The COVID-19 pandemic was the biggest public health emergency in the last century. But we are now on the precipice of another public health crisis – the impact of the increasing frequency and severity of cybersecurity violations. This is a universal concern that virtually all healthcare, from remote clinics to major research institutions, is now on a connected digital platform that is regional, national and international.
Cybersecurity violations against healthcare organizations and patients generally involve the theft of personal health information, personal identity information and ransomware and the potential to hack and control medical devices. While other threats to operations, such as storms, can be predicted days ahead of time, cyberattacks are sudden, immediately disruptive, can be massive in scope, and are often the work of organized groups with malicious intent. They may sleep in systems for extended periods of time before being triggered by some seemingly innocent activities.
The ramifications of these violations for healthcare organizations and patients are terrible. The latest ransomware attack on Scripps Health has shut down its systems for more than two weeks and has overloaded nearby hospital emergency departments and specialized care units with deviant patients. Combining this dynamic are cyber attacks on other critical sectors such as electricity, water purification systems, communications and emergency services that can indirectly produce important patient safety concerns. The clinical implications of the upstream violations reinforce the concept that cybersecurity for all sectors of critical infrastructure is essential to ensure care delivery. If we do not significantly improve our preparations for this risk now, we will repeat the disorganized COVID-19 response during early 2020.
The latest ransomware attack on the Colonial Pipeline Company is an example of the unintended downstream effect on the health of a ransomware attack on the energy sector. Although the loss of electricity is usually the first energy concern in this sector, the lack of gasoline due to the effect on pumping and delivery can have an acute impact on ambulances, other delivery vehicles. , hospital staff workers, patients and trucks carrying supplies. This was experienced in the New York area after the Sandy Superstorm in 2012.
Like most of the national economy, health care can be affected by a cyber attack in almost all other critical sectors, and in turn may be affected by a health compromise. Large attacks on the food supply chain could cause a large food shortage, which would affect even the most vulnerable. The transport sector is also a critical link in our economic model just in time. This would be exacerbated by a cyber attack that halted port operations and cut off supplies from global sources in the supply chain.
A major attack on our water supplies would have a massive impact, not only limiting the provision of care, but also increasing the need for medical care as the public turns to less safe sources of water. Service denial attacks that overwhelm the 911 system can paralyze the emergency services sector, resulting in the inability to respond to medical emergencies. The loss of telephone communications, which are now primarily Voice Over Internet Protocol in hospitals, could disrupt the internal and external communications of the hospital.
These are just a few examples of how other critical infrastructures are intertwined with health. Solutions to mitigate weaknesses in these interdependencies are neither easy nor guaranteed, but as with all problems the first step is to admit that there is a problem. The healthcare industry, including suppliers ’leaders, pharmaceutical and medical device companies, supply chain companies, and the government need to intensify their efforts to jointly develop a constantly evolving strategy to address these vulnerabilities. .
Healthcare organizations currently conduct a vulnerability assessment of hazards each year, but they are based on a single event such as a hurricane, forest fire or pandemic. These have to be rethought with the compounding impact of cyberbreaches resulting both in data loss and in side effects from other sectors. We need to think about the broad data that healthcare organizations are no longer silenced by each other or by other sectors of the national infrastructure on an increasingly integrated digital platform. This change of mindset and commitment to scale the importance of this imperative must be reinforced as the timing and sophistication of attacks increase, so as not to be at the mercy of criminal groups and nation states.
There are already many places for private / public partnerships that build the necessary resilience. This year marks the 25th anniversary of the national InfraGard program – a public / private partnership with the FBI that involves cross-sectoral discussions and information sharing on threats and remedies. Similarly, there is strong private / public cooperation between the numerous sector coordination councils, including the Health Sector Coordination Council, which represents critical infrastructure owners and operators, trade associations. , industry representatives, with their counterparts from the Government Coordination Councils for each SCC. These groups, supported as trusted partnerships by the Department of Homeland Security, often meet to proactively protect our critical infrastructure with tactical, operational, strategic, and political tools.
It is imperative that everyone in the healthcare sector join these types of partnerships both to be informed and to contribute. Cybersecurity is not only an information technology problem, but one that can directly influence the care that is provided every day across the country. It is our professional responsibility to be engaged.