Technology’s crossover into most aspects of healthcare brings new possibilities in prevention, treatment and continuous care. But sometimes, too, it raises unique issues that need to be addressed by regulatory or legislative oversight.
Recent headlines from opposite ends of the U.S. highlight new laws at the state level — but with implications that could soon apply more broadly.
The rise of ransomware
Ransomware attacks, in which hackers disable computer systems and demand payment before allowing victims to regain access, would be prosecuted as cyber-extortion under a bill advancing in California’s legislature.
The bill heads to the state Senate’s appropriations committee with strong support. It follows a high-profile case that ended in February with Hollywood Presbyterian Medical Center paying a $17,000 ransom in bitcoin to a hacker who had shut down the 434-bed hospital’s systems.
“The malware locks systems by encrypting files and demanding ransom to obtain the encryption key,” Hollywood Presbyterian CEO Allen Stefanek told the Los Angeles Times. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
The office of California State Senator Bob Hertzberg cited FBI statistics stating that hackers collected more than $209 million in ransomware payments in the Untied States during the first quarter of 2016.
Shortly after the Hollywood incident, computers at the Los Angeles County Department of Health Services were infected with a data-blocking program, the Times reported. In that instance, the agency refused to pay ransom and isolated infected devices on its own.
In a separate case in late March, MedStar Health, which operates 10 hospitals in the Washington, D.C. area, acknowledged on Facebook that a virus prevented certain users from accessing email and electronic patient records. MedStar opted to take down all system interfaces to prevent the virus from spreading and reported there was no evidence that information had been compromised. However, the health system had to utilize paper transactions where necessary.
Another malware attack last month at Methodist Hospital in Henderson, Kentucky, locked users out of electronic web-based services. A spokesperson said no patient data was impacted, but IT had to shut down all of the hospital’s desktop computers and scan each for infection before restoring operations. As in the MedStar case, the facility chose not to pay ransom but incurred time costs in resorting to paper-based back-up systems.
New York makes e-prescribing mandatory
Electronic prescribing for controlled and non-controlled substances became mandatory under New York state law on March 27. The e-prescribing edict, part of the state’s Internet System for Tracking Over Prescribing law, carries possible civil/criminal penalties or fines for non-compliance. The measure is intended to reduce prescription theft and forgery, as well as “doctor shopping” by patients.
Of particular note for electronic prescribing of controlled substance (EPCS), the law requires additional security features and registration of certified software with the Bureau of Narcotic Enforcement (BNE).
A year ago, the New York Department of Health sent a letter to prescribers cautioning that “implementation timelines for EPCS software vary and may be lengthy.” The agency strongly recommended immediate action in obtaining and registering certified EPCS software, which in many cases may be part of a commercial EHR system.
According to health information network Surescripts, more than two-thirds of active e-prescribers in New York are EPCS-enabled after a large surge earlier this year.
But even though providers may apply for a waiver from the EPCS requirements under specified circumstances (including technology limitations), physicians and organizations using systems from small EHR vendors may still be out of compliance. Achieving certification is “a bit of a heavy lift on the EHR side,” Surecripts Senior Vice President Ken Whittemore told Health Data Management.
Additionally, BNE approval requires completion of EHR updates, identity-proofing of prescribers, two-factor authentication for prescription signing, and establishment of secure access controls, noted Whittemore.
Keeping the focus on care
The delivery of healthcare shouldn’t be derailed by security threats from outside agents. Nor should it be burdened with technology implications stemming from otherwise well-meaning requirements.
At NetDirector, we stay current with issues that could affect compliance in these areas, so that providers can focus on delivering superior care. Our solutions implement high-level integrations that insulate organizations from cyber-hazards and enable core systems to function as intended — and, in some cases, as required by law or regulation.