Making Ethically Based Decisions: Lessons from MedStar Health Cyber Attack

Healthcare leaders are regularly faced with decisions that require ethical thinking and analysis. Using a systematic framework will aid in this process.

Editor's Note: An earlier version of this commentary incorrectly described MedStar's response to a "ransomware" attack last month. The health system declined to pay the ransom, according to a hospital spokesperson.

There has been an increasing number of cyber threats and “ransomware” attacks on healthcare information systems. The increase in ransomware has quickly become a priority for the Federal Bureau of Investigation’s Cyber Division, which has released reports on the matter and issued alerts advising higher levels of vigilance to help mitigate further attacks.

These online attacks are now reported to cost upwards of $150 billion per year. The matter is even more complicated for health systems, which must safeguard health information and comply with HIPAA regulations.

Ransomware is malicious software that, once it has infiltrated a system, encrypts or otherwise blocks access to data and demands that the owner pay a “ransom”, typically in the online currency Bitcoin, to restore access. The most recent well-publicized attack took place at Georgetown University’s affiliated hospital system, MedStar. The MedStar infiltrators reportedly requested a ransom of about $18,000, and employees reported receiving messages demanding payment in order to restore access to information.

In this case, the health system has said it declined to pay the ransom. Instead, MedStar's administration made the quick decision to disable all system interfaces in order to limit the spread of the malware. The health system reported its computers were back up to 90% functionality within a few days of the attack.

It is the health system’s duty to protect patient information and the decisions made in these situations have widespread implications—loss of information would have potentially affected countless families and employees associated with the system.

The following is an excerpt from the statement issued by MedStar Health’s Executive Vice President and CMO:

“Despite the challenges affecting MedStar Health’s IT systems, the quality and safety of our patients remains our highest priority, which has not waned throughout this experience. Fortunately, the core ways in which we deliver patient care cannot be altered, manipulated, or harmed by malicious attempts to disrupt the services we provide,” … “Our ability to serve our patients and their families depends first and foremost on our caregivers, and their expert knowledge and compassion focused on each patient.”

I recently wrote about lessons that are helpful when reacting to a crisis. Those same lessons apply in this situation as well. When reacting to a situation with widespread implications, it is prudent to start by focusing on, and reacting to, the facts. The health system has a mission and duty to care for its customers, in this case the patients within its care.

Resources for Ethical Decision-Making

Luckily, there are frameworks to aid in the process of making ethically based decisions.

The benefit of having a framework is that you can immediately begin by systematically analyzing the issue and assessing the potential risks and harms in a coordinated fashion. In this case, there is risk to both the health system and its patients, because health records typically hold more than clinical information: a breach would also expose patients’ Social Security numbers, home telephone numbers, and physical addresses.

The stakeholders (the patient population) would most likely prefer that health systems take all necessary steps to safeguard their privacy and would advocate that the ransom be paid.

However, decision-makers must take into account the good of the community and public institutions, in addition to the preferences of the individuals affected.

Below is the Stepwise Ethics Approach for Public Health Decision-Making from the Centers for Disease Control and Prevention:

1. Analyze the issue.

> Are there risks and harms of concern?

> What are the overarching goals?

> What are the moral claims of the stakeholders?

> Is the source or scope of legal authority in question?

> Are there precedent cases of relevance?

> Do professional codes of ethics provide guidance?

2. Design and ethically evaluate alternative options.

> Utility — Is there a balance of benefits over harms?

> Respect for individual and community — Is there respect for individual autonomy, liberty, privacy?

> Justice — Are the burdens and benefits fairly distributed, and are affected groups given an opportunity to participate in decision making?

> Respect for public institutions — Is there respect for civic roles and duty for integrity, protection of confidentiality, and protection of vulnerable populations from undue stigma?

3. Justify the decision for public health action.

> Effectiveness — Will the goal or action be accomplished?

> Proportionality — Will the benefit of the action outweigh moral considerations?

> Necessity — Is overriding the conflicting ethical concern necessary to achieve the public health goal?

> Least infringement — Is this the least restrictive and intrusive approach?

> Public justification — Can the action or policy be justified based on principles in the code of ethics that the community and those affected could find acceptable in principle?

Another resource available to you is the American College of Physicians Ethics Manual.

The issue before MedStar and other health systems is how to act in a way that upholds “the rights of individuals within the community.” Unfortunately, the nature of ransomware meant officials had to make a decision within a very short time frame after being notified of the threat. MedStar quickly implemented safeguards that protected the parties concerned from further harm. The health system worked with the FBI and took all necessary steps to maintain the trust of those within its care.

Ethical decisions regarding protected patient information should be made in a timely manner and in accordance with an accepted health ethics decision-making framework. The principles that best aligned with the decisions at hand were maintaining the respect and rights of individuals, maintaining communication with stakeholders, acting in a timely manner, protecting confidentiality, ensuring professional competence, and collaborating with appropriate agencies to solve the issue. The next steps would be implementing preventive measures, including educating employees and staff on how to mitigate and prevent further attacks on the system’s infrastructure.

Follow @ChiwesheMD