Electronic health records could be a deadly target during a cyberwar

Adversaries could hack into systems to change patient data as a way to create fear in the U.S. population during wartime, a technology manager tells an Health and Human Services panel.

Most health officials worry about hackers stealing sensitive information such as an AIDS diagnosis from someone's electronic medical record, but a technology manager for a health care system in the Pacific Northwest said it's just as likely the digital files could be a target of terrorists or a nation state during war.

Countries have invested millions of dollars in computer systems to conduct a cyberwar against the United States "and the best way to do that is to destabilize the population," said Chad Skidmore, director of network services for Inland Northwest Health Services, a network of 34 hospitals in Spokane, Wash. To do that, hackers could infiltrate health systems to change patient records so misinformation will lead to deadly consequences.

Skidmore, speaking on Friday before a health IT standards committee organized by the Health and Human Services Department, said what "keeps me up night and fairly scared" is that an attacker could get into a system and, for example, change data fields that indicate patients who have an allergy to penicillin do not have an allergic reaction to the antibiotic. About 400 patients in the United States die each year from penicillin allergies, according to the Web site Wrong Diagnosis.

Skidmore said an adversary could manipulate other patient information such as blood types. Compounding his fears are findings that show health care organizations are more vulnerable to cyberattacks than other groups because the health care industry invests less in information security than other sectors of the economy, he said.

About 60 percent of hospitals and health care systems spend 3 percent or less of their IT budget on information security, according to a survey conducted in August and September by the Healthcare Information and Management Systems Society. The financial sector by comparison averages spending 10 percent of an IT budget on security.

Less than half the health organizations surveyed had a chief information security officer or a chief security officer on staff and less than half encrypted stored data, according to the survey, which Lisa Gallagher, senior director of privacy and security for the society, presented to the committee. Only two-thirds of the organizations encrypted data before electronically sending it to other parties. The group surveyed 196 hospitals and health care systems.

The survey also revealed that half of health organizations did not have a formal plan in place for responding to a data breach and nearly a third had at least one known case of medical identity theft.

Ryan Smith, assistant vice president of eBusiness, part of Intermountain Health Care in Salt Lake City, which operates 23 hospitals in Utah, told the panel that health care organizations that use cloud computing to store patient records remotely will make it increasingly difficult for hospitals to monitor and track who accesses patient records. Cloud computing also makes it difficult to fix records when the service goes offline, he said. "Who do you call when the cloud is down?" Smith asked.

Stephen Warren, deputy chief information officer for the Veterans Affairs Department, told the hearing that networked biomedical devices such as blood monitors, X-ray machines and CT scanners pose security challenges as well. He said VA recently issued a new policy that requires health care institutions to operate medical devices that run on virtual local area networks separate from other department computer systems.

Of VA's 7,300 employees on its IT staff, 450, or 6 percent, are information security officers.