The impact on health of cyber attacks
Even the most unlikely organizations can find themselves compromised due to a cyber attack. Consider the recent intrusion into Blackbaud, a third-party technology provider which specializes in maintaining fundraising databases for charitable organizations and other nonprofit institutions. This data breach affected a wide range of American nonprofits, from the Vermont Food Bank to the George W. Bush Presidential Center, but most critically, a number of nonprofit healthcare institutions, including Maine-based , Virginia-based , and Washington State’s .
Blackbaud has come under fire for its handling of the breach, , although . Although affected users were initially told that neither financial account nor government identification information had been taken in the breach, these statements were walked back during the week of September 27, and , on September 29, Blackbaud admitted that for some affected customers, fields for unencrypted bank account information, Social Security numbers, usernames, and passwords may have been accessed.
The cyber threat to the healthcare nonprofit sector is comparable to similar threats against financial institutions, utilities and their infrastructure, and the defense industrial base. No one in the age of COVID-19 can deny that healthcare is systemically important to the wellbeing of the people of the United States. Many hospitals and health providers did not realize that their donor management software had migrated to cloud-based services/backups, and a large number of them had never re-assessed their ongoing third-party risk exposure or their use of Blackbaud services as a vendor.
Hospitals have increasingly come under cyber attack in recent years. It is not difficult to understand an attacker’s logic in targeting hospitals and other healthcare providers, which necessarily collect personally identifiable information from their patients, in addition to financial information as intermediaries between physicians, payers, government agencies, and other providers of healthcare services.
A modern hospital contains numerous critical systems that depend on information and operational technology, which can be deliberately interrupted by a successful cyber attack. These structures and conditions make hospitals inviting sites for attempted intrusions, data breaches, and ransomware attacks. Hospitals aren’t just concerned about confidentiality: disruption of services from impacts to availability, or risks to patient care stemming from data integrity failures, can be immensely impactful.
The provides an even more recent example. UHS, whose network was compromised by what appears to be across approximately 250 UHS facilities in the U.S., should underscore the importance of improving defender performance. Phone systems went offline, laboratory and radiology records became unavailable, and ambulances and emergency services were forcefully redirected as the full extent of the cyber attack was determined.
as their IT systems are being evaluated and remediated (a task which is still in progress); however, even basic healthcare functions such as scheduling medication in these hospitals have been affected by this ransomware attack.
While ransomware has undoubtedly been a contributor to negative health outcomes for patients, there is sudden renewed debate over what situations and events might be deemed the proximate cause of harm. A recent attempt attributing a death to such an event was reported , a critically ill woman requiring transport to a different hospital after University Hospital Düsseldorf’s servers were frozen as a result of a ransomware attack, delaying her emergency treatment. Immediate coverage .
Regardless of whether such an event is legally culpable or not, there is evidence that medical performance degrades following at least some types of cyber attacks. In late 2019, researchers at Vanderbilt University and the University of Central Florida published which found that acute-care hospitals which experienced a data breach had a small but statistically significant increase in their 30-day acute myocardial infarction mortality rates in the three years following the breach.
They hypothesized that this increase was associated with the lengthier time from door to electrocardiogram for patients with suspected cardiac issues, on average a difference of 2.7 minutes. Current medical guidelines recommend that an electrocardiogram be acquired and interpreted within 10 minutes of arrival to minimize mortality.
From a cybersecurity perspective, however, the most troubling part of this study was the link made by the authors between the delay and the stronger security measures put into place as part of the breach remediation process. Presumably undertaken with the best of intentions, the remediation actions that followed a data breach had translated into an increased statistical risk of mortality among patients who had suffered an acute heart attack. This clearly is not an acceptable form of risk management for cybersecurity practitioners.
This is part of why a proven technique for risk management in hospitals, the Hospital Quality Assurance Committee or HQAC, needs to have a co-equal Hospital Information and Operational Technology Quality Assurance Committee or HIOQAC.
Such a body is required to ensure that the generally poor state of hospitals’ and other providers’ information security is included in broader organizational governance, and that improvement and remediation efforts, where required, are adequately integrated with established patient care and quality control considerations. Just like patient care, security is a continuous process of improvement and not a one-time transformation effort.
Especially in sectors which focus on the broader social good, such as charities, hospitals, and healthcare institutions, a cybersecurity solution must not compromise the essential function of that organization to the detriment of its clients. In fact, we should borrow a page from their book, and follow the precept of the ancient physician, Hippocrates: first, do no harm.