Throughout our environment of interdependent critical infrastructure, the distributed and indiscriminate risk to patient safety in the health industry due to cybersecurity vulnerabilities is ever increasing. Consider going to your health service provider to receive lifesaving treatment and being turned away because the medical devices and electronic health records in the hospital have been incapacitated by ransomware, rendered unusable until the ransom is paid – and even if the ransom is paid, there is no guarantee the data held hostage will be operational or recoverable. This is the reality some health delivery organizations (HDO) experienced during the 2017 WannaCry cyberattack as it spread to more than 150 countries and affected more than 200,000 computers across the globe, as well as hospitals in at least two states. The most critical consequences of the lapse in quality of care were shouldered by the patients, whose lives were put at risk.

A significant portion of medium and small health providers don’t consider information technology a strategic asset towards the system’s success. In this light, and with cybersecurity treated as a subcomponent of IT, cybersecurity becomes an afterthought. The security program is an additional duty, and a secondary priority, for IT staff already burdened with full-time jobs. To adequately prepare for and mitigate the cyber threats facing healthcare, health providers must select appropriate cybersecurity leadership and enable their efforts for an enterprise-wide strategy to protect patient lives and data. It is clear that health organizations must be creative and flexible in finding the appropriate leadership and staff, with appropriate skills, at the right price.
The common thread in cybersecurity between the health sector and other critical infrastructure is the potential for large-scale damage in the blink of an eye. Cyberattacks can unleash massive and widespread damage in multiple critical lifeline sectors; power grids can be shut off, water services can be denied, and health services can be interrupted with instantaneous maximum impact.

The Healthcare and Public Health Sector Coordinating Council’s Cybersecurity Working Group has been actively involved in bringing the health sector – our government and industry partnership – into a forum where subject matter experts and government leaders are encouraged to collaborate on myriad issues that threaten the security and resiliency of our cyber-posture. We have 13 task groups that deal with the pressures on the Healthcare and Public Health Sectors (HPH), such as Supply Chain Risk Management, Medical Technology Cybersecurity, Intellectual Property Protection, and many more. We have two major cybersecurity guidance frameworks that are soon to be released: the Joint Security Plan (JSP) to increase the security and resilience of medical devices and health IT (mapped to the NIST Cybersecurity Framework), and the Top 10 Best Practices for minimum-level best practices in healthcare cybersecurity. Through these work products, and our active task groups, we strive to facilitate the collective mitigation of cybersecurity threats to the sector that affect patient safety, security, and privacy – and, consequently, national confidence in the healthcare system.
Patient safety has taken on a new dimension that demands our attention – the recognition that patient security requires cybersecurity. The health sector is striving to fortify the industry’s immune system against a cyber epidemic that has become as infectious as a human epidemic. To implement a comprehensive security framework, the healthcare sector must work to get ahead of the threats facing the sector in a partnership with government and across critical healthcare subsectors like direct patient care, health IT, medical devices, pharmaceuticals, and health plans and insurance. This isn’t just an IT security problem or a regulatory compliance problem, but one that needs the attention of health providers, chief medical officers, CIOs, general counsels, and the C-suite in general. In this way, we can collaboratively diagnose our cyber health, prescribe a regimen of treatment and move us closer to inoculation against an epidemic of cyber vulnerability.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.


