While it’s true that ransomware and other cyberattacks are highly targeting a range of U.S. industries, the impact and response to these security incidents in health care is far more complicated and has a direct impact on patient safety, said Christian Dameff, a physician at the University of California San Diego.
Dameff, also an assistant professor of emergency medicine, biomedical informatics, and computer science for UCSD and the medical director of cybersecurity for UCSD Health, spoke during a House Energy & Commerce hearing on the growing ransomware threat to critical infrastructure. His research centers around patient safety and care quality effects of cyberattacks, frequently presenting realtime scenarios on the risk posed by medical device attacks.
“I am here today to tell you health care is not prepared to defend or respond to ransomware threats,” said Dameff.
Health care needs the same technical controls as recommended by industry security leaders, he explained. These include multi-factor authentication and a focus on backups and system restoration.
But Dameff’s number one recommendation is to prepare for the inevitable ransomware attack, calling on all health care delivery organizations to practice paper processes without the use of technology in patient care. Hospitals and other providers should be able to accomplish that within two or three hours of an attack.
The idea is not new and is highly recommended by industry leaders. However, despite its importance and the growing risk to care delivery, Dameff explained there are a lot of hospitals in the U.S. that have not considered how these critical attacks could have on their systems and the potential impact to patient care.
Those same systems have not adequately prepared for a critical attack, nor how they would take care of thousands of patients without technology.
“That's the number one thing I would encourage most hospitals across the country to do now,” he stressed. “There's a framework for that at every hospital, and that type of preparation, at least at the beginning, doesn't cost a dime.”
In health care, cyberattacks can cause reputational damages and lost revenue, but there’s an even greater risk to patient care. And an attack on one entity can impact all connected hospitals, such as the recent cyberattack on Scripps Health in May that drove systems offline at multiple hospitals for more than a month.
Dameff noted how the attack left area hospitals overcrowded and struggling to keep pace with the influx of patient diverted from the downed hospital.
It’s simple to imagine how rapidly the impact could increase when it’s five or six hospitals down at once from a singular attack, he explained. Patients are going to continue to seek out care, particularly in emergency rooms, even when care is dramatically delayed or, even worse, care is diverted.
For Dameff, the risk cyberattacks pose to patient safety is clear within smaller, rural hospitals, where ambulances then have to transport patients for longer distances when care is diverted and the nearby hospitals are overwhelmed or there are no other local care sites.
“Our ability to diagnose a patient is tied to the technology that we use every day as clinicians: we are so dependent,” said Dameff. “You can imagine during a large ransomware attack, wherein these technical systems are no longer available, that we can’t do our jobs as clinicians.”
“The future of healthcare is not going back to the days of antiquated systems. In the future, we'll only be more technologically tied to the systems that we use, so that when it's not there, we can't do our jobs well,” he added. “It takes longer to get test results, to make decisions, to give things like antibiotics, and even identify severe infections or when patients have certain conditions.”
Although health care was previously reliant upon paper processes, Dameff is among the generation that often has no experience operating without technology. In the last 11 years, the Department of Health and Human Services' meaningful use effort to get all health care providers to use electronic health record systems has accelerated the digitization of health care.
That connectivity has fueled the expansive threat landscape, as the commensurate security needed to protect the increased connectivity did not occur, he explained. Thus, the sector is a “soft target” for cyberattacks and ransomware.
The COVID-19 pandemic further stretched the sector’s resources and demands, explained Dameff. Many providers have been left “juggling many different demands, of which cybersecurity is only one of them.”
In addition to preparing for these attacks, Dameff tasked the congressional committee with needed functions to support the health care sector — well beyond technical functions. To begin, research is needed on the effects ransomware attacks have on patient health, much like scientists study infectious and chronic diseases.
As it stands, most health care entities aren’t equipped with the means to measure or report the impact of cyberattacks. Dameff recommended the committee consider the development of standardized metrics to measure cyberattack severity on hospitals. Federal agencies like the National Science Foundation and the National Institutes of Health should prioritize funding for this type of research.
“Mandatory reporting of patient safety and care quality outcomes should occur for severe attacks,” he explained. “Identifying cybersecurity vulnerabilities before they are exploited will protect patients. There is currently a disparity between what I call the healthcare cybersecurity haves and have nots.”
“Lesser-resourced critical access and rural hospitals need help increasing their preparedness,” he continued. “As we seek to protect vulnerable hospitals, we must also avoid overly punitive measures for those unfortunate enough to fall victim to highly complex or novel cyber attacks, understanding that stiff fines or penalties may worsen an already devastating operational impact.”
Currently, there’s no clear method or function that would allow providers or even regulators to measure the impact on care or patient safety, he warned. And current systems used by hospitals to measure quality and patient safety are also digital and thus able to be impacted by ransomware, meaning there are no tools to accurately measure the impact on patient safety.
And as these “types of attacks are exceptionally chaotic” and many of the attack impacts happen at once, Dameff added that it’s nearly impossible for hospitals to report on the impact as they try to restore their systems.
Dameff also recommended the use of the software bill of materials (SBOM) to increase transparency around cybersecurity vulnerabilities. SBOM can help manufacturers and providers take more proactive steps to managing overall cybersecurity risks. There’s also an industry-wide need for ongoing support and legal protections for security researchers who engage in good-faith security research, or coordinated vulnerability disclosures.
Lastly, Dameff called on Congress to consider providing resources for resource-strapped hospitals in need of both proactive and reactive cybersecurity assistance, through funds or even industry expertise as trends show that network outages and recovery timelines have moved from just days, to often months.
The outage timelines don’t necessarily match with how well an organization prepared. Dameff explained it’s more frequently tied to the threat deployed or the adversary behind the attack. More research needs to be done into why it appears attacks and disruptions are increasing in sophistication and frequency.
“It's key that we incorporate cybersecurity training and preparation into the next generation of medical education that include paper,” said Dameff. “I do think that physicians should be trained to operate in conditions that do not have technology, or to rely on less connected technological backup as a stopgap measure for patient care.”
“Our hospitals today are increasingly dependent on technology,” he continued. “We have come to implicitly trust and rely on these systems, and when they fail, health care grinds to a near halt. We know ransomware attacks affecting the health care sector are increasing in frequency, sophistication, and disruptive potential.”