A health system under constant attack

By Greg Garcia

This is a lightly edited excerpt of testimony recently provided to the U.S. Senate’s Health, Education, Labor, and Pensions Committee during the hearing “Securing the Future of Health Care: Enhancing Cybersecurity and Protecting Americans’ Privacy.”

The reference to “healthcare cybersecurity” was generally not heard 10 years ago. But since 2017, when ransomware and other forms of cyberattack disabled the health system in the UK and many other U.S. providers and multinational companies, the epidemic of cyber threats against the health sector has only proliferated, impacting organizations of all sizes across the sector. Indeed, in 2017 the HHS Health Care Industry Cybersecurity Task Force report diagnosed healthcare cybersecurity to be in “critical condition.”

Threat actors are motivated to leverage ransomware attacks to monetize stolen health data and operational disruptions. The cybersecurity focus in healthcare has traditionally been on privacy and protection of healthcare data, but when healthcare data is manipulated or destroyed, and health delivery organizations (HDOs), their suppliers, service providers and payment systems are rendered inoperable, as seen in recent ransomware incidents, patient lives can be at risk.

This threat is particularly acute for small, rural, critical access and underserved, under-resourced health providers that are operating on razor-thin or negative margins and haven’t the capability to make sufficient investments in cyber preparedness and response programs.
Widely reported incidents experienced over the past few years involved some combination of disruptions affecting patient safety, business operations and clinical workflow, such as: medical records about prescriptions, diagnoses, and therapies becoming inaccessible, and some permanently lost, risking patients’ lives; clinical trial data in a research lab lost; payment systems down; inability to order or receive supplies; emergency transition to a paper system causing time lags, inefficiencies, and errors, potentially risking patients’ lives; staff furloughed, potentially risking patients’ safety; and medical devices that stop working, or whose settings are corrupted, risking danger to the patient.

In addition to the obvious impact on direct patient care, a cyberattack can inflict business risks on health providers and companies, such as disruptions to reimbursement and other financial flows, lawsuits, and regulatory penalties.

The business and delivery of healthcare are evolving through the adoption of digital consumer wellness and fitness technologies, remote care models, and the accelerating consolidation of health systems, third-party vendors, and new disruptive healthcare business models. As a result of these drivers, healthcare frequently occurs outside of hospitals and clinician offices, which requires transmission of telehealth, remote care, and home health data across uncontrolled home and public networks and cloud services. Further, valuable data derived from personal lifestyle devices such as fitness trackers and smart watches can now augment clinical data and decisions.

Cybersecurity controls for these technologies are often beyond the oversight of the traditional healthcare regulatory and oversight mechanisms. The result is technologies that are becoming increasingly important in the healthcare ecosystem but are lacking common cybersecurity protections.

Read his full statement here. Listen to an excerpt from his testimony here.
Greg Garcia is the Executive Director of the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group.

*The opinions expressed in this column are those of the author and do not necessarily reflect the views of HealthPlatform.News.