Cyber attacks in the form of malicious hacks and data breaches in health care can create patient safety risks. As more health care organizations adopt interconnected health IT systems, flaws in system design, interface issues, and user negligence can result in adverse patient events. Most often, these events come from:
- errors of commission — accessing the incorrect record or overwriting critical information;
- errors in transmission — in which patient data may be lost or is not available; and
- errors in data collection and analysis from incompatible systems.
Errors and omissions exposure
For certain health care entities, third-party financial damages occur when technology products or services fail to perform as intended or expected. Delays or deficiencies in technology-dependent patient care affect patient outcomes. The FDA has received hundreds of reports of health information technology (HIT) related errors and malfunctions with the potential for patient harm, including death.
If a medical practice also provides HIT services or products to others for a fee or for other consideration, the practice is considered a service provider or technology firm as well. These services are typically a combination of IT client services that include computer consulting, data processing, software programming or development, and hosting, managing, or administering the computer systems and infrastructure of others.
The products they offer can include creating, designing, or distributing computer hardware, software, or electronic telecommunications and wireless equipment.
Errors and omissions (E&O) in a practice’s technology services or products, whether in its advice, evaluation, or design, can lead to third-party claims, including claims for bodily injury to others.
Here are a few examples.
- A transplant patient undergoes lab testing and a critical test result indicates possible transplant rejection. This is reported to the laboratory information system, but not to the transplant surgery database because the interface between the two systems only allowed for certain lab results to enter the transplant database.
- An admitted patient does not receive his prescribed psychiatric medicine for nearly three days because the hospital pharmacy’s software was programmed to automatically discontinue orders for certain drugs after a fixed time. There was no alert to let the patient’s care team know the drug order had been suspended.
- As a surgeon views a patient’s radiology study from a PACS system in the OR, the display flips to a blue screen. The patient’s time under anesthesia is extended while OR staff try to get the display working.
- A software malfunction causes a server to crash, and the nursing notes for an entire shift temporarily vanish.
- Improperly merged patient data results in the wrong treatment provided to a patient.
- Due to a system interruption, a physician is unable to obtain a patient’s electronic records at a critical point of care, and a diagnostic error occurs.
- A clinical decision-support tool wrongly recommends a dangerous combination of drugs to a physician, who then prescribes them, resulting in a patient’s death.
Practices that also act as an IT firm or IT service provider must have the proper expertise. Even though many contracts contain hold harmless and indemnification clauses, “promises” are often made in advertising and contracts about the technology services or products provided. This can lead to unintentional breach of contract claims.
Cyber liability exposure
Cyber attacks can also lead to data privacy breaches for health care entities. A ransomware attack that encrypts data is a “security incident” under the HIPAA Security Rule. This type of attack can also compromise ePHI by deleting the original data and leaving it in an encrypted form. These types of breaches can also result in:
- direct costs for breach support expenses, such as legal fees, forensics, notifications, identity theft restoration, and credit monitoring for affected parties;
- business interruption loss of income and incurred extra expenses;
- third-party liability claims or lawsuits; and
- vicarious liability for third-party damages, including regulatory fines or penalties.
For this reason, it is vitally important to have a financial contingency plan in place that includes comprehensive cyber insurance and technology errors and omissions insurance with appropriate limits of liability.
According to the Wall Street Journal, faulty technology and user error are the leading factors contributing to patient harm.
“Health systems have swelled increasingly large and have millions of patients in their records. One result is that these records often contain thousands of people who share the same name and date of birth with at least one other person in the system—in one extreme case, more than 500 women in one system have the same name and were born on the same day [Harris Health System in Houston has 528 ‘Maria Garcias’ with the same date of birth]. That and other record-keeping challenges mean it’s easier than ever for patients to be misidentified and given the wrong care.” 1
Most lawsuits involving patient safety and technology have been handled as malpractice cases, as plaintiff’s attorneys typically sue physicians and hospitals alleging standard of care violations. But that could change to also targeting the technology provider, as plaintiff’s attorneys become more knowledgeable about health IT and the role it plays in patient safety.
1. Gormley B. “Tech May Cure Patient ID’s Woes: Hospitals are using biometric systems to overcome the problems that plague identification.” The Wall Street Journal. February 7, 2019.
About the author: John Southrey