As electronic options to provide and access patient
health information increase, so too can opportunities for hackers to steal that information or hold it
hostage if medical professionals do not maintain and
upgrade their cybersecurity.
“Imagine having your electronic health record,
computer and internet unavailable to you,” said
Marvin B. Harper, M.D., FAAP, chief medical information
officer at Boston Children’s Hospital and
a member of the AAP Council on Clinical Information
Technology. “Many clinicians would find it very
difficult to optimally care for their patients in such
a scenario. Now imagine that there is a ransom you
must pay to regain control of your systems.”
Such a scenario played out in May, when thousands
of health care systems in over 150 countries
were victims of the WannaCry ransomware attack.
Those affected received a message on their computers
saying their documents, photos, videos and databases
had been encrypted, and they needed to pay a
ransom in bitcoin to recover the files. A cybersecurity
researcher discovered how to disable the virus,
slowing the spread of the ransomware.
Another global ransomware attack known as Petya
spread through large companies in June.
Cyberattacks in the health care industry can impact individual patients by disrupting continuity of
care and compromising their personal data such as
names, social security numbers and home addresses. Public health can be affected as well if entire
systems are shut down and data are held for ransom.
The health care industry may be more vulnerable
to cyberattacks than other industries because of the
wide variety of data within health care organizations.
In addition, large numbers of legitimate users can
lead to more opportunities for errors, leaving systems
vulnerable to hacking. Small pediatric practices may
be especially vulnerable to cyber threats if they have
limited financial resources to keep up with recommended security upgrades.
“We live with the reality that it is not a question
of whether our systems will be attacked or hacked
but when and how bad it will be,” Dr. Harper said.
Federal rules require physicians to report data
breaches to the Department of Health and Human
Services (DHHS) Office of Civil Rights (OCR)
report.jsf. Experts in cybersecurity and data breaches
have suggested that up to half a million children’s
medical records are for sale illegally. However, OCR
reporting records for pediatric patients are below
that number, suggesting that many health care providers may be unaware that their patient data have
Stolen medical records can be used for a variety of
criminal activities, including medical identity theft,
financial identity theft and tax fraud. Children can
be especially vulnerable. It may take years or even
decades for them to be made aware that their personal information has been compromised, especially
if their health care provider is unaware of a breach.
A Health Insurance Portability and Accountability
Act-compliant security risk analysis may help identify a data breach (see https://www.healthit.gov/
The U.S. government identifies cybersecurity as
a shared responsibility of all sectors that collect,
maintain and/or create data and information within
computer systems. The Cybersecurity Information
Sharing Act of 2015 mandated the DHHS to establish a Health Care Industry Cybersecurity Task
Force to address the growing threats to cybersecurity
in the health care industry.
On June 2, the task force issued Report on Improving Cybersecurity in the Health Care Industry,
which included more than 100 recommendations
Cyber TF/Documents/report2017.pdf ). The recommendations are organized within six imperatives for
public and private sector collaboration to address
1. Define and streamline leadership, governance
and expectations for health care industry cybersecurity.
2. Increase security and resilience of medical devices and health information technology.
3. Develop the health care workforce capacity
necessary to prioritize and ensure cybersecurity
awareness and technical capabilities.
4. Increase health care industry readiness through
improved cybersecurity awareness and education.
5. Identify mechanisms to protect research and
development efforts and intellectual property
from attacks or exposure.
6. Improve information-sharing of industry
threats, risks and mitigations.
The Office of the National Coordinator for Health
Information Technology (ONC) offers 10 tips for
cybersecurity in health care:
1. Establish a security culture.
2. Protect mobile devices.
3. Maintain good computer habits.
4. Use a firewall.
5. Install and maintain anti-virus software.
6. Plan for the unexpected.
7. Control access to protected health information.
8. Use strong passwords and change them
9. Limit network access.
10. Control physical access.
The use of stimulants and performance-enhancing substances among adolescents has increased rapidly over the past decade. More than
10% of adolescents have misused prescription
stimulants for cognitive enhancement, and
about 6% of high school students have used
illegal steroids for appearance or strength enhancement, studies show.
These rising concerns led to the creation of
Artificial Perfection: Talking to Teens about Performance Enhancement. The online role play
simulator was developed by the Academy and
Kognito to educate physicians on how to have
conversations with teens about substance abuse.
Users engage with three virtual teens who use
or misuse supplements, stimulants and steroids.
Physicians must identify potential risk factors
for use of performance-enhancing substances
and provide guidance on the topic, thus motivating teens to quit.
The simulation takes about 35 minutes to
complete, and users can receive continuing
medical education credit.
Artificial Perfection: Talking to Teens about
Performance Enhancement is available to AAP
members for free on desktop and can be accessed at https://aap.kognito.com.
Learn to talk with teens
from the AAP Division of Quality
Privacy and security resources from the ONC, including
mobile device security, model notices of privacy practices
and training games, are available at http://bit.ly/2twPW8V.