School of Public Health and Community Medicine

WannaCrypt, My Health Record and new frontiers in health security



Raina MacIntyre

15th May 2017


The largest ransomware attack in history has crippled the NHS in the last few days, and hospitals worldwide have increasingly been targeted for hacking. In the NHS, as a result of the hack, not only were patient records inaccessible and patient care dangerously disrupted, but surgery was cancelled and ambulances were diverted. The full impact on the lives and health of British people is not yet clear.

Electronic health records are viewed by many as the holy grail of modern health care – a centralized record of a person's medical history, medications, procedures, and other clinical data. If patients have multiple doctors and specialists, or complex conditions, an E-health record can ensure continuity of care, appropriate prescribing and fewer errors of care. In a medical emergency, relevant health information can be accessed quickly.

For medical researchers, the E-health record facilitates research which can help improve medicine and medical care. One of the ways in which E-health records are used in medical research is through data linkage. For example, a study that linked Medicare patient records to cancer data showed that exposure to CT scans in childhood increases your cancer risk. 

Technology which can benefit humans usually can also cause harm. This is called dual-use technology, and the term applies to the E-health record and data linkage. In 2014, the US Office of Personnel Management was hacked, compromising over 20 million Federal employees. Around the same time, the largest provider of health insurance to US government employees, Anthem Health, was also hacked. Both attacks, targeting federal employees, were thought to be initiated by a hostile foreign government or group. If perpetrated by the same group, data linkage allows the hostile group to create a health profile for US federal employees. The hostile power would know for any chosen target what illnesses they suffer, their medications, who their doctor is, and when they are scheduled for surgery. It is only a short leap to imagine the risks to high-profile federal employees.

This risk has been recognized in the area of connected digital technologies such as pacemakers and insulin pumps. Former US Vice President Dick Cheney had his pacemaker's wireless function disabled to mitigate the risk of hacking. Hacking of health records opens up other potential harms to individuals, such as threats to medication security and to hospital and health system security, and the enabling of targeted medical murder. This is a concept that is not within our discourse or awareness, but is certainly technologically possible, especially when we think about instances like the OPM and Anthem Health hacks and the assumed motives of the hackers to harm or disable US federal employees. Fatalities have occurred through contaminated medications and vaccines, whether accidentally or otherwise. If organized crime groups gain sensitive medical information on police, government officials or judges through hacking, this may be a more attractive option than more obvious methods of murder or incapacitation.

While the world grapples with the latest ransomware hack, a budget announcement was made that My Health Record will be rolled out nationally in 2018 as an opt-out system. This means that if you do not opt out, your personal health information will automatically be digitized. The backdrop to this, the national E-health strategy, presents an optimistic view of the benefits of E-health and acknowledges relatively poor health IT systems and a shortage of IT skills, but fails to mention the risk to health security posed by hacking. There has been no comprehensive risk analysis of the universal electronic health record, and it is clear from escalating hacks of government systems worldwide that information systems have not kept pace with quantum advances in cyber technology. Simultaneously, the government has invested in cyber security and recognized the cyber threat to national security. Yet somewhere, the dots have not been joined about how My Health Record fits within this risk landscape.

