A fast-paced, fictional exploration of cybersecurity and nationwide interoperability
A new healthcare IT-focused thriller written by a longtime leader in the healthcare system centers on a hack into a national electronic health records system. The novel, Coded to Kill (Post Hill Press), focuses on two themes that can sometimes conflict: preserving patient privacy while pursuing nationwide interoperability.
The characters of the fictional company developing the for-profit national EHR are “prone to thinking it’s better than it is,” explains author Dr. Marschall Runge, who serves as the University of Michigan’s executive vice president for medical affairs, dean of the Medical School and CEO of the Michigan Medicine health system.
From digitized data to… murder
In Coded to Kill, a technically feasible plot focuses on a cyber exploit that compromises patient privacy – with deadly consequences – at the fictional North Carolina-based “Drexel Hospital.”
With the hospital’s cutting-edge EHR about to “become the national standard,” nefarious characters launch a plan to compromise its data to assassinate a politician. Meanwhile, other suspicious patient deaths continue to occur.
Runge told Healthcare IT News that he got the ideas for the book from real insider data breaches committed more than a decade ago by some employees working at the University of North Carolina.
“We had all kinds of problems with people,” he said. “Faculty and staff inappropriately accessing medical records.”
Runge said he was tasked with talking to faculty — and discovered that nearly 90 people had improperly accessed certain data.
“And it really brought home to me that this is a big problem,” he said.
At Michigan Medicine, artificial intelligence is used to screen every medical record for improper access, Runge said.
But the problem of inappropriate system access is still a challenge at many other providers across the country, and privacy violations in healthcare persist.
“There are a lot of cases now of inappropriate hacking of medical records,” he said, noting, for example, that Change Healthcare’s breach could put up to 60% of U.S. citizens with health insurance at risk.
“There is great promise, and I think great danger, in electronic health records,” Runge said.
“The ability to look at medical records to look for patterns and trends, and especially the use of AI to broadly help us detect pandemics early,” are two examples of a positive benefit, he said.
And finding people with a rarer disease could speed up improved therapies, he added.
But having digital health records “comes at a price.” With the U.S. healthcare industry a prime target for cyberattacks, the topic of data security is “even more applicable today than when I started writing the novel” about fifteen years ago, he said.
By creating medical record systems that become massive attack surfaces, there is a chance that criminals or other malicious cyber actors could discover information that could be fatal to a patient, he said.
In Coded to Kill, for example, drug lists are corrupted because the goal of “underground hackers” is to physically harm their targets. Although medical records are often well protected against cyber intrusions, Runge notes, it is technically possible for a hacker to alter information.
Early in Chapter 17, characters devise a plan to test the killing power of Drexel’s EHR by erasing a patient’s genetic weakness from the system.
As another plot element, Runge chose pharmacy robots, which pharmacies have put into use over the past five years.
“They’re more accurate than humans, but because the pharmacy robots are ultimately connected to the electronic health record, someone could go in there and say, ‘Marschall is in the hospital. We know he’s allergic to penicillin. Let’s give him a big shot of penicillin … and you know, he’ll die,’” he said.
In the book, the hackers also use AI to scan medical records and find medical vulnerabilities, including in patients’ genomic data.
Roots in a mixed reality
Runge, a cardiologist, started writing his thriller – which combines murder, mystery and politics – a decade and a half ago, when many hospitals still used paper records.
Since then, the use of EHRs has become almost ubiquitous – and the idea of creating and securing a national system of real-time medical records is not as far-fetched as it once seemed.
In the book, all U.S. patient records are housed in a nationwide cloud-based EHR that uses AI to identify emerging diseases and improve care delivery.
Such an EHR could be very useful in getting ahead of a pandemic, improving decision-making for doctors across the country and potentially improving patients’ access to their complete medical records, Runge said.
When he started writing, “there wasn’t much of an idea that you could link traits to people and their diseases to their genetics and genomics,” Runge said. “That was a pipe dream when I started. Now it’s a reality.”
Runge separately asserted in our conversation that, had a national electronic health record existed, the healthcare industry would have anticipated months earlier that the COVID-19 pandemic would hit the United States.
He’s not the only person who thinks this way. The fragmentation of healthcare data has “created enormous problems,” as Larry Ellison, Oracle’s co-founder and chief technology officer, noted two years ago, shortly after his company acquired EHR giant Cerner.
During the early days of the pandemic, emergency physicians were unable to pull critical information from disparate EHR systems and public health officials had little visibility into how health care resources were being used, he noted.
“We’re going to solve this problem by putting a unified national medical records database on top of all these thousands of separate hospital databases,” Ellison promised.
Whether and when that happens remains to be seen. But for any large unified health records network or database — national or otherwise — robust cybersecurity controls must be a fundamental part of the equation, Runge said.
In reality, as well as in fiction, cybersecurity should be as much of a concern as interoperability.
“There is nothing that is not technically possible,” says Runge, “and that is why we must continue to do everything we can to build our cybersecurity around the systems.”
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.