Dec 22, 2020

The impact on health of cyber attacks

Cyber Security
Cyber Attacks
Jason Crabtree
5 min
The impact on health of cyber attacks
Jason Crabtree, CEO and Co-founder of cybersecurity specialists QOMPLX, explains why quality assurance around IT must be part of hospitals' plans...

Even the most unlikely organizations can find themselves compromised due to a cyber attack. Consider the recent intrusion into Blackbaud, a third-party technology provider which specializes in maintaining fundraising databases for charitable organizations and other nonprofit institutions. This data breach affected a wide range of American nonprofits, from the Vermont Food Bank to the George W. Bush Presidential Center, but most critically, a number of nonprofit healthcare institutions, including Maine-based Northern Light Health Foundation, Virginia-based Inova Health Systems, and Washington State’s MultiCare Foundation.

Blackbaud has come under fire for its handling of the breach, which initially took place on February 7, 2020, and remained undetected until May 14, although its affected clients were not informed until July 16. Although affected users were initially told that neither financial account nor government identification information had been taken in the breach, these statements were walked back during the week of September 27, and in its latest 8-K filing, on September 29, Blackbaud admitted that for some affected customers, fields for unencrypted bank account information, Social Security numbers, usernames, and passwords may have been accessed.

The cyber threat to the healthcare nonprofit sector is comparable to similar threats against financial institutions, utilities and their infrastructure, and the defense industrial base. No one in the age of COVID-19 can deny that healthcare is systemically important to the wellbeing of the people of the United States. Many hospitals and health providers did not realize that their donor management software had migrated to cloud-based services/backups, and a large number of them had never re-assessed their ongoing third party risk exposure or use of Blackbaud services as a vendor.  

Hospitals have increasingly come under cyber attack in recent years. It is not difficult to understand an attacker’s logic in targeting hospitals and other healthcare providers, which necessarily collect personally identifiable information from their patients, in addition to financial information as intermediaries between physicians, payers, government agencies, and other providers of healthcare services. 

A modern hospital contains numerous critical systems that require information and operational technology systems, which can be deliberately interrupted by a successful cyber attack. These structures and conditions make hospitals inviting sites for attempted intrusions, data breaches, and ransomware attacks. Hospitals aren’t just concerned about confidentiality - disruption of services from impacts to availability or risks to patient care stemming from data integrity failures can be immensely impactful.

The September 27 attack on Universal Health Services provides an even more recent example. UHS, whose network was compromised by what appears to be a version of Ryuk ransomware across approximately 250 UHS facilities in the U.S., should underscore the importance of improving defender performance. Phone systems went offline, laboratory and radiology records became unavailable, and ambulances and emergency services were forcefully redirected as the full extent of the cyber attack was determined. 

The affected hospitals have currently returned to pen and paper record-keeping as their IT systems are being evaluated and remediated (a task which is still in progress); however, even basic healthcare functions such as scheduling medication in these hospitals have been affected by this ransomware attack.

While ransomware has undoubtedly been a contributor to negative health outcomes for patients, there is sudden renewed debate over what situations and events might be deemed the proximate cause of harm. A recent attempt attributing a death to such an event was reported in Germany in September 2020, a critically ill woman requiring transport to a different hospital after University Hospital Düsseldorf’s servers were frozen as a result of a ransomware attack, delaying her emergency treatment. Immediate coverage overreached regarding direct culpability.

Regardless of whether such an event is legally culpable or not, there is evidence that medical performance degrades following at least some types of cyber attacks. In late 2019, researchers at Vanderbilt University and the University of Central Florida published an article which found that acute-care hospitals which experienced a data breach had a small but statistically significant increase in their 30-day acute myocardial infarction mortality rates in the three years following the breach. 

They hypothesized that this increase was associated with the lengthier time from door to electrocardiogram for patients with suspected cardiac issues, on average a difference of 2.7 minutes. Current medical guidelines recommend that an electrocardiogram be acquired and interpreted within 10 minutes of arrival to minimize mortality.

From a cybersecurity perspective, however, the most troubling part of this study was the link made by the authors between the delay and stronger security measures put into place as part of the breach remediation process. Presumably with the best of intentions, remediation actions associated with a data breach had been transferred to an increased statistical risk in mortality among patients who had suffered an acute heart attack. This clearly is not an acceptable form of risk management for cybersecurity practitioners. 

This is part of why a proven technique for risk management in hospitals –the Hospital Quality Assurance Committee or HQAC – needs to have a co-equal Hospital Information and Operational technology Quality Assurance Committee or HIOQAC.  

Such a body is required to ensure that the generally poor state of hospitals and other providers information security is included in broader organizational governance and that improvement and remediation efforts, where required, are adequately integrated with established patient care and quality control considerations. Just like patient care, security is a continuous process of improvement and not a one-time transformation effort. 

Especially in sectors which focus on the broader social good, such as charities, hospitals, and healthcare institutions, a cybersecurity solution must not compromise the essential function of that organization to the detriment of its clients. In fact, we should borrow a page from their book, and follow the precept of the ancient physician, Hippocrates: first, do no harm.

Share article

May 24, 2021

Schneider Electric's intelligent patient room: need to know

2 min
We take a look at Schneider Electric's new smart patient room. 

Schneider Electric has launched a virtual showcase that features its new "intelligent patient room". What is it exactly? 

Who: Schneider Electric is a multinational that develops energy and automation solutions for many different industries - including hospitality, education, defence, and healthcare. Founded in 1836, today it is a Fortune 500 company, and it currently provides technology to 40% of hospitals around the world, among them Penn Medicine, one of the top hospitals in the US where Schneider's EcoStruxure for Healthcare is deployed, an IoT solution. 

What: Schneider has launched its Innovation Experience Live Healthcare Lab, an immersive experience that takes visitors through a demonstration of a hospital, including the doctor’s office, the operating room, and the intelligent patient room. 

The room features a digital patient footwall - a touchscreen that creates a single reference point for patients, families and healthcare providers, by incorporating care information, entertainment and environmental controls all in one place.  A separate digital patient door display has important information for healthcare staff. 

All Schneider's equipment is low-voltage, and integrated so that the patient room, clinical needs and IT are all seamlessly connected, what Schneider calls a digital “system of systems.”

Why:  Mike Sanders, Customer Projects & Services in Healthcare Innovation at Schneider Electric, explains: “The hospital of the future will need to put the patient experience at the forefront, using innovative and connected systems to provide superior in-hospital care experiences.” 

“With the shift to remote work and business brought forth by the pandemic, we knew that we needed to invest in a new virtual experience that showcases our vision for a truly integrated healthcare experience. We believe our intelligent patient room is the solution that our healthcare partners and customers have been looking for, and we’re excited to offer a way for them to experience it no matter where they are in the world.”

Where: The virtual experience was modelled after the new innovations installed at Penn Medicine in Philadelphia, the first real-world installation of Schneider Electric’s fully integrated intelligent patient room technology. It is currently being hosted at the company’s St. Louis Innovation Hub and Innovation Executive Briefing Center (IEBC) facility.  

Share article