- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Aaron F. Brantly is an assistant professor in the Department of Political Science at Virginia Tech and was a contributing expert on the Cyberspace Solarium Commission.
In the midst of the coronavirus pandemic, nations and their citizens are poised to learn more about the strength and resilience of their health-care systems, not only in their ability to provide treatment for Covid-19, but also in their ability to manage and maintain the confidentiality, integrity, and availability of health technology systems. These systems include electronic health records and medical devices. Existing diagnoses of national health-care system cyber resilience have indicated severe vulnerabilities and weak points. A recent unsuccessful cyberattack against The U.S. Department and Health and Human Services (HHS) highlights the need for a “patient-centric” approach to health-care cybersecurity. This approach would emphasize the security of patient data, patient safety, and cooperation between physicians, patients, and their families in the management of treatments, data, and medical devices.
Nearly every patient in the United States has an electronic health record as a result of rules established by the Centers for Medicare and Medicaid Services. These records are intended to be managed in line with the Health Insurance Portability and Accountability Act (HIPAA). Based on records from the HHS’ Office for Civil Rights, in the last eleven years more than 2,500 breaches, each impacting 500 persons or more, resulted in the loss of more than 175.5 million patient records in the United States. Analysis of the breaches indicates that nearly 98 percent of all breaches occurred via networked devices and data repositories.
Data and cybersecurity in medicine are anything but new problems. Rather, the data security of medical devices dates back to at least 1976 and the Medical Device Regulation Act and is examined on a recurring basis by both HHS and, in particular, the Food and Drug Administration. Yet, despite more than eleven major laws and dozens of regulations at the federal level and a bevy of legislation at the state level, extreme examples of health-care cybersecurity failures abound in the United States and globally. The issue of cybersecurity in health care is not limited to the management of patient records but is rather an ecosystem-wide challenge that plagues health systems at nearly every level.
For example, the May 2017 WannaCry ransomware attack launched by the North Korean-linked Lazarus Group severely impacted the provision of health services within the United Kingdom’s National Health Service and resulted in 6 percent fewer admissions than normal, including 4 percent fewer emergency admissions and 9 percent fewer elective procedure admissions. This is not a rare occurrence. There are indications that cyberattacks against hospitals and other health-care providers are increasing in severity and impacting the availability and quality of care.
The problem of cybersecurity within the health-care industry is multicausal. Hospitals, physicians, insurance companies, medical device manufacturers and other groups throughout the ecosystem are increasingly leveraging internet-enabled technologies. Very often these technologies and the software they run are proprietary and unique to each device manufacturer, hospital, and insurance provider. The custom nature of these products hinders cyber breach prevention and remediation efforts because updating them is often laborious, costly, and breaks interoperability across different platforms in a health system. When pacemaker vulnerabilities were discovered in the early 2000s, then-Vice President Dick Cheney had some of the features on his pacemaker deactivated.
This challenge is underscored in recent research by Palo Alto Networks indicating that upwards of 83 percent of all medical imaging devices run unsupported (out of date) operating systems. Conversations with imaging service providers suggest many are still running Windows XP, which hasn’t been supported since April 2014. This highlights a larger issue within the health-care industry, which is both simultaneously booming and being challenged by costs at various levels. Large financial outlays for devices force many smaller providers to use equipment well beyond its advertised end of life date. While this equipment remains functional, the underlying software exposes these and other devices within health IT networks to increased risks. Technological progress, such as the deployment of machine learning and artificial intelligence in products, including closed-loop insulin delivery systems and oncology treatment planning, will introduce new vulnerabilities.
Internet connectivity issues in technology-enabled care options also change patient and caregiver behaviors. In November 2019, a server issue caused the Dexcom Share Platform to go down in the middle of the night. Thousands of caregivers didn’t know they would no longer receive alerts if their patient’s blood glucose either went too low (hypoglycemia) or too high (hyperglycemia). Both of these conditions are potentially fatal. Consequently, caregivers who might normally sleep through the night relying on a digital system to inform them of changes in glucose were unable to do so, resulting in a diminished quality of life for both them and their patients.
Patient-centric approaches to health-care cybersecurity should focus on increasing transparency of how patient data is used and protected, ensuring interoperability of different health-care devices, and streamlining patches and updates to digital health systems. The FDA, HHS, and the State of California, among others, have made substantial strides in these areas, but much work is still left to be done. I endorse the recommendations made by the U.S. Cyberspace Solarium Commission, a congressionally authorized examination of U.S. strategy in cyberspace, for increasing the defense and security of cyberspace through resilience and public- private-sector collaboration. For health care, the recommendations entail increasing coordination between physicians, patients, health IT providers, and device manufacturers and giving patients and physicians control over their data and devices. This will reorient security concerns back towards those most vulnerable within the health-care system, the patients.