A fast-paced, fictional exploration of cybersecurity and nationwide interoperability
A new healthcare IT-focused thriller, written by a longtime health system leader, involves a hack into a national electronic health record system. The novel, Coded to Kill (Post Hill Press), is focused around two themes that can sometimes be at odds: maintaining patient privacy while driving toward nationwide interoperability.
The characters at the fictional company developing the for-profit nationwide EHR are “susceptible to thinking it’s better than it is,” explained author, Dr. Marschall Runge, who serves as executive vice president for medical affairs for the University of Michigan, dean of the Medical School and CEO of the Michigan Medicine health system.
From digitized data to … murder
In Coded to Kill, a technically feasible plot focuses on a cyber exploit that compromises patient privacy – to deadly results – at the fictional, North Carolina-based “Drexel Hospital.”
With the hospital’s cutting-edge EHR about to “become the national standard,” nefarious characters launch a plan to compromise its data in order to murder a politician. Meanwhile, other suspicious patient deaths keep occurring.
Runge told Healthcare IT News that he got the ideas for the book from real-life insider data breaches perpetrated by some employees working at the University of North Carolina more than a decade ago.
“We were having all kinds of problems with people,” he said. “Faculty and staff inappropriately accessing medical records.”
Runge said he had the task of speaking with faculty – and found that close to 90 people had inappropriately logged into certain records.
“And so it really brought to my attention, this is a big problem,” he said.
At Michigan Medicine, artificial intelligence is used to screen every medical record for improper access, Runge said.
But the problem of inappropriate system access is still a challenge at many other providers nationwide, and privacy breaches continue across healthcare.
“There are many, many instances now of inappropriate hacking into medical records,” he said, noting, for instance, that the breach of Change Healthcare may have compromised up to 60% of U.S. citizens with medical insurance.
“There’s a great promise, and I think a great peril, in electronic medical records,” said Runge.
“The ability to look at medical records to look for patterns and trends, and particularly using AI to broadly help us in early detection of pandemics,” are two examples of a positive benefit, he said.
And finding people who have a rarer disease could accelerate improved therapies, he added.
But having digital medical records “comes at a price,” With the U.S. healthcare sector now a prime target for cyberattacks, the topic of data security “is even more appropriate today than it was when I started to write the novel,” about 15 years ago, he said.
Creating medical records systems that become vast attack surfaces allows for the chance that criminals or other cyber bad actors could uncover information that could be lethal to a patient, he said.
In the Coded to Kill, for example, drug lists are corrupted, because the goal of “subterranean hackers” is to physically harm their targets. While medical records are often well protected from cyber intrusions, Runge noted, it is technically possible for a hacker to change information.
At the beginning of Chapter 17, characters cook up a scheme to test the killing capacity of Drexel’s EHR by erasing a patient’s genetic weakness from the system.
Another example Runge chose was around pharmacies using pharmacy robots, which have come into use in the last five years, as a plot element.
“They’re more accurate than people, but because the pharmacy robots are ultimately connected to the electronic medical record, somebody could get in there and say, ‘Marschall is in the hospital. We know he’s allergic to penicillin. Let’s give him a big slug of penicillin … and you know, he’ll die.'”
In the book, the hackers also use AI to scan medical records and find medical vulnerabilities, including in patients’ genomic data.
Roots in a mixed reality
Runge, a cardiologist, started writing his thriller – which mixes murder, mystery and politics – a decade and a half ago, when many hospitals were still using paper records.
Since then, EHR use is near ubiquitous – and the idea of creating and securing a national system of real-time medical records is not as far-fetched as it may have once seemed.
In the book, all U.S. patient records live in a nationwide cloud-based EHR that leverages AI to identify emerging diseases and improve care delivery.
Such an EHR could be very useful in getting ahead of a pandemic, improving decision-making for doctors across the country and potentially improving patients’ access to their complete medical records, Runge said.
When he started writing, “there wasn’t much of the notion that you could connect attributes to people and their illnesses with their genetics and genomics,” Runge said. “That was just pie in the sky when I started out. Now it’s a reality.”
Runge separately asserted in our conversation that, if a national electronic health record had existed, the healthcare sector would have foreseen that COVID-19 pandemic was hitting the United States months before it did.
He’s not the only person who feels that way. Healthcare data fragmentation has “caused tremendous problems,” as Oracle cofounder and Chief Technology Officer Larry Ellison noted two years ago, shortly after his company acquired EHR giant Cerner.
During the early days of the pandemic, emergency doctors were unable to retrieve critical information from disparate EHR systems and public health officials had little visibility into how care resources were being used, he noted.
“We’re going to solve this problem by putting a unified national health record database on top of all of these thousands of separate hospital databases,” Ellison pledged.
Whether and when that occurs remains to be seen. But for any vast unified network or database of medical records – national or otherwise – robust cybersecurity controls must be a foundational part of the equation, said Runge.
In reality, as well as in fiction, cybersecurity must be as high a concern as interoperability.
“There’s nothing that’s not technically possible,” said Runge, “and that’s why we have to continue to do everything we can to build our cybersecurity around the systems.”
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.