Could International Cyber Conflicts Really Reach U.S. Healthcare?
Could the cyberwarfare erupting around international political and military conflicts really intrude into U.S. healthcare and affect patient care organizations in this country? In a Perspectives article in The New England Journal of Medicine online, Eric Perakslis, Ph.D., analyzes that very question. His article, “Responding to the Escalating Cybersecurity Threat to Health Care,” was published on Thursday, Sep. 1.
Perakslis is the chief science and digital officer and chief research technology strategist at Duke University. He opens the article by writing that, “Less than a month after Russia’s horrific invasion of Ukraine, U.S. President Joe Biden issued an unprecedented warning to all critical infrastructure sectors in the United States to prepare for cyberwar.[1] Since then, we have observed an ongoing and escalating cyber conflict that so far has not spilled over significantly into critical medical infrastructure. Are we ready if it does? Indeed, do most health care professionals even know what cyberwar is and how it differs from ‘ordinary’ cyberattacks? And how should clinicians and administrators interpret or respond to these warnings?” he asks.
Further, he writes, “Although it lacks a universally accepted definition, the term ‘cyberwar’ typically describes politically motivated attacks aimed at sabotage or deliberate attacks on information systems for strategic or military purposes. In cyberwar, the intent is to create disruption and destruction — by disabling a power grid, for example, or contaminating a water supply with raw sewage. These attacks are organized, physical, and multidimensional; furthermore, there is no opportunity to pay ransom to alleviate the attack, as there is with ransomware.”
And, he notes, “The president’s warning comes at a time when the cyberthreat to health care has never been greater. In 2021, the American Hospital Association reported 36,241,815 hospitalizations in the United States[2]; during the same period, 40,099,751 medical records were stolen, according to federal reports.[3] Beyond theft, attacks that disrupt clinics, cause patient diversion, or bankrupt physician practices are all on the rise.”
“Fortunately,” Perakslis writes, “clinicians can protect themselves and their patients from the worst of these attacks, in part by means of precautions and preparation. Clinicians should advocate for limiting the number of Internet-connected devices within their practice settings. The ‘attack surface’ of any clinic is the total number of potential access points for an adversary, which includes Internet-connected devices, accounts, networks, websites, software applications, and patient portals. Removing unnecessary Internet connections can lower the threat level geometrically. Doing so is especially critical at times of increased threat, such as an ongoing cyberattack at a nearby medical center. It may sound simplistic, but one of the most common recommendations made by the Cybersecurity and Infrastructure Security Agency (CISA) during times of increased threat is to disconnect from the Internet as much as possible.”
And, on a practical level, Perakslis writes, “Health care facilities need working maps of essential systems, and those systems must be adequately protected or isolated from the Internet and Internet-connected systems in ways that limit the proliferation of malicious software. In cases in which physical isolation is not possible, secure application or manual workflows can be developed and validated and staff can be trained on these fallback procedures. The best way to determine and develop risk-stratified resilience is to conduct drills and to practice. Clinicians must be educated and prepared for cyber events just as they are for physical scenarios such as fire, active-shooter incidents, and local medical catastrophes.”
Perakslis believes that every aspect of connectedness must be examined and analyzed, and that the key data- and systems-security objectives for medical practices must be “availability, integrity, and confidentiality.” Among the elements he believes to be essential will be an incident-response process that begins “the instant a cyberattack is suspected.”
Among other elements, Perakslis itemizes the detailing of critical systems and users and the development of policies and lists of contact information for training and patient-vulnerability assessment. Importantly, he urges, preparation cannot be seen as simply the responsibility of healthcare IT leaders and their teams. He details the process of containment that must take place in every patient care organization, one that includes the removal of all malicious code, the comprehensive testing of backup and recovery procedures, and, in advance, the backup and recovery of critical systems.
He concludes by noting that “The potential exposure of health care infrastructure to cyberattack presents a grave threat to clinical systems and to patient well-being — a threat that is becoming increasingly severe. However,” he states, “by educating and training clinical staff in cyber-incident response and preparing them to participate actively in countering a cyberattack, hospitals, clinics, and health systems will be able to actively mitigate and reduce the harmful effects of any acute cyber event.”