We live in interesting times, to be sure, and by interesting, I mean strange. Recently, hackers took Colonial Pipeline’s information technology hostage. The hackers demanded a ransom in exchange for the code needed to restore services and return control of the pipeline to the company. The interruption in operations caused much of the Eastern United States to experience a brief shortage of gasoline. Services were restored after the company paid the ransom.
Taking hostages for ransom is as old as time itself. Julius Caesar was taken hostage by pirates. During his captivity, he arranged to have his kidnappers’ demands not only met but exceeded because he felt he merited a greater amount than they requested. Once freed, Caesar raised a navy, hunted the kidnappers down, and had them crucified. These two examples—Colonial Pipeline and Julius Caesar—give us everything we need to know about extortion and how to deal with it. And yet, healthcare is different.
The healthcare sector is a prime target for ransomware attacks, for three reasons. First, information technology is critical to operations that are critical to saving human lives. Therefore, any prolonged downtime for an electronic health record system can create real-life hostages whose lives are put on the clock. Second, health information technology is particularly vulnerable to phishing attacks because of the significant number of e-mail users who do not fully appreciate cybersecurity concerns. With more users of information technology come greater risks of an attack. Lastly, the incentives to pay ransoms and keep those payments secret are not trivial. In addition to the embarrassment they bring, such breaches could compromise confidential information and be construed as HIPAA (Health Insurance Portability and Accountability Act) violations.
The standard ransomware attack disables systems until the ransom is paid. More problematic attacks take information from systems and threaten individuals in two ways. The first is to steal identities and expand the attack to another front. Medical records and bills contain all of the information people need to steal an identity. The second threat is to extort both organizations and individuals by making private and personal records public. Such was the case in 2014 when Sony Pictures suffered an e-mail system hack. As one can imagine, individuals’ health information can be both valuable and embarrassing. Las Vegas bookmakers would bet the house if they alone knew the health status of star athletes. Hollywood gossips would pay to know and publish who has “had work done.” The upshot is that healthcare organizations can expect more, not fewer, attacks despite the Colonial Pipeline extorters’ promise not to attack healthcare, education, and other socially virtuous endeavors. After all, even if they don’t do it, someone else will.
The first and best defense against extortion is to not be taken captive in the first place. That is easy to say but hard to do. Most high-value attacks come through human failings. In particular, phishing attacks target individuals’ propensities to click on external links that give hackers access to their systems. The next best defense is to accept the inevitable and build a system that can be relaunched with a minimal loss of data, but some ransomware anticipates that response. The last option is to pay the ransom.
The long history of ransoms proves that the more often they are paid, the more often they will happen. Law enforcement and economists both advise against paying for things we do not want to promote. So, what is to be done?
Accepting the reality that ransoms will be paid, healthcare organizations ought to share information about their experiences in a transparent, systematic way. A program needs to be created, like that used by the airline industry, to establish a recrimination-free means of sharing information about information technology incidents. Unfortunately, healthcare has tried such programs before in the reporting of medical errors, and the results have been lackluster. Cross-organization collaboration is not something that healthcare always does well. Nevertheless, it is an idea that ought to be explored. Many readers of this publication are in a position to take the lead. For all our sakes, please do.
This issue of the Journal of Healthcare Management opens with an interview. Mary Ellen Pratt, FACHE, CEO of St. James Parish Hospital in Lutcher, Louisiana, was gracious enough to share some time and tell her story. She has taken what is, in many respects, an ideal career path that has led her to national recognition in rural healthcare leadership. She describes her various strategic career decisions and illustrates the importance of having a clear vision of one’s own future and values.
The yearlong Essential Innovation series continues with a timely discussion of high-reliability organizations (HROs) provided by Donald M. Bradshaw, MD, FACHE, FAAFP, and Stephanie Keyser of Booz Allen Hamilton. Given the ongoing battle with cybercrime, the first pillar of an HRO—focusing on risk—is apt advice.
The Great Comebacks series continues with a column by Beth A. Lown, MD, FACH, chief medical officer of The Schwartz Center for Compassionate Healthcare in Boston, Massachusetts. She explains how the center’s Stress First Aid program has helped healthcare organizations support their workforce through the COVID-19 pandemic. Her piece nicely complements the research article by Katherine A. Meese, PhD, and colleagues that also appears in this issue.
One of our annual endeavors is to present student works that are recognized during the American College of Healthcare Executives (ACHE) Congress on Healthcare Leadership. The first-place winner in the graduate division of the 2021 ACHE Richard J. Stull Essay Competition in Healthcare Management is Emily E. Johnson of the University of Minnesota’s School of Public Health. Her essay looks at strategies to reduce health disparities. Helen Callie Ball of Texas State University’s College of Health Professions is the undergraduate division winner. She tackles a topic that continues to grow in importance: new ways that computer technology can improve care. She looks at artificial intelligence, machine learning, and natural language processing. It is a nice primer on all the applications.
The first research article comes from Jessica Perez, DBA, of the University of Maryland. Her exploration of where healthcare leaders’ experiences should be drawn from and how they are realized is timeless. We continue to see clinical professionals moving into administrative roles and searching for a leadership style that will help them succeed. In particular, the idea of authentic leadership continues to draw attention.
As mentioned earlier, Meese and colleagues from the University of Alabama at Birmingham (UAB) and UAB Medicine—Alejandra Colón-López; Jasvinder A. Singh, MD; Greer A. Burkholder, MD; and David A. Rogers, MD—quantify the many factors that can exacerbate or mitigate stress among healthcare professionals. Their findings, presented here, are both alarming and thought-provoking.
Hopefully, this summer, you are finding a way to beat both the heat and stresses of everyday life in healthcare. Moreover, we hope you are keeping your health information systems safe and sound.