By Shira Rubinoff, Chief Strategy Officer of HeraSoft
In a world increasingly reliant upon electronic communications, operations, and artificial intelligence, the alarm is sounding across the globe on the need for greater cybersecurity. Nowhere is the urgency more deafening than in the healthcare arena.
While other sectors, the financial world for example, have been adopting new protocols and measures to bolster and protect their interests from cyberattacks, the world of medicine remains terrifyingly vulnerable and has been slow to adapt to the increasing threat of cyber terror. This matters perhaps more than anything else, as it can mean the difference between life and death.
Doctors and healthcare workers have spent the past few decades committed to security in the form of patient privacy, but have yet to broadly recognize that a cyberattack on hospital software, equipment, or even facilities is far more than a computer or administrative matter; it is indeed a medical one, and patient safety is at risk.
Some forms of attack may involve malware or ransomware, such as the notorious 2016 and 2017 WannaCry, NotPetya, and Locky attacks, the last of which resulted in a hefty bitcoin payout by a hospital to criminals demanding a ransom payment in order to restore operations.
And not only large-scale medical centers are at risk. Individual medical devices like pacemakers, implants, or even infusion mechanisms may be targeted, resulting in untold damage. Anything that is connected to the internet is potentially at risk.
One particularly frightening scenario is hacking into imaging software, with the potential for manipulation of scans, reports, and ultimately treatment plans, or the lack thereof.
A small team at the Cyber Security Research Center of Israel’s Ben-Gurion University, led by Yisroel Mirsky and Yuval Elovici, set out to test just that. They created malware to simulate such a threat, which, they warned, could be used against a public figure such as a politician, potentially affecting an election or world politics in general.
The stakes couldn’t be higher. The researchers conducted tests involving actual CT scans of lungs, seventy of which were manipulated with the malware by adding fake cancerous nodules or removing real malignant findings. The results were sobering. Three seasoned radiologists were tricked over ninety percent of the time, misdiagnosing healthy patients as sick and giving truly sick patients a clean bill of health. Even specialized lung-cancer screening software, frequently used to confirm diagnoses, was fooled and delivered incorrect findings.
While the Israeli experiment may have fanned the flames of urgency in the world of healthcare, the sector may still be slow to adopt effective cybersecurity protocols and measures in real time. Suzanne Schwartz, MD, the Food and Drug Administration’s associate director for Science and Strategic Partnerships, who has been leading some of the FDA’s efforts to secure medical devices and equipment, noted that many health organizations simply do not have the funding needed to invest in this endeavor. Besides the acquisition of new, secure equipment (hardware, software and networks), there will be training involved, and the complete overhaul of some systems. Furthermore, many systems are simply antiquated and will not support the newer technologies or patches.
One company was prepared to meet the threats posed by emboldened cyber criminals: Sutter Health, a North Carolina-based healthcare system, which successfully ducked the NotPetya attack that devastated untold others. Serving three million patients annually, the organization was hit by a whopping 87 billion cyberthreats in 2018 alone, according to its chief privacy and information security officer, Jacki Monson.
Sutter was early to recognize the magnitude of cyber-threats and, recognizing that there was no way for humans to screen every threat in person, employs AI technology to identify, categorize and evaluate threats as they appear on its radar. Once threats are ranked according to threat level and potential damage severity, a human team then works to apply software patches or block emails or other communications channels that are flagged as malicious. Even with all of its safeguards and its ability to respond to NotPetya by rapidly moving off the affected system, Sutter Health faced a backlog of over one million patient files. That setback was due to its reliance upon partners like Nuance, a Massachusetts-based medical transcription service, which wasn’t prepared to meet the cyberthreat. Nuance’s systems were paralyzed by the NotPetya attack for weeks, affecting thousands of health care companies around the world.
Besides the cost factor, some devices and systems simply cannot be patched. In those cases, patient care will almost certainly be negatively impacted, as the affected equipment will have to be pulled out of circulation and is unlikely to be replaced anytime soon. Furthermore, the addition of security measures, staff training and other operational safeguards all take time and will affect scheduling, leading to the potential for delays in treatment and decreased operational efficiency.
Leading thinkers in the field believe that healthcare providers must begin to understand that cybersecurity in healthcare is a safety issue, a human life issue, and not merely a computer or administrative issue far removed from their own professional niche.
Some are suggesting that cybersecurity training ought to be incorporated into medical school curricula, and that training would-be doctors in cyber-threat simulations would make them more aware of, appreciative of, and responsive to real-life threats once they are practicing.
Monson recommends incentivizing hospitals to invest in education and collaboration, for and between physicians, nurses, IT professionals, and manufacturers. “At some point, we’re going to need regulatory intervention to push the dial,” she said. “It doesn’t seem like voluntary is working. For patient safety, we shouldn’t be taking the chance.”
Dr. Schwartz agrees. “It’s going to require changes that go well beyond devices… This is where engaging with and involving other authorities and trying to bring the entire community together becomes really important.”
Patient awareness, concern, and outcry may help drive this movement. Hopefully, the US market will not have to face a UK-style WannaCry attack before moving forward with greater urgency.