Healthcare Challenges in the Era of Cybersecurity

Abstract

As a result of the extensive integration of technology into the healthcare system, cybersecurity incidents have become an increasing challenge for the healthcare industry. Recent examples include WannaCry, a nontargeted ransomware attack on more than 150 countries worldwide that temporarily crippled parts of the National Health Service in the United Kingdom, and the 2016 ransomware attack on Los Angeles's Hollywood Presbyterian Medical Center. The attacks cost millions of dollars in lost revenue and fines, as well as significant reputational damage. Efforts are needed to devise tools that allow experts to more accurately quantify the actual impact of such events on both individual patients and healthcare systems as a whole. While the United States has robust disaster preparedness and response systems integrated throughout the healthcare and government sectors, the rapidly evolving cybersecurity threat against healthcare entities is outpacing existing countermeasures and challenges in the “all-hazards” disaster preparedness paradigm. Further epidemiologic research of clinical cybersecurity attacks and their effects on patient care and clinical outcomes is necessary to prevent and mitigate future attacks.

Prevention, mitigation, response, emergency management, and recovery from disasters are critical responsibilities in the public health domain. For well over a century, US federal, state, and local governments have led preparedness and response efforts to natural and manmade disasters through policy and asset management. As most disasters typically include human injury and death, the evolution of the formal discipline of disaster medicine came about simultaneously. No other event in modern history has spurred advances in disaster medicine and public health policy more than the attacks on September 11, 2001.^1,2 Concurrently, over the past 30 years, the expansive integration of new technology in healthcare has changed the face of medicine. Modern medical care now relies on healthcare delivery organizations, including hospitals and clinics, that are built on a backbone of connected computer-based infrastructure, as well as the use of patient-facing networked technology such as implantable medical devices. Additionally, clinicians rely on electronic medical records, computer-controlled bedside infusion pumps, sophisticated medical imaging platforms, and a myriad of other tools to provide the current standard of care.

While conventional disaster medicine and related policy efforts largely focus on responding to natural disasters, epidemic outbreaks of disease, and mass casualty or terrorist attacks, the ever-increasing dependence on technology in the healthcare system presents a new and important challenge to clinicians, public health experts, and policymakers. Interestingly, the technological advances that have improved medical disaster response and patient care are increasingly at risk of being exploited and themselves becoming the cause of a new type of disaster.

Cybersecurity refers to the protection of computer-based technology from deliberate or inadvertent disruption via manipulation of underlying software, hardware, or networked connections. Although this discipline and its practices have received substantial attention in the technology, financial, industrial infrastructure, and national security sectors, a 2017 report commissioned by the Department of Health and Human Services (HHS) found that “healthcare cybersecurity is in critical condition.”³ The report cited as challenges of particularly grave concern: (1) a significant shortage of information security professionals, (2) the ubiquitous use of outdated legacy equipment, (3) over-connected technologies, and (4) the profligate presence of software vulnerabilities in commonly used devices.

Recent Examples of Cyber Disasters

A dramatic example of the public health threat posed by cybersecurity vulnerabilities occurred on May 12, 2017, with the release and rapid spread of the WannaCry software virus. An example of a subset of malicious malware viruses known as ransomware, WannaCry infected exposed computers by taking advantage of a software vulnerability in older versions of the Windows operating system. The virus then encrypted the information already stored on the computer, rendering the data inaccessible to its owner unless a ransom was paid in the form of anonymous electronic cryptocurrency.

The ransomware ultimately invaded hundreds of thousands of computers in more than 150 countries. Arguably, however, WannaCry's most profound impact occurred when systems of Britain's National Health Service (NHS) were infected. The result was disruption to the normal operations of more than 80 individual hospitals for 4 days. Tens of thousands of scheduled surgeries and clinical appointments between May 12 and May 19 had to be cancelled; complex medical equipment such as magnetic resonance imaging machines were temporarily disabled; and in several areas, ambulances had to be diverted to unaffected hospitals, resulting in delays in patient care.⁴ At the time, the NHS did not routinely collect specific data that would allow the resultant healthcare impact to be measured (ie, disease-specific morbidity and mortality, number of diversions); therefore, an accurate account of the full extent of the public health impact is not available.⁵ Recently, Ghafur et al attempted to quantify the medical impact of WannaCry using overall mortality data and cancelled appointments.⁶ There was no overall increase in mortality; however, given prior research showing nontrivial mortality impacts as a result of delays for road closures during marathons, it seems likely that there were significant unseen impacts.^6,7 From a financial standpoint, however, the NHS unambiguously estimates the costs associated with the WannaCry attack to be at least £92 million (US$115 million).⁸

Although healthcare computer systems in the United States largely escaped infection from WannaCry, several institutions have been affected by other ransomware attacks. Most notably, a ransomware cyberattack occurred in 2016 at Hollywood Presbyterian Hospital in California with similar adverse outcomes.⁹ In contrast to the WannaCry attack, however, Presbyterian Hospital chose not to notify law enforcement when the hack occurred. Instead, the hospital's information was held hostage for 10 days until it ultimately paid $17,000 in bitcoin ransom to the criminal perpetrators.^10,11 The full financial and reputational impact of this event has not been evaluated, but other information security breaches have cost hospitals as much as $7 million in fines, litigation, and reputational damage.¹² A significant increase in attempted attacks using the same ransomware was also seen in nearby Palo Alto shortly after the Presbyterian attack.¹⁰

To date, little peer-reviewed information has been published regarding the public health implications of ransomware attacks and similar cybersecurity incidents. The impact on patient clinical outcomes as a result of care delays because of ambulance diversion away from affected emergency departments has not been accurately measured. However, other studies on similar care delays indicate that detrimental effects on patients likely occurred. Road closures during marathons have demonstrated nontrivial impacts on the response of time-critical conditions such as cardiac arrest.¹³

In addition to the health impacts associated with delays due to transportation issues, breaches of a hospital's stores of protected health information negatively affect patient outcomes. While breaches of protected health information may not directly disrupt or disable the normal healthcare delivery functions, they have been shown to be associated with 30-day increases in mortality from acute myocardial infarction. The correlation is hypothesized to be related to the need to divert organizational resources to mitigating cybersecurity vulnerabilities and paying associated penalties and potentially away from direct patient care services or processes.¹⁴

Cyber Disaster Preparedness and Response

Disaster and emergency response infrastructure in the United States is complex and multilayered. Federal management and direction of public health preparedness and response efforts include the Departments of Defense, Veteran's Affairs, Homeland Security, and Health and Human Services. Important agencies within the departments include, but are not limited to, the Federal Emergency Management Agency, the Centers for Disease Control and Prevention, the Food and Drug Administration, and the Office of the Assistant Secretary for Preparedness and Response. A multitude of public and private partnerships and information sharing organizations complement these efforts, some of which have produced guidance on healthcare cybersecurity-related best practices.¹⁵ In 2018, the National Institute for Standards and Technology released the “Framework for Improving Critical Infrastructure Cybersecurity,” now purported to be the most widely used framework in healthcare.¹⁶

In parallel to the federal agencies, governments at the state level typically include an amalgamation of departments, agencies, and organizations that share overlapping jurisdictions and responsibilities for disaster preparedness and response. Tribal governments, local municipalities, county and regional authorities, and independent associations have additional roles in the disaster response and public health ecosystems and must coordinate with state and federal government agencies when disaster situations overwhelm existing resources. While comprehensive surveys and studies have not been performed on the independent roles of such organizations, in the context of cyber disasters, these organizations may serve as key networks for information sharing and response coordination.

Lastly, individual healthcare organizations are not standing by idly; many have taken active steps to protect themselves. Commonly, the focus is on end-user security, such as restricting website access, increasing the complexity of password access and frequency of password changes, and limiting outside device access to the network. In addition, structural measures such as network segmentation and regular software patching are widely used to increase cybersecurity.

Current Regulations

The most prominent regulation concerning public health cybersecurity preparedness arises from the HHS Centers for Medicare and Medicaid Services (CMS). Under its “Conditions of Participation” for hospitals exists a requirement that facilities “develop, implement, and maintain an effective antiviral computer software program to prevent malware viruses from an unauthorized cyber-attack.”¹⁸ While a regularly updated antivirus platform is a foundational element of a strong cybersecurity posture, updates eventually become a challenge due to outdated legacy equipment and operating systems. The WannaCry ransomware virus is an example of a previously unknown software exploitation that a vast majority of unsupported or outdated systems' antivirus platforms were unable to detect or prevent, despite the active software in place.⁵

The Health Insurance Portability and Accountability Act (HIPAA) has also addressed cyber security in several ways. There is a strict reporting requirement for any incident involving the breach of protected health information, particularly any event resulting in the exposure of more than 500 individuals' data. However, other than this reporting requirement, HIPAA's guidance for hospitals on how to actually implement measures to mitigate and prevent such exposures is vague and widely open to interpretation: requiring “administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”¹⁹

CMS and HIPAA regulations also require the appointment of an emergency manager at each participating institution who will oversee the development of unique organizational emergency preparedness and disaster recovery plans. Resources for the development of cybersecurity-specific plans are outnumbered by materials guiding against natural disasters, disease epidemics, and mass casualty events. Additionally, the shortage of qualified cybersecurity personnel as identified by the Health and Human Services Task Force presents a barrier to the universal implementation of such programs.²⁰

Conclusions

Public policy enacted to reduce the impacts of disasters have not adequately addressed the threats that arise from the growing dependence American healthcare has on connected technology. Limited resources, a complex and evolving organizational hierarchy, immature regulation, and a relatively unfamiliar threat model without a significant foundation of evidence-based research all combine to present a challenge for the individual healthcare delivery organization or public health system preparing for a cybersecurity-related incident. Additionally, appropriate tools to capture and attribute the true medical impacts of these events are still lacking.

The current legal and regulatory landscape, including HIPAA and CMS regulations, provide a needed foundation, but recent incidents have demonstrated the importance of a more robust and evidence-based framework to combat healthcare cybercrime. Suggestions for future regulations to improve safety include improved event reporting and information sharing, improved tools for investigation and prosecution of cybercrimes, and federal training and response to cybersecurity events in ways similar to other disasters.

The advances in disaster planning and management for conventional public health emergencies provide a roadmap for improving readiness in the cybersecurity arena. Additionally, prevention and risk reduction through various strategies, including end-user education, regular patching, and discontinued use of unsupported software and devices, are essential to improving healthcare cybersecurity. Thus, cybersecurity improvements will ultimately improve the health of patients. Further research should address the epidemiology of clinical cybersecurity incidents and characterize the effect they have on patient care capabilities and subsequent clinical outcomes. Best practices should be developed not only by information security professionals, but by multidisciplinary groups including clinicians, health system administrators, and policymakers.

References

Goudsblom

Public health and the civilizing process. Milbank Q. 1986; 64(2):161-188.

Noji

, Toole

. The historical development of public health responses to disasters. Disasters. 1997; 21(4):366-376.

Healthcare Industry Cybersecurity Task Force. Report on Improving Cybersecurity in the Healthcare Industry. June 2017. Accessed September 29, 2019. https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

National Audit Office. Department of Health. Report by the Comptroller and Auditor General. Investigation: WannaCry Cyber Attack and the NHS. April 25, 2018. Accessed May 27, 2020. https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf

Smart

Lessons Learned: Review of the WannaCry Ransomware Cyber Attack. Department of Health & Social Care. February 2018. Accessed May 27, 2020. https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf

Ghafur

, Kristensen

, Honeyford

, Martin

, Darzi

, Aylin

. A retrospective impact analysis of the WannaCry cyberattack on the NHS. NPJ Digit Med. 2019; 2:98.

Choi

, Johnson

. Do hospital data breaches reduce patient care quality? arXiv.org. Submitted April 3, 2019. Accessed May 27, 2020. http://arxiv.org/abs/1904.02058

Cyber Security Policy. Securing Cyber Resilience in Health and Care: Progress Update 2018. London: Department of Health & Social Care; 2018. Accessed May 27, 2020. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747464/securing-cyber-resilience-in-health-and-care-september-2018-update.pdf

Winton

Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Los Angeles Times. February 18, 2016. Accessed May 27, 2020. https://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

10.

Ransomware case studies: Hollywood Presbyterian and the Ottawa Hospital. Infosec Resources website. Accessed May 27, 2020. https://resources.infosecinstitute.com/category/healthcare-information-security/healthcare-attack-statistics-and-case-studies/ransomware-case-studies-hollywood-presbyterian-and-the-ottawa-hospital/

11.

Dobuzinskis

, Finkle

California hospital makes rare admission of hack, ransom payment. Reuters. February 18, 2016. Accessed December 13, 2019. https://www.reuters.com/article/us-california-hospital-cyberattack-idUSKCN0VS05M

12.

Jalali

, Kaiser

. Cybersecurity in hospitals: a systematic, organizational perspective. J Med Internet Res. 2018; 20(5):e10059.

13.

Jena

, Mann

, Wedlund

, Olenski

. Delays in emergency care and mortality during major U.S. marathons. N Engl J Med. 2017; 376(15):1441-1450.

14.

Choi

, Johnson

. Do hospital data breaches reduce patient care quality? Paper presented at: 14th Workshop on the Economics of Information Security; June 2017; La Jolla, CA.

15.

US Department of Health and Human Services. Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. Accessed May 27, 2020. https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

16.

HIMSS North America. 2018 HIMSS Cybersecurity Survey. Chicago: HIMSS; 2018. Accessed May 27, 2020. https://www.himss.org/sites/hde/files/d7/u132196/2018_HIMSS_Cybersecurity_Survey_Final_Report.pdf

17.

Arizona Department of Health Services (ADHS). Public health emergency preparedness. ADHS website. Accessed May 27, 2020. https://www.azdhs.gov/preparedness/emergency-preparedness/index.php

18.

Centers for Medicare & Medicaid Services (CMS). Medicare Business Partners System Security Manual. Baltimore, MD: CMS; 2017. Accessed June 9, 2020. https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS1223332

19.

Security Standards: Administrative Safeguards. HIPAA Security Series. 2007;2:2. Accessed May 27, 2020. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf

20.

Davis

HHS task force says healthcare cybersecurity in “critical condition.” Healthcare IT News. June 5, 2017. Accessed May 27, 2020. https://www.healthcareitnews.com/news/hhs-task-force-says-healthcare-cybersecurity-critical-condition