from the waist up. Garcia told webinar participants that the ransom was $5 million.

Risky Choices

While the Federal Bureau of Investigation recommends against paying a ransom, this can be a risky choice, Garcia said. Hackers released the images, and the center has reportedly agreed to settle a class-action lawsuit for $65 million. “They traded $5 million for $60 million,” Garcia said, slightly misstating the settlement amount.

Health systems have been cagey about whether they’ve paid ransoms to prevent private data from being made public in cyberattacks. If a ransom is demanded, “it’s every organization for itself,” Garcia said.

He highlighted the case of a chain of psychiatry practices in Finland that suffered a ransomware attack in 2020. The hackers “contacted the patients and said, ‘Hey, call your clinic and tell them to pay the ransom. Otherwise, we’re going to release all your psychiatric notes to the public.’”

Cyberattacks continue. Earlier this month, Boston Children’s Health Physicians announced that it had suffered a “ recent security incident” involving data — possibly including Social Security numbers and treatment information — regarding patients and employees. A hacker group reportedly claimed responsibility and wants the system, which boasts more than 300 clinicians, to pay a ransom or else it will release the stolen information.

Should Paying Ransom Be a Crime?

Christian Dameff, MD, MS, an emergency medicine physician and director of the Center for Healthcare Cybersecurity at the UC San Diego, noted that there are efforts to turn paying ransom into a crime. “If people aren’t paying ransoms, then ransomware operators will move to something else that makes them money.”

Dameff urged colleagues to understand we no longer live in a world where clinicians only bother to think of technology when they call the IT department to help them reset their password.

New challenges face clinicians, he said.

“How do we develop better strategies, downtime procedures, and safe clinical care in an era where our vital technology may be gone, not just for an hour or 2, but as is the case with these ransomware attacks, sometimes weeks to months.”

Garcia said “cybersecurity is everybody’s responsibility, including frontline clinicians. Because you’re touching data, you’re touching technology, you’re touching patients, and all of those things combine to present some vulnerabilities in the digital world.”

Next Frontier: Hackers May Manipulate Patient Data

Dameff said future hackers may use AI to manipulate individual patient data in ways that threaten patient health. AI makes this easier to accomplish, he said.

“What if I delete your allergies in your electronic health record, or I manipulate your chest x-ray, or I change your lab values so it looks like you’re in diabetic ketoacidosis when you’re not so a clinician gives you insulin when you don’t need it?”

Garcia highlighted another new threat: Phishing efforts that are harder to ignore thanks to AI.

“One of the most successful way that hackers get in, disrupt systems, and steal data is through email phishing, and it’s only going to get better because of artificial intelligence,” he said. “No longer are you going to have typos in that email written by a hacking group in Nigeria or in China. It’s going to be perfect looking.”

What can practices and healthcare systems do? Garcia highlighted federal health agency efforts to encourage organizations to adopt best practices in cybersecurity.

“If you’ve got a data breach, and you can show to the US Department of Health and Human Services (HHS) you have implemented generally recognized cybersecurity controls over the past year, that you have done your best, you did the right thing, and you still got hit, HHS is directed to essentially take it easy on you,” he said. “That’s a positive incentive.”

Ransomware Guide in the Works

Dameff said UC San Diego’s Center for Healthcare Cybersecurity plans to publish a free cybersecurity guide next year that will include specific information about ransomware attacks for medical specialties such as cardiology, trauma surgery, and pediatrics.

“Then, should you ever be ransomed, you can pull out this guide. You’ll know what’s going to kind of happen, and you can better prepare for those effects.”

Will the future president prioritize healthcare cybersecurity? That remains to be seen, but crises do have the capacity to concentrate the mind, experts said.

The nation’s capital “has a very short memory, a short attention span. The policymakers tend to be reactive,” Dameff said.

“All it takes is yet another Change Healthcare–like attack that disrupts 30% or more of the nation’s healthcare system for the policymakers to sit up, take notice, and try to come up with solutions.”

In addition, he said, an estimated two data breaches/ransomware attacks are occurring per day. “The fact is that we’re we are all patients, up to the President of the United States and every member of the Congress is a patient.”

There’s a “very existential, very palpable understanding that cyber safety is patient safety and cyber insecurity is patient insecurity,” Dameff said.

Randy Dotinga is an independent writer and board member of the Association of Health Care Journalists.