
Healthcare Cybersecurity – the U.S. Perspective

This blog post will discuss some of the healthcare cybersecurity aspects that U.S. providers are facing. Although the industry is exposed to the same threats found in other regions around the world, some of it is unique due to the structure and regulatory landscape of the U.S. healthcare space.

Overall, all countries and all industries are facing a rapidly evolving threat landscape of increasingly sophisticated, politically or financially motivated cyber adversaries that execute targeted and well-orchestrated attacks. At the same time, our businesses (and private lives) are increasingly digitalized (more digital systems) and digitized (more digital data). As these digital systems and their data have become an attractive target for cyber attackers, our dependency on them has grown to the point where our businesses and livelihoods depend on them. This is certainly true for healthcare, where we are concerned not only about the privacy of sensitive health data, but also about the availability of health services and the integrity of care delivery.

In the end, it is all about patient safety and patient trust.

Historic Development of U.S. Healthcare Cybersecurity

Specifically, when looking at the U.S. Healthcare industry and its relationship with cybersecurity, we can observe three distinct historic phases:

Early Years From 2003 to 2009

Introduced in 1996, the Federal Health Insurance Portability and Accountability Act (HIPAA) was enacted to allow for the portability of health insurance coverage and the sharing of health information, as well as to provide administrative simplifications enabling electronic transactions of health data. Obviously, this required specific considerations around the privacy and security of health data, which was accomplished through the HIPAA Privacy Rule (2003, defining if and how Protected Health Information (PHI) can be used and shared) as well as the HIPAA Security Rule (2005, specifically defining how electronic Protected Health Information (ePHI) should be protected). Both the Privacy and Security Rules apply to what HIPAA calls Covered Entities (simplified: healthcare providers, health insurers, and business associates that process PHI on their behalf).

Note that the Privacy Rule applies to any health information (electronic, on paper, or even the spoken word), whereas the Security Rule is specific to electronic information and defines how Confidentiality, Integrity, and Availability (commonly referred to as the C-I-A triad) should be protected and assured through administrative, physical, and technical safeguards.

The two main points of criticism of the HIPAA Privacy and Security Rules were a) that they specified vague requirements subject to interpretation by the respective entities, and b) that they were in general poorly enforced, so compliance was low.

How HIPAA Regulates the U.S. Healthcare Industry

Recent Years From 2009 to 2016

In order to aid the country’s recovery from the economic recession, President Obama enacted the American Recovery and Reinvestment Act (ARRA) of 2009, which included significant investment in the healthcare system and health technology.

Specifically, the Health Information Technology for Economic and Clinical Health (HITECH) Act provided

  • financial incentives for healthcare providers to adopt holistic Electronic Health Record (EHR) systems,

but also

  • increased the focus on security through formal requirements for Risk Assessments and Management, increased fines for HIPAA violations, the requirement to conduct HIPAA audits, and lastly, the mandate to report data breaches affecting 500 or more patients (also known as the Breach Notification Rule) to the U.S. Department of Health and Human Services (HHS).

In 2013, these changes were rolled up and incorporated into HIPAA under the so-called HIPAA Omnibus Rule.
Combined, these requirements raised the bar on privacy, security, and compliance and established the need to report and publicize security incidents. Enforcement of and compliance with HIPAA was enhanced through audits and fines. However, with its focus on breach notification, this also resulted in a focus on information confidentiality, with availability and integrity taking the back seat.

Present Years From 2016 to now

The previous two phases above were mainly driven by government initiatives and federal laws (plus some state laws, which I did not discuss but which had cumulative effects). However, significant change happened in 2016 as a wave of ransomware attacks started to cripple U.S. healthcare organizations. Ransomware incidents were not new to the industry, but around that time we saw a) a significant increase in global ransomware attacks, for which the healthcare industry was poorly prepared, and b) evidence that attackers had discovered healthcare organizations as a lucrative target due to their weak cyber defenses and their need to restore care delivery quickly, which makes them more likely to pay a ransom.

WannaCry Uncovers Problems

These events, which reached a peak with the 2017 WannaCry attack, resulted in the painful realization that the HIPAA-driven focus on audits and data confidentiality had left the industry ill-prepared for attacks by nation-sponsored or cybercriminal adversaries. Even though WannaCry had less effect here in the U.S., its impact on the U.K. National Health Service (NHS) was a wake-up call, resulting in a new view of and priority for cybersecurity. U.S. healthcare organizations realized that the availability of information can directly affect care delivery and that the integrity of data is equal to the integrity of health services. This newly understood risk paradigm, and the potential impact and magnitude of availability and integrity events, has started to shift organizations’ focus away from their previous sole focus on data confidentiality.

From Compliance-Driven Effort to Regulatory Enforcement

Healthcare cybersecurity in the U.S. went from the early years of a compliance-driven, poorly enforced, and largely neglected effort to a state that was still dominated by regulation but with improved enforcement through reporting, fines, and audits. Today, healthcare organizations have additionally realized that their security efforts are not limited to satisfying auditors, but that they need to be ready to face sophisticated cyber adversaries, which is a much more difficult – yet increasingly important – effort.

Patient Safety Considerations in Healthcare Cybersecurity

A unique aspect of healthcare is that a cyber incident can result in harm to a patient. Although a targeted attack on a person with the intent to do harm is certainly conceivable, it is probably more suitable for headlines than it should be a concern to us as patients. However, what should worry us – and should guide our cybersecurity efforts – is the possible impact on care delivery and the potential for harm to patients through delayed care or disrupted therapy.

I am not saying that a targeted attack is not in the realm of the possible. Between malevolent threat actors of varying motivation and increasingly digital and integrated (yet vulnerable) medical devices and IT systems, we certainly have all the pieces in place that could make it happen. However, the more concerning scenario is what we have seen with WannaCry (and other, less publicized ransomware attacks): disruption or delay of care and the resulting impact on patients.

Healthcare Cybersecurity Threats With Impact on the Real World

The U.K. National Health Service’s (NHS) “lessons learned” report provided insight into the scope of the WannaCry outbreak and its impact on patient care. 80 of 236 NHS trusts were impacted (34 infected and locked out of service, including 27 acute trusts) as well as 603 primary care and other NHS organizations. 1,220 pieces of diagnostic equipment across the NHS were affected and 6,912 first appointments were cancelled (including at least 139 patients who had an urgent appointment for potential cancer).

Threat-Delayed Care

It is, of course, difficult to measure how events like these impact patient health or safety. We know from controlled studies that a delay in care can result in higher mortality rates, which should not be surprising.

For example, one study showed a statistically significant decrease in patient survival rates when ambulances were rerouted due to a city-wide sporting event, like a marathon. Specifically, just over 4 minutes of additional ambulance travel time on average resulted in a 13% increase in the 30-day mortality rate. Taken together, the study’s findings “suggest that road closures, diversion of ambulance resources, and ensuing delays in hospital care may explain the higher mortality that we observed among patients with acute myocardial infarction or cardiac arrest who were hospitalized on dates of major marathons.” If these minor delays already have a demonstrable effect on health outcomes, we have to assume that cyber incidents resulting in several days of care delivery impact can certainly be harmful to patients.

These attacks don’t necessarily need to target a specific patient, hospital, or even healthcare as an industry. In most cases they are purely opportunistic (attackers seeking a specific vulnerability) or coincidental (e.g., an unpatched operating system may just fit the profile of the malware). However, as discussed previously, healthcare may have the reputation of being a vulnerable industry that holds valuable data and may be easy to exploit for financial gain.

The closest we have ever come to a patient incident due to a cyber event was a ransomware attack on a hospital in Siberia that took down all IT systems during a child’s brain surgery. The surgery was completed successfully despite the IT outage caused by the ransomware attack, which was probably neither targeted nor timed to interfere with the surgery, but which certainly caused a critical situation.

Role of Medical Devices in Healthcare Cybersecurity

Central to the discussion of patient safety is the topic of medical device cybersecurity. Certainly, the considerations are similar to the general discussion of patient safety above, but there are some unique aspects to consider. For one, many medical devices are truly life critical (about 5% of hospital-installed devices fall into that category). But even less critical devices can have severe impact, for example, lab results may be incorrect, alarms may be delayed, or emergency patients can’t be diagnosed due to unavailability of critical imaging equipment.

Guidance by the FDA

This is why the U.S. Food and Drug Administration (FDA) has started to provide guidance to medical device manufacturers on the topic of cybersecurity. For example, FDA issued their Premarket Cybersecurity Guidance in 2014, followed by a Postmarket Guidance in 2016, and an updated (draft) Premarket Guidance in 2018.

The message is clear – manufacturers need to design better security features into their devices, do a better job maintaining the security posture of devices once they are in the market, and have better processes in place to communicate with their customers about cybersecurity, for example through better documentation, vulnerability disclosure, and timely release of patches.

Further Support of Medical Device Cybersecurity

These activities are supported by market education, workshops, and initiatives supporting specific needs. For example, the Health Information Sharing and Analysis Center (H-ISAC) hosts the Medical Device Security Information Sharing Council (MDSISC), specifically focusing on sharing information on vulnerabilities and cyber threats among its members.

Another organization that has started focusing on the medical device cybersecurity topic is the Association for the Advancement of Medical Instrumentation (AAMI), which provides education at national and regional chapter events as well as cybersecurity education for clinical engineers to complement what has traditionally not been part of clinical engineering education.

One of the unique aspects of the medical device cybersecurity topic is its complexity. This includes not only the complexity of the devices and the number of devices installed in hospitals (it is estimated that U.S. hospitals have a total of 10 to 15 million medical devices, with about 25% of them already being networked), but also the number of stakeholders, inside and outside of a hospital, that are part of this shared responsibility.

Further, the regulatory landscape is far from simple. For example, HIPAA regulates healthcare providers and patient data (PHI), whereas the FDA regulates medical device manufacturers with a focus on patient safety. Looking at an individual medical device (as is done in a hospital’s cybersecurity risk analysis), there is a disconnect, as the patient data on the device is regulated differently than the safety-relevant data (with some overlap).

From the manufacturer perspective, the complexity comes in through international regulations that may set different requirements with regards to cybersecurity properties and processes. Although international harmonization efforts are under way via the International Medical Device Regulators Forum (IMDRF), manufacturers are still faced with a complex and still evolving regulatory landscape.

Healthcare Cybersecurity in the Future

With over 5,000 hospitals, about 1 million hospital beds, and an estimated 230,000 physician practices, the U.S. Healthcare Provider space is complex and provides an equally complex and patchworked IT ecosystem. Map that complexity to an ever-evolving cyber threat landscape with sophisticated, capable, and malicious cyber actors and it is clear that we are facing a challenging situation.

The number of data breaches reported to the U.S. Department of Health and Human Services (HHS) has been increasing at 5-10% per year since the beginning of mandatory reporting in 2009. The number of breached patient records has fluctuated widely year-over-year (typically driven by a few very large breaches) and was reported as exceeding 41 million records in 2019. Yet, at the same time, it is reported that healthcare providers are challenged with finding cybersecurity staff and lag behind other industries in security budgets.

Some signs of improvement exist, though. Security budgets seem to grow, albeit slowly, and cybersecurity is increasingly becoming an executive and hospital board topic as demonstrated in a recent survey. Hopefully, this is leading to strategic visibility of cyber risk and a more secure future. I just hope that the “bad guys” won’t outpace our efforts.

Either way, we have our work cut out.