Safety held for ransom
As ob/gyns, we are incredibly dependent upon connected devices. For example, most labor and delivery units use networked electronic fetal monitoring, which allows for centralized monitoring of patients. If a cyber terrorist were to propagate a loop of tracings instead of allowing a live feed of tracings, it is quite possible that the observers would be unaware of such an attack, and the lives of mothers and babies could be at stake. With respect to the aforementioned infusion pumps, it is possible that Pitocin could be delivered at dangerous levels, again putting mothers and babies at risk. The potential for harm is incredible, and we need to be cyber vigilant.
In early 2016, Hollywood Presbyterian Medical Center in Los Angeles, California, was the subject of a targeted attack in which hackers shut down the internal computer system for a ransom of 9,000 bitcoin, or almost $3.7 million.[3] The hospital reported that patient care was not compromised, despite the need to abandon its electronic medical record, revert to paper documentation, and divert ambulances to other hospitals. Ultimately, the hackers accepted a ransom payment of 40 bitcoin, approximately $17,000, and the hospital regained control of its internal network.[4]
However, the nightmare didn’t end with the public shame of admitting that they were attacked and paid a $17,000 ransom. Because the attack likely led to unauthorized “acquisitions” of personal health information (PHI), which is protected by the Health Insurance Portability and Accountability Act (HIPAA), the hospital may be responsible not only for notifying all of the potentially affected patients, but also for paying a significant fine unless the hospital can prove with high probability that the PHI was not compromised. What started with a multimillion-dollar demand that was whittled down to a few thousand dollars could potentially still cost millions of dollars in penalties in the end.