Why is the healthcare industry still so bad at cybersecurity?
Many articles about cybersecurity risks in healthcare begin with descriptions of live simulations (so when in Rome). Imagine a doctor, completely unaware of what they’re walking into, triaging two patients: one in need of a hospital cardiac catheterization lab after an irregular electrocardiogram (EKG) reading, the other suffering from a stroke and needing a CT scan. All systems are down due to ransomware, so the physician working through the scenario can’t access electronic health records or use any of the assessment methods modern medicine is so reliant on. So, what to do?
There are all kinds of scary scenarios like this that become possible when a hospital or other healthcare provider gets pwned. And the health industry has consistently been getting pwned as of late. In 2019, health organizations continued to get hit with data breaches and ransomware attacks, costing the sector an estimated $4 billion. Five US healthcare organizations reported ransomware attacks in a single week last June. A Michigan medical practice closed last spring after refusing to pay ransomware to attackers. And in 2018, healthcare entities reported 41 percent of incidents—the highest number of any sector. The attacks are even becoming more severe and more sophisticated, too.
It’s not hard to imagine other modern nightmares like the EKG swap above. For example, malfunctioning pacemakers could lead to patients experiencing shocks they don’t need, or blood type databases could get switched and cause chaos due to an integrity attack. All four of these scenarios were in fact conducted during the two latest CyberMed Summits, a conference founded in the aftermath of 2017’s WannaCry attacks. “The world’s only clinically-oriented health-care cybersecurity conference” now annually brings together physicians, security researchers, medical device manufacturers, healthcare administrators, and policymakers in order to highlight and hopefully address vulnerabilities in medical technology.
These days, CyberMed may be the quickest way to get a sense of what’s at stake in a wildly vulnerable healthcare ecosystem where hospitals frequently run out-of-date or unsupported software and where there’s currently no financial incentive to patch patients’ medical devices. After talking with individuals from both medical and security backgrounds at the most recent summit, it’s clear a myriad of issues have come together in a somewhat (im)perfect storm. And this community is hoping today’s sad state of healthcare cyber hygiene can be fixed before anyone gets hurt or killed.
The “Last Mile” awareness problem
Borrowing a term from the telecommunications industry, the theme of the 2019 summit in November was “solving the last mile problem.” How do experts in the intersection of cybersecurity and medicine get what they know propagated to the people who need it?
“It’s great if we are at the CyberMed Summit, we’re talking to the FDA, we’re talking to the device manufacturers, and we’re talking to the people in hospitals at the C-suite level that make many decisions. We come up with all these great ideas and we come up with all this awareness about these problems, but if it doesn’t filter down to the individual clinician with the individual patient at the bedside, then all of it is really for naught,” said Dr. Jeff Tully, a co-founder of CyberMed and a pediatrician and an anesthesiology fellow at the University of California Davis. “If the concept of this big systemic movement is not translated to individual people, then it’s not as effective.”
“I have a lot of patients that I need to take care of, and I have only a finite amount of time to take care of them,” said Dr. Christian Dameff, Tully’s co-founder and the Medical Director of Cybersecurity at University of California San Diego. “Even with my cybersecurity expertise and my understanding of these problems, I still really wrestle with the thought of, ‘If I’m only going to see this patient for 15 minutes and might not ever see them again, do I talk to them about patching their pacemaker, or do I talk to them about their horribly uncontrolled diabetes and high blood pressure?’ Ideally, those things would not be mutually exclusive, but that’s just not the reality of modern medicine and modern healthcare.”
It’s a problem that Dr. Suzanne Schwartz, Associate Director for Science and Strategic Partnerships in the Food and Drug Administration (FDA)’s Center for Devices and Radiological Health, says is the organization’s biggest challenge. How can medical professionals bring in patients and providers that need to be aware of and participate in cybersecurity-related discussions across the industry? It’s why the FDA convened a public meeting of its patient engagement advisory committee last fall to specifically discuss medical device cybersecurity. (An entire webcast of the seven-hour event is still available online.)
“Patients can be really important drivers here, patients that have implantable devices that have cybersecurity-related concerns associated with them, or patients that have connected devices at home or elsewhere,” Schwartz said. “It is important that they be best informed and that they be positioned to have conversations with their physicians in order to understand the importance of receiving updates and patches and that when vulnerabilities are identified that those vulnerabilities are appropriately assessed and mitigated so that their devices continue to function safely and effectively.”