There has been a newfound effort to highlight and address the disparity in health outcomes for patients who belong to one or more marginalized communities. Opportunities for health and wellness are dictated by social, economic, environmental, and systemic factors, not by factors that are inherently genetic or physiologic. This means that the color of one’s skin, what ZIP code they are born and live in, the education they receive, the food and housing they have access to, and the jobs they hold are the primary drivers of one’s wellness and health outcomes.
It stands to reason that anything that further exacerbates the chasm of economic and systemic opportunity will result in additional hurdles to achieving health equity. This creates a tremendous opportunity to apply the lens of health equity to the numerous strategic imperatives a healthcare delivery organization is already prioritizing. We can still implement initiatives that address the foundational stability of health systems, and the opportunities for innovation and evolution of care, while also accounting for the often-unintended consequences they may have. Rather than silo health equity as a clinical issue, it should be woven into the fabric of all work that has the potential to impact our patients from an environmental or economic standpoint. Given the direct impact ransomware and data breaches can have on the physical, mental, and emotional health of our patients, for example, we would be remiss to exclude cyberattacks from the ways we view opportunities and challenges to address the root causes of health disparities.
Cybersecurity as a top priority
Ransomware attacks on healthcare delivery organizations have doubled between 2016 and 2021, with a 94% decrease in time to encryption of data. The exposure of ever-larger amounts of personal health information—and the sophistication and frequency of attacks are only expected to rise further – potentially creates quite literal life-and-death situations. Electronic health records (EHR) encryption, ambulance diversion, delays and cancellations of appointments and surgeries all contribute to negative health outcomes. Time is always of the essence when it comes to care delivery, so it isn’t surprising that there are untoward consequences to patients from data breaches and ransomware attacks that impede operations. The full impact to health outcomes is challenging to quantify, but already studies show a rise in 30-day mortality for patients who present with myocardial infarctions during a cyberattack. What is surprising is that this 30-day mortality rate stays elevated long after the data breach occurred due to the mitigation efforts to rectify the vulnerabilities. The very measures put in place – longer authentication processes, faster auto-logout times, frequent and longer password changes – make it harder to provide care when minutes can matter the most.
As if the chaos of a ransomware attack, with diversions and inaccessible EHRs, were not wearing enough on an already overtaxed healthcare team, the remediation process itself can further complicate operations well past the acuity of a breach. Addressing the cascade of operational and clinical consequences is an area of cybersecurity that warrants broadening the conversation from IS and IT leadership, to one that represents all health system stakeholders, including clinical leadership. Tabletop exercises are crucial to an evolving and successful cyber strategy, but so is visibility to the impacts and expectations across the organization, which should translate into broader involvement and a sense of ownership among numerous health system leaders. In addition to creating a culture of stewardship, as well as an opportunity for a practical infusion of workflow and user perspectives, we should think about the patient experience, and how cyberattacks – both their prevention and remediation – may inadvertently contribute to disparities in patient health and financial outcomes.
Cybersecurity and patient advocacy
An important first step is recognizing the deterioration in health outcomes that can occur due to our approach in preventing, navigating, and overcoming cybersecurity attacks. But we also need to acknowledge that these worse health outcomes disproportionately impact people of color, the poor, and the elderly. For example, cyberattacks routinely result in the diversion of ambulances. Black patients with acute MI have worse mortality outcomes relative to white patients when exposed to the same diversion levels, and when transported from the same geographic area, there are consistent differences by race and ethnicity in emergency department destinations. More research is certainly warranted, but it is reasonable to conclude that cybersecurity breaches manifest in a further exacerbation of health inequity. This is to say nothing of the challenges faced by historically marginalized patient groups at baseline in accessing care. Additional hurdles to timeliness and access of care will only further widen the divide.
While the implications to health are clear, the consequences of personal data exposure and the possibility of identity theft are also not equally experienced. Low-income patients are at risk for significant harm from identity theft, more so because they lack the financial cushion and resources to navigate what is often a complex and lengthy remediation process. Furthermore, we see differences in the psychological impact of identity theft, with older adults living in poverty, and older black adults experiencing not only greater distress but also greater personal economic losses. As with health outcomes and how we must strive for equitable improvement for all, more research is needed on the extent to which historically marginalized groups are disadvantaged in personal data theft so that appropriate resources and policies can be implemented to help all who are impacted more fully recover. Policy around reparations following a data breach will always be inadequate when based on the presumption of economic parity of those impacted. Underestimating the racial wealth gap will only serve to worsen it.
Health and wellness for all
The acknowledgment of the roles and extent social determinants of health play in health and wellness has become the norm – we know clinical interventions are insufficient in isolation. What we must grapple with is how to best address health equity to provide immediate relief, as well as the longer strategy as the guiding tenet of new policies and restructured institutions. Part of this strategy should include a cybersecurity posture that incorporates a health equity mindset.
About Dr. Erin Jospe
Dr. Erin Jospe brings more than 20 years of experience in healthcare and health IT to her role as a chief healthcare advisor at World Wide Technology, a $17 billion global solutions provider located in St. Louis, Mo. Dr. Jospe combines her clinical skill with business acumen to deliver next-generation digital health solutions that meet patients’ needs while advancing the industry and driving revenue and profitability.