Kristian Feterik, MD, MBA, FAMIA, SFHM has been a hospitalist for 20 years, and a board-certified clinical informatician for the last eight years. But the cyberattack on UnitedHealthcare unit Change Healthcare in late February that has continued to reverberate throughout the medical world was like nothing he’d ever seen before.
Dr. Feterik
It was “by far, the largest cyberattack that has affected our health system,” said Dr. Feterik, whose titles include associate program director for the University of Pittsburgh Medical Center’s Clinical Informatics Fellowship Training Program. “Even though we have multiple electronic health records in UPMC’s 40 hospitals and 800 ambulatory centers, we do have a myriad of bolt-on applications. And as you can imagine, any compromise in the technology stack can lead to a lot of immediate and delayed effects on the patient side.”
Of course, and unfortunately, cyberattacks are nothing new. But the February incident has shone a direct spotlight on the increasing frequency, sophistication, and danger of the phenomenon in a healthcare landscape increasingly dominated by electronic health records (EHRs) and other digital infrastructure.
The Hospitalist spoke to three experts to survey how practitioners and others can best prepare for the future, despite fear and forecasts for more attacks. What lessons have been learned? What can you do in the event an attack cripples your facility? And how can the specialty best prepare for that eventuality?
Dr. Patel
Perhaps the main answer to all those questions starts with diligence on personal and institutional levels.
“We really need to make sure all these digital tools we’re using are actually making patient care better,” said Mihir Patel, MD, MPH, FACP, CLHM, SFHM, chair of SHM’s Health Information Technology Special Interest Group. “But let’s say everything goes down because of a cyberattack. In that case, it’s all about what you can do with your core clinical skills. Whether it’s talking to patients, figuring out what’s wrong without EHR, or even just writing things down the old-fashioned way, doctors need to be ready to rely on their training, not just on tech. Over-reliance on technology is a vulnerability.”
What’s the big deal?
The largest worry for physicians, when a cyberattack paralyzes EHRs, medical reconciliation systems, and other processes, is that patient safety could be compromised. That could be because health records are unavailable, prescriptions sent to a pharmacy never arrive, discharge instructions get interrupted, or critical information delivered via health information exchanges freezes along the way.
Dr. Chadha
When such systems go offline during digital disruptions, hospitalists, and their staffers, typically pivot to hand-written notes, the last vestige of the pre-digital revolution. Such analog processes may seem quaint most of the time, but they provide a vital tool for continuing to deliver care, says Romil Chadha, MD, MBA, MPH, FACP, SFHM, chief medical informatics officer for UK HealthCare at the University of Kentucky in Lexington, Ky.
“I have a theory that is: If a new request comes to us, for everything that happens, people try to find IT solutions,” he said. “Which is good. It keeps us in business. But at the same time, my ground rule is if you cannot do it on paper, you cannot do it electronically.
“You have to have the proof of concept, the prototype, on paper or in your mind before you can convert an analog thing into digital workflow. Because if you are catching errors in that analog workflow, then you will not be able to build a robust, digital platform.”
Dr. Patel, the medical director of virtual medicine at Ballad Health in eastern Tennessee, as well as chair of the health system’s inpatient clinical informatics council, recalls that during his time as a telehospitalist at a CommonSpirit Health hospital, a ransomware attack significantly disrupted his EHR for several days.
“This prevented any remote access to the EHR for chart reviews or placing orders, crucial to a telehospitalist’s workflow,” he said. “We had to revert to a more traditional method of operation, relying on on-site nurses to communicate lab results and receive orders verbally over the phone, completely bypassing the EHR.
“This severely impacted patient care due to communication breakdowns, delays in diagnosis and treatment, increased administrative workload, risk of errors in medication and prescriptions, potential erosion of patient trust and hospital reputation, and a substantial financial burden on the healthcare system.”
Dr. Patel says that for hospitalists earlier in their career, working with pen-and-paper can be bewildering, as they’ve grown up, been educated, and worked only in a digital world.
“For someone who’s never had to work without an EHR system during their residency or medical training, facing a situation where it’s not available is a tough wake-up call,” he said. “For people like me, who did part of their residency when EHRs weren’t everywhere, it might be a bit easier to dust off some of those old skills.”
Dr. Patel says one potential way to train physicians on analog backups is to use scheduled breaks, as opposed to waiting for disruptions caused by cyberattacks or other emergent problems. Think of it like fire drills in grade school.
“As a national healthcare community, we aim to minimize disruptions,” he said. “Therefore, we arrange for system downtimes during less busy hours. However, it might be advantageous to conduct these drills during regular activity periods instead. This ensures everyone gains practical experience. It’s akin to performing tornado or fire drills. Organizing these drills when the facility is nearly empty might keep operations smooth, but it doesn’t teach anyone how to act during an actual emergency, does it?”
Dr. Feterik suggests institutions could even have “a downtime manual that should be the essential cybersecurity attack-mitigation procedure. But then do we need a federal or state policy or guideline for downtime procedures at a state or federal level? What do we do as a nation? How do we handle a simultaneous downtime for several health systems?”
What can I do?
The scale of cyberattacks that affect hospitals nationwide can feel too broad to combat from one computer. But that’s not true, as information technology (IT) professionals and others constantly preach.
Take something as seemingly simple as passwords, for computers, websites, or phone applications.
“Access should be limited strictly to those who truly need it,” said Dr. Patel.
Also, healthcare practitioners should not assume that their IT staff has already weeded out unsafe missives, so they need to be diligent there as well, the same as any worker with access to a corporate email system.
“Merely by clicking on a link in an email, you could inadvertently open a gateway for unauthorized access to your system,” Dr. Patel said. “It’s crucial to recognize phishing emails and report them immediately to your cybersecurity team or department. Given the volume of phishing attempts we receive daily in a health system—with perhaps 10,000 to 15,000 employees—consider how long it might take for your cybersecurity team to respond once the threat is identified. Time is of the essence, not just in terms of financial cost, but more importantly, regarding patient care and safety.”
A financial incentive
Another major danger highlighted by the Change Healthcare incident was the impact on billing. Given the fiscal nature of healthcare where services rendered are paid for at a later—sometimes much later—date, anything that paralyzes payment procedures is a problem.
To wit, The Washington Post last in March reported that the Centers for Medicare & Medicaid Services “would offer emergency funding to physicians, physical therapists, and other professionals that provide outpatient healthcare, following a cyberattack that crippled the nation’s largest processor of medical claims and left many organizations in financial distress.”
“On the Medicare side, it’s a good act,” Dr. Feterik said. “However, I have not seen if perhaps this will be followed immediately by other private health insurers. Because I imagine from their perspective, from a business perspective, this can be a liability, as well, to fly blind and say, ‘I’ll trust the fact that you still have the benefits,’ especially if the effect of the attack is lasting for weeks.”
AI: friend or foe?
Dr. Feterik says cyberattacks are even more concerning these days because of the growing prowess and functionality of artificial intelligence (AI) and large language models like ChatGPT.
“Someone just recently demonstrated that they could do audio jacking,” he said. “Just like the way you and I are speaking right now, there can be a so-called ‘man in the middle attack’ where you can essentially take what you say, run it through a large language model, and what I hear on my end is your voice, but not your words, it’s a text-to-speech generator that is actually altering what you are saying. Unfortunately, I’m a little pessimistic, and I think cyberattacks may get worse in the future.”
Dr. Patel says artificial intelligence cuts both ways. While threats are increased, so is the capacity for privacy or security.
“With predictive analytics, we can foresee cybersecurity threats by analyzing patterns in internet traffic before they even occur,” he said. “This is one of the positive aspects of AI. It enables the automation of monitoring and responses, offering round-the-clock surveillance of healthcare networks and swiftly addressing potential security breaches.”
Dr. Patel adds that using AI to buttress the efforts of IT staff means that the technology can also shut down.
“Used proactively by healthcare systems, it can be a powerful defense,” he said. “We must stay ahead of those who seek to use AI for malicious purposes.”
Richard Quinn is a freelance writer in New Jersey.