The health care sector is facing powerful cyberattacks that are more sophisticated, occur more frequently, and have greater disruptive potential than ever before.
Cyberattacks can expose private medical records, cause major economic losses, and damage the reputation of the institution targeted.
At their worst, the attacks can threaten life and limb, writes Dr. Christian Dameff, a practicing emergency medicine physician; assistant professor of emergency medicine, biomedical informatics, and computer science at the University of California-San Diego; and medical director of cybersecurity for U.C.-San Diego Health.
“When patients suffer from strokes, heart attacks, or severe infections, minutes matter,” Dameff wrote in testimony for the U.S. House Committee on Energy and Commerce Subcommittee on Oversight and Investigations. “The best outcomes for patients with these time-dependent crises depend on the immediate, continuous availability of the same digital systems that [cyberattacks] can disrupt. When critical medical systems go offline, our opportunity to save lives diminishes. Our risk of error or misdiagnosis increases.”
San Diego Attack
A cyberattack on San Diego-based Scripps Health exposed the health information of nearly 150,000 patients while also putting pressure on the local health care system, Dameff notes.
The attack overwhelmed adjacent hospitals with unprecedented numbers of emergency room patients, many of whom had serious, time-dependent illnesses, Dameff stated in his testimony. Wait times skyrocketed, hospital beds filled rapidly, and clinicians caring for very sick patients were unable to obtain vital medical records from the affected hospitals.
Incentives Needed
Technology advancements, including systems highly interconnected with third parties, have improved health care outcomes tremendously, but they can still be very vulnerable to cyberattacks, says Bert Kashyap, co-founder, and CEO of the cybersecurity firm SecureW2.
“When these systems are made unavailable, health care workers have to resort to fallback measures, taking them back years, if not decades,” Kashyap said. “Health care organizations need to incentivize their medical equipment and software/hardware vendors to build in cybersecurity defense in every layer of their solutions and tie the renewal of their contracts to cybersecurity interoperability and performance.”
Work Ahead
To combat cyberattacks, health care providers must be determined to find solutions, says Dr. Merrill Matthews, a resident scholar with the Institute for Policy Innovation, a public policy think tank in the Dallas area.
“There is no perfect health care data security solution, especially now that sophisticated bad actors, some of whom are state-sponsored, are aggressively seeking to steal data for financial and other reasons,” Matthews said. “But there are steps that can mitigate the vulnerabilities and damage.”
Matthews offers the following suggestions:
- Health care systems should perform extensive background checks on all new employees and vendors.
- Health care facilities and systems should install state-of-the-art firewalls and other cybersecurity measures.
- States should consider following “best practices” recommendations that limit a health care system’s liability.
- Individuals should limit their use of health care apps to trusted people that refuse to share health information.
“The good news is that private cybersecurity firms are aggressively trying to find solutions,” Matthews said. “But the challenges, especially from those that appear to be backed by a rogue government, will likely remain.”
Kenneth Artz (kennethcharlesartz@gmx.com) writes from Dallas, Texas.
Internet info:
I am dismayed that the original developers of the internet did not see cyber attacks happening.