As the healthcare industry continues its rapid transformation through the adoption of digital technologies, it is also confronted with an ever-expanding range of cybersecurity threats.
In this Help Net Security interview, Dr. Omar Sangurima, Principal Technical Program Manager at Memorial Sloan Kettering Cancer Center, discusses the impact of cyberattacks on patient safety and care delivery, emphasizing how disruptions to critical healthcare services can harm patients and even lead to life-threatening situations.
Can you discuss the magnitude of the cybersecurity challenges that healthcare organizations face today?
Healthcare organizations today face a multitude of cybersecurity challenges that are unprecedented in their scale and complexity. The healthcare industry has long been a prime target for cybercriminals due to the vast amounts of sensitive patient data stored in electronic health record (EHR) systems. As the industry continues to digitize and adopt modern technologies, the volume and complexity of this data will only continue to grow, making healthcare organizations an even more attractive target for cyberattacks.
In addition to the sheer amount of data that healthcare organizations must protect, they also face significant challenges related to the diversity and complexity of their IT systems. Healthcare organizations often have multiple EHR systems, as well as a variety of other applications and networks that must be secured.
We also saw a really big shift when SolarWinds hit – the whole world essentially was adversely affected by third-party risk. The vendors did everything right, but there was still an opening; the attack surface was larger than they thought. This really brought into focus the need for a comprehensive approach to third-party risk management as well. This complexity makes it challenging to ensure that every system is properly secured and that vulnerabilities are identified and addressed in a timely manner.
The consequences of a successful cyberattack on a healthcare organization can be severe, including the compromise of patient data and potential harm to patients. In some cases, cyberattacks have even led to the disruption of critical healthcare services, putting patients’ lives at risk. Given the high stakes involved, it is critical that healthcare organizations take cybersecurity seriously and implement robust security measures to protect themselves and their patients.
In short, the magnitude of the cybersecurity challenges facing healthcare organizations today cannot be overstated. With the continued growth of digital technologies and the increasing sophistication of cyberattacks, it is more important than ever for healthcare organizations to prioritize cybersecurity and take proactive steps to protect their systems and data.
Can you shed some light on how cyberattacks can directly affect patient safety and care delivery?
Cyberattacks can have a direct impact on patient safety and care delivery in a variety of ways. For example, when a healthcare organization is hit with a cyberattack, the attackers may gain access to sensitive patient data, including personal information, medical histories, and even financial information. This data can then be used for identity theft, insurance fraud, and other malicious activities, putting patients at risk of financial harm.
Cyberattacks can disrupt critical healthcare services, such as electronic health record systems. Electronic health records are crucial for keeping track of patient care, medications, appointments, and more. Disruptions in the system can cause delays in treatment and harm patients. If a healthcare provider is unable to access a patient’s medical history due to a cyberattack, for example, they may not be aware of a pre-existing condition or allergies, which can lead to profound consequences.
In some extreme cases, cyberattacks have even led to the shutdown of entire healthcare facilities, putting patients’ lives at risk. For example, there was the ransomware attack in Dusseldorf last year that led to an outright patient death from its disruptions.
How does the reliance on a disconnected security architecture composed of numerous point solutions impact the overall cybersecurity posture of a healthcare organization?
In a word: visibility. The lack of it leads to a lack of control over the organization’s security environment, making it challenging to identify and respond to threats in a timely manner.
Moreover, the complexity of managing multiple security solutions can lead to inefficiencies and gaps in coverage, leaving the organization vulnerable to attack. The lack of agility and flexibility in the existing security approach can also hinder the organization’s ability to keep up with the constantly evolving threat landscape.
Therefore, a more holistic and integrated security approach is needed to address the challenges in the healthcare industry. Such an approach can help healthcare organizations improve their cybersecurity posture and protect sensitive patient data by providing more visibility, control, and agility in the organization’s security environment.
This extends to the myriad of third-party vendors and service providers used by the organization and is the reason why industry initiatives such as the Health3PT are so important. By adopting a more proactive and strategic approach to cybersecurity, healthcare organizations can reduce the risk of data breaches and protect patient privacy while ensuring compliance with regulatory requirements.
How does the risk of cyberattacks on electronic health records and other systems translate into patient privacy issues?
Healthcare organizations can face severe privacy issues if their systems are compromised. The privacy of patient data is a crucial aspect of healthcare, and the compromise of sensitive information can lead to privacy violations, eroding patient trust in the healthcare system. Patients expect their healthcare providers to take every measure to protect their sensitive data, and any breach of this trust can have severe consequences. Cyberattacks signal an ever-present risk of exposing confidential data, at multiple junctures. The advent of supply-chain attacks has introduced a new wrinkle into the overall threat landscape, still with a familiar outcome: patients must now worry not only about their data being exposed by a care provider to the public, but also about the possibility that even erstwhile trusted partners of said provider can aid or facilitate said exposure.
In the wake of a successful cyberattack, how might a healthcare organization’s reputation be impacted, and what are the long-term consequences?
This is a question of varying degrees. There are those attacks that are the result of, for lack of a better phrase, sheer bad luck. An organization was doing the right things, continuously trying to improve their posture, making changes where necessary, and they were compromised through little to no fault of their own. However, these are sadly exceedingly rare, and what we are left with in most cases are instances where there was absolutely something an organization could have done to mitigate a breach, or at the very least, lessen the impact when one occurred.
Even in these instances, reputational damage exists on a continuum, where the organizational perception of wrongdoing can be fluid (and is often a function of how easily the nuances of a breach can be explained, which makes continued journalistic vigilance and partnership so important). However, there are yet worse cases where an organization was not only negligent in their handling of their cyber duties of care but were then observed to be actively obtuse in their handling of the incident post-occurrence – and it is at these junctures where the worst reputational damage (rightfully) occurs. Who wants to trust an organization with its most intimate (and not to mention, mostly immutable) data when said org seems to take a lackadaisical stance on keeping said data sacred?
What would you suggest as best practices for healthcare organizations looking to improve cybersecurity, especially in the Internet of Medical Things (IoMT) context?
Briefly, be purposeful in your use of technology. I am an enthusiastic fan of the use cases out there for many IoMT devices – if the prospect of bringing new and innovative solutions to long-standing medical conundrums did not excite me, then I would be in the wrong field. Yet, I am most troubled by a rash of (particularly in this slice of the tech landscape) putting the carts before their horses. For what is the tech being used? What is the outcome sought? Is there anything we have in our environment that is similar in scope and could hopefully provide some ground rules on what security measures are appropriate?
The “A” in “CIA” can oftentimes take (justifiably) precedence when taking a holistic view of an environment or tech stack…but there must be a time when “C” and “I” get some attention. Otherwise, we risk rushing headlong into a world where great innovations become mere vectors for increasingly damaging bouts of identity theft and other fraudulent schemes. If you can show me an organization with a steady vision and solid roadmap for what it wants to do with tech, then you are more likely to be describing one that is ready (and able) to do so securely.