The COVID-19 pandemic has been the greatest public health emergency in the last century. But we now are at the precipice of another public health crisis–the impact of the increasing frequency and severity of cybersecurity breaches. This is a universal concern as virtually all of healthcare, from remote clinics to major research institutions, is now on a connected digital platform that is regional, national and international.
Cybersecurity breaches on healthcare organizations and patients usually involve the theft of personal health information, personal identity information as well as ransomware and the potential to hack and control medical devices. While other threats to operations, such as storms, can be foreseen days ahead of time, cyberattacks are sudden, immediately disruptive, may be massive in scope and often are the work of organized groups with malevolent intent. They may lay dormant in systems for extended periods before being triggered by some seemingly innocent activity.
The ramifications of these breaches for healthcare organizations and patients are dire. The recent ransomware attack on Scripps Health shut their systems down for over two weeks and overloaded neighboring hospital emergency departments and specialized care units with diverted patients. Compounding this dynamic are cyberattacks on other critical sectors like electricity, water purification systems, communications and emergency services that can indirectly produce significant patient-safety issues. The clinical implications from upstream breaches reinforce the concept that cybersecurity for all critical infrastructure sectors is essential to ensure delivery of care. If we don't significantly enhance our preparations for this risk now, we will repeat the disorganized COVID-19 response during early 2020.
The recent ransomware attack on the Colonial Pipeline Co. is an example of the unanticipated downstream effect on healthcare of a ransomware attack on the energy sector. Although loss of electricity is normally the first energy concern with this sector, a shortage of gasoline because of the effect on pumping and delivery can have an acute impact on ambulances, other care delivery vehicles, commuting hospital staff, patients, and trucks bringing supplies. This was experienced in the New York area after Superstorm Sandy in 2012.
As the single largest share of the national economy, healthcare is could be affected by a cyberattack in almost any other critical sector, and they in turn could be affected by a healthcare compromise. Large attacks on the food supply chain could potentially cause major food shortages, which would also affect the most vulnerable. The transportation sector is also a critical link in our just-in-time economic model. This would be exacerbated by a cyberattack shutting down port operations and cutting supplies from global supply chain sources.
A major attack on our water supplies would have massive impact, not only limiting care delivery, but also increasing the need for medical care as the public turns to fewer safe sources of water. Denial of service attacks that overwhelm the 911 system can cripple the emergency services sector, resulting in the inability to respond to medical emergencies. Loss of phone communications, which are now primarily Voice Over Internet Protocol in hospitals, could disrupt internal and external hospital communications.
These are only some examples of how other critical infrastructures are intertwined with healthcare. The solutions for mitigating weaknesses in these interdependencies are neither easy nor guaranteed, but as with all problems the first step is to admit there is a problem. The healthcare industry, including leaders at providers, pharmaceutical and medical device companies, supply chain companies, and the government need to intensify their efforts to jointly develop a constantly evolving strategy to address these vulnerabilities.
Healthcare organizations currently do a hazard vulnerability assessment yearly, but they are based on a single event such as a hurricane, wildfire or pandemic. These need to be reconsidered with the compounding impact of cyberbreaches resulting in either loss of data or secondary effects from other sectors. We must think broadly given that healthcare organizations are no longer siloed from each other or from other sectors of the national infrastructure on an increasingly integrated digital platform. This change in mindset and commitment to escalating the importance of this imperative needs to be reinforced as the tempo and sophistication of attacks escalates, lest we be at the mercy of both criminal groups and nation states.
There are already several venues for private/public partnerships that are building the needed resilience. This year is the 25th anniversary of the national InfraGard program–a private/public partnership with the FBI involving cross-sector discussions and information sharing on threats and remediations. Similarly, there is robust private/public cooperation among the many sector coordinating councils, including the Health Sector Coordinating Council, representing critical infrastructure owners and operators, trade associations, industry representatives, with their Government Coordination Councils counterparts for each SCC. These groups, supported as trust partnerships by the Department of Homeland Security, meet frequently to proactively protect our critical infrastructures with tactical, operational, strategic and policy tools.
It is imperative that all in the healthcare sector join these types of partnerships to both stay informed and to contribute. Cybersecurity is not just an information technology problem, but one that can directly impact the care that is delivered daily across the country. It is our professional responsibility to be engaged.