Electronic Health Records Give Way to Disasters and Dangerous Intrusions
What if your doctor had no clue what he last ordered for you and no ability to order anything else? This is what can happen when an electronic health record (EHR) system crashes.
In 2006, the EHR system at a major hospital crashed. One senior internist, reports the Washington Post, “walked in to find no records on any patients.” He said, “It was like being on the moon without oxygen.” While doctors struggled to keep patients alive, employees from the EHR vendor “ran around with no idea how to work their own equipment.” The internist emphasized, “I didn’t go through all my training to have my ability to take care of patients destroyed by devices that are an impediment to medical care.”
Yet, despite this danger to patients, in 2009 Congress mandated that all doctors and hospitals buy and use EHR systems by January 1, 2014, or face significant financial penalties. Thus, more than 80 percent of physician offices and 99 percent of hospitals use EHRs today.
As doctors and hospitals raced to meet the deadline, shutdowns escalated. In 2011, the EHR system of the University of Pennsylvania Medical Center was shut down for more than 14 hours. The outage affected nearly all its hospitals in the region. Dr. Scot Silverstein told the Pittsburgh Post-Gazette, “What occurred here was a disruptive, potentially dangerous major malfunction of a life-critical enterprise medical device.”
Cerner, an EHR provider, has systems in 3,750 practices and 2,650 hospitals. But in July 2012, its nationwide EHR system was down for several hours. It appears a single keystroke error took down mission- and patient-critical systems.
In August 2013, the nearly $1 billion EHR system built by Epic at Sutter Health in California collapsed for an entire day. Doctors and nurses were left with no patient information, including doctors’ orders, medications, allergies, and vital statistics.
A hardware glitch in December 2015 shut down the EHR of Hospital Corporation of America in Florida with 50 hospitals and 37 surgical centers. And after Maryland-based MedStar Health System was hacked in 2016, it shut down the EHR system operating at 10 hospitals and 250 outpatient facilities. Hospital staff reverted to paper charts and records.
In early 2018, a SamSam ransomware attack affected the Allscripts EHR, impacting care for 7.2 million patients, reports HHS. In July 2018, Cass Regional Medical Center in Missouri also experienced a ransomware attack. For seven days, the EHR system was shut down and ambulances with trauma and stroke patients were diverted to other hospitals.
Dean Sittig, a biomedical informatics professor at the University of Texas Health Science Center, authored a 2014 report on how often EHRs shut down. Seventy percent of the 50 large, integrated systems he surveyed “had at least one unplanned downtime greater than eight hours in the last three years.” Three of those institutions reported one or more patients injured as a result.
Sittig says, “It’s getting to be so that the computer is driving a lot of what we do in healthcare, and if the computer isn’t working, that can open all kinds of potential for patient harm. And one of the things that can happen is the computer doesn’t work at all. No screen. No data. Nothing.”
The hacking of health-data systems has also increased sharply. An online list of reportable breaches is kept by the federal HHS Office for Civil Rights. For example, in 2015 more than 100 million records were breached. IBM called it “the year of the healthcare security breach.” These breaches included Anthem, the nation’s second-biggest health insurer, as well as Premera Blue Cross.
One expert states, “Such targets are particularly vulnerable because they cannot afford to be paralyzed for a long time (either because their data has been encrypted or because they shut down the system to avoid spreading the infection) and prefer to pay the ransom.”
The federal government fares no better. In July 2015, Americans learned that information on 21.5 million federal workers, including 1.1 million fingerprints (a figure later expanded to 5.6 million fingerprints), was accessed. Hackers took sensitive information collected during background checks, such as drug use, criminal convictions, mental-health issues, gambling problems, drinking problems, bankruptcies, and the names and addresses of foreign relatives.
Across industries, the average cost of a data breach is $4 million. The average global cost per record is highest in health care, at $355 per stolen or lost record. Additionally, the fines imposed by HIPAA on organizations that suffer data security breaches only add to the cost of recovery and do little to compensate the individuals whose privacy may have been lost forever.
These many examples are evidence that the electronic health record mandated by Congress has allowed hospitals to be hijacked -- and is putting every patient and their privacy at risk.
Twila Brase, RN, PHN, has been called one of the “100 Most Powerful People in Health Care.” She is president and co-founder of Citizens’ Council for Health Freedom and author of the new book, “Big Brother in the Exam Room: The Dangerous Truth About Electronic Health Records.”