Cybersafety is patient safety—and it’s everyone’s job

Andis Robeznieks, Senior News Writer

With the Change Healthcare cyberattack causing huge disruptions to the nation’s health care system, cybersecurity was top of mind for attendees at the Healthcare Information and Management Systems Society Global Health Conference in Orlando, Florida, and sessions on cybersecurity were well attended.

This included programs featuring cybersecurity experts from the U.S. Department of Health and Human Services (HHS) who spoke about federal efforts and strategies for thwarting cybercriminals while sharing resources the agency developed in collaboration with private industry. 

Speakers noted that the two basic tenets of the HHS in this area are:

  • “Cybersafety is patient safety.”
  • “Cybersecurity is everyone's responsibility.”

“Resiliency” was cited as a subset of the second tenet and was mentioned so frequently that one speaker quipped that “resiliency is the new black,” playing on the phrase used to describe whatever is considered fashionable at the moment.

At the center of this collaboration is the Health Sector Coordinating Council, whose mission is to identify cyber risks and to develop guidance for mitigation. It was created in recognition that health care is part of the nation’s “critical infrastructure,” similar to water, energy, transportation and telecommunications. 

The council includes a Cybersecurity Working Group and the HHS 405(d) program that works to align health care industry cybersecurity practices.

“What that really has manifested itself into is a fantastic working partnership building resources to help educate and bring best practices to the health care sector for a wide range of audiences and stakeholders,” said Nick Rodriguez, 405(d) program manager. 

The Operational Continuity Cyber Incident checklist was among the resources highlighted by Rodriguez. The checklist provides a flexible template for operational staff and executive management to guide the critical first 12 hours of their response to a serious cyberattack.

“I want to mitigate to the extent that [the cyberattack] limits the impact to my patients, to my operations, to my data, all of those things,” La Monte R. Yarborough, chief information security officer for HHS, said. “And I want to make sure that resources are provided to those teams that have to effectuate those response and mitigation activities.”

The AMA has curated resources and has tips for physicians and health care staff to protect patient health records and other data from cyberattacks. The country’s largest Catholic hospital chain, Ascension Health, is reportedly dealing with the aftereffects from a major cyberattack that hit last week. 

Another resource is the 2023 edition of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” whose purpose is to “raise awareness for executives, health care practitioners, providers, and health delivery organizations, such as hospitals.”

That HHS resource notes that health care organizations “need to make bold changes and significant investments” to defend their facilities. One strategy it recommends for this is a “zero-trust approach.”

This strategy involves building multilayer protections and ensuring that all devices and users are validated prior to being connected to the network, and it includes firewalls, physical security and employee training. This approach can protect against vulnerabilities created by staff using their own devices and cloud-based services and working remotely.

Yet the AMA continues to point out that many medical practices are hampered by a lack of resources and need financial and technical support to strengthen their cybersecurity.

The document describes five top cybersecurity threats:

  • Social engineering.
  • Ransomware.
  • Loss or theft of equipment or data.
  • Insider, accidental or malicious data loss.
  • Attacks against network-connected medical devices.

The document also describes 10 mitigating practices, among them email protection systems, identity and access management, vulnerability management, network-connected medical-device security, incident response, cybersecurity oversight, and governance.

The governance guidance contained in the updated edition of the National Institute of Standards and Technology’s Cybersecurity Framework (also known as “CSF 2.0”) was cited as a valuable resource for establishing strategy and outlining supply-chain risk-management roles that can help prevent cyberattacks involving a breach originating in the system of an outside vendor.

While speakers emphasized the importance of having a cyberattack-response plan in place and backing up critical patient data, two physicians at a different session noted that regional responses are needed to address the challenges other institutions face when a neighboring system is shut down by a ransomware attack.

Jeffrey Tully, MD, and Christian Dameff, MD, recapped the findings of their JAMA Network Open study, which examined how two San Diego hospitals saw significant jumps in emergency department volumes and ambulance arrivals after four San Diego County hospitals (including three with stroke centers) belonging to a different health system were shut down by a ransomware attack.

They told how their institutions and others in the same situation could “experience resource constraints affecting time-sensitive care for conditions such as acute stroke.”

“Targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster,” the study says.