Cybersecurity attacks are becoming more common in the healthcare industry, and new attacks could manipulate patient and device data in a way that would have immediate, potentially life threatening results, according to a new study.
The study, published this month in the New England Journal of Medicine, acknowledges the damage of previous attacks like the WannaCry ransomware attack, but calls to attention the potential damage that could be done in future attacks where disruption and stolen patient data aren’t the central target.
The study implied that while attacks which result in breaches of protected health information were dangerous, it said that manipulation of patient data could be “even more damaging.”
“An attacker with access to a laboratory system could modify data — changing potassium values, for example. Unsuspecting health care providers could react to the falsified potassium values, providing treatment that could harm the patient. Radiology protocols, diagnostic reports, genetic data, progress notes, and electronic prescriptions — the list of possible targets goes on. Protecting our information systems and our health data is critical to ensuring the safe delivery of health care,” study authors wrote.
Nearly 90% of health care organizations surveyed were found to have suffered from a data breach over the past 2 years, according to the study, while 64% reported a successful attack targeting medical files in 2016, up 9% from the previous year.
While there were multiple causative factors for the increase, the study said that some of those factors included low organizational vigilance, inadequate staffing and funding for IT security, insufficient tech investments and the value of healthcare data.
Study authors warned that protecting against such threats is complex, and “there is no silver bullet,” but said that there were steps to be taken to reduce risk. Those steps included using modern, best-practice security practices including data encryption and software protection, practical and intelligent use of tech and education of healthcare employees.
“Unfortunately, no system can guarantee complete security. As long as there is value in information, there will be attacks against the systems that secure it — information systems are fundamentally vulnerable. Nevertheless, if we acknowledge the public health implications of information security, we can improve dialogue, implement necessary protections, and minimize the impact on patient care,” study authors wrote.