Cybersecurity in healthcare: A matter of life and death
With healthcare information technology now pervasive in the industry, it’s crucial to understand the surge of cyberthreats and how they threaten patient safety.
The intersection of healthcare and technology has paved the way for unprecedented advances, fostering efficiency and innovation. Yet, as we delve deeper into the digital realm, we expose healthcare to an escalating wave of cybersecurity threats.
These incidents pose a profound risk, penetrating beyond the realm of privacy concerns to directly jeopardize patient safety. Now more than ever, the healthcare IT community must recognize and confront this reality. Cybersecurity is not just a technical issue; it’s a matter of life and death.
Understanding the current landscape
The modern healthcare IT ecosystem is a complex web of interconnected systems, devices and data flows, offering ample targets for malicious actors. Cybersecurity incidents, including phishing and ransomware attacks, are rapidly escalating in frequency and sophistication.
Check Point Research found that in 2022 healthcare organizations in the U.S. suffered an average of 1,463 weekly cyberattacks per organization, a 74 percent increase over 2021. These attacks are no longer rare occurrences but ongoing threats. And as of this June, Mandiant Threat Intelligence reported 114 threat actors currently targeting the U.S. healthcare industry.
Sun Tzu taught us that understanding the enemy is the first step toward devising strategies to defeat it; for healthcare organizations, the stakes could not be higher. The healthcare IT community must comprehend these threats' nature and pervasiveness within the ecosystem to effectively protect patients.
The ramifications of cybersecurity breaches are no longer confined to data loss and financial impact. They cross that boundary to inflict a far more severe toll on patient safety.
A seminal survey conducted in 2018 by researchers at UC San Diego underscored this, finding that as many as 1,000 patients suffered harm from cybersecurity attacks on healthcare delivery organizations involving ransomware, malware or an attack on an electronic health records system. Similarly, a 2023 Ponemon Institute study connected the dots between ransomware attacks and patient safety, underscoring how these incidents can paralyze healthcare services, leading to potentially life-threatening situations.
These incidents are not hypothetical risks – they are harrowing realities that unravel the disturbing impacts of cybersecurity breaches on patient safety. The healthcare community must ensure such incidents become exceptions rather than the norm.
Medical device vulnerabilities
In the healthcare sector, implantable devices have emerged as silent potential vectors of cyberattacks. As these devices gain connectivity and advanced functionalities, they unwittingly expose patients to the threats lurking in the digital shadows.
A 2022 study by Palo Alto Unit 42 looked at 200,000 infusion pumps and identified more than 40 different vulnerabilities and in excess of 70 different security alerts among the devices, with one or more affecting 75 percent of the infusion pump devices analyzed.
This data highlights the fact that cyber threats can affect more than just data; they can compromise the devices that keep patients alive. It's a wake-up call that demands urgent action.
The specter of cyber threats looms over data and medical devices, and casts a long shadow over medical imaging and diagnostics. A groundbreaking study from Ben-Gurion University demonstrates this stark reality by manipulating medical images using artificial intelligence techniques.
By adding or removing signs of medical conditions from CT scans, researchers could generate false positives or negatives, leading to fictitious diagnoses. The potential implications of such manipulation are truly chilling – patients might undergo harmful, unnecessary treatments, or life-threatening conditions could be overlooked.
The healthcare IT community must recognize this invisible danger. It's not just about safeguarding data or devices; it's about protecting the integrity of diagnoses, the foundations of treatment plans.
Implications of incidents on patient safety
In untangling the web of cybersecurity threats, we also must consider their broader implications. Beyond immediate disruptions, these incidents cast a long, often unseen, shadow over patient safety.
The 2019 study by Choi et al. highlights this, suggesting an unsettling increase in patient mortality rates after cybersecurity breaches. That’s likely because breach remediation efforts were associated with deterioration in the timeliness of care and patient outcomes.
Additional resources, like the 2021 study titled "Cybersecurity in Healthcare: A narrative review of trends, threats and ways forward," spotlight cybersecurity as a formidable healthcare hazard, stressing risks that range from individual patient harm to large-scale public health crises. It's a sobering reminder of the far-reaching consequences of cyber threats.
The mission of healthcare IT is clear – prioritize patient safety, confront cybersecurity challenges and heed these calls for attention. The response cannot be static in this ever-evolving landscape of cyber threats. It demands proactive measures, regulatory support and leadership to enforce robust cybersecurity practices.
Inculcating a culture of security awareness, prioritizing investments in cutting-edge cybersecurity measures and developing comprehensive security programs are no longer optional — they're mandatory. Emerging trends and technologies must be harnessed to bolster defenses. The path may be fraught with challenges, but the cost of inaction is too high.
Cybersecurity in healthcare is a battle we cannot afford to lose. The digital realm in healthcare, ripe with promise, also brings perilous threats. These threats transcend the boundary of data and finances to penetrate the sanctum of patient safety. The healthcare IT community must safeguard patients against the invisible yet potent danger of cyber threats, ensuring that systems and devices, which are designed to preserve life, don't become conduits of harm.
Jon Moore, JD, MS, HCISPP, is chief risk officer and senior vice president of consulting and customer success for Clearwater.