“Is healthcare really bad at cybersecurity? Probably. It’s not just bad, it’s probably dismal,” said Christian Dameff, MD, an emergency room physician at the University of California San Diego Health, during his InfoSec World presentation on Wednesday, Nov. 10.
“There are so many hospitals and clinics in our country that we don’t have visibility into how bad it is, and glimpses into what the state might be only show us part of the problem,” he continued.
Dameff, aptly dubbed “Doctor Hacker,” is the first known medical director of cybersecurity in the U.S. and an assistant professor of emergency medicine, biomedical informatics, and computer science at UCSD. He and his colleague Jeff Tully, MD, have been faithfully sounding the alarm on the patient safety risks posed by cybersecurity since long before the current media trend.
His firsthand experience as both a white hat hacker and an emergency room physician gives him a unique view of healthcare’s blind spots and the overall risks to patients and hospital operations.
In short, the healthcare cybersecurity conversation needs to shift to a regional perspective, focusing on the hyper-interconnected nature of the sector, rather than broad strokes that can’t easily be applied to smaller or regional provider organizations. There’s also a need for mandated cybersecurity standards able to address the current threats.
For Dameff, that would enable the entire sector to raise the bar on its cybersecurity defensive posture without leaving any provider straggling behind.
“It's very difficult to actually have consistent risk analysis across institutions, across people,” he said. “Really, it's just people's best guess. And it's so much dependent on how much they understand about clinical workflows.”
“We’re making a lot of investments on healthcare cybersecurity that don’t really reduce our patient safety risks, and so we’re spending money in places we shouldn’t,” he added. “But I do believe we’re slowly changing.”
One organization’s attack is another’s burden
Despite ongoing progress and heightened awareness, one of the sector’s greatest shortcomings is its failure to treat ransomware and other cyberattacks like disasters. It’s a serious blind spot considering the impact of ransomware on hospitals “can be almost as devastating as a power outage, an earthquake, or a nearby wildfire.”
And yet, many providers keep tackling cybersecurity as a technical issue.
“What emergency medicine has taught me is that it's organized chaos,” said Dameff. “There's a lot that we can learn in emergency medicine, from the world of incident response and cybersecurity and vice versa. There are a lot of things we can learn in InfoSec from disaster medicine.”
The May ransomware attack on Scripps Health provides clear evidence of the rippling effect cyberattacks can have on the healthcare sector. Dameff previously spoke with Congress on the impact the attack had on regional hospitals. For InfoSec World, Dameff shared both anecdotal and data evidence to illustrate the causal effect.
Scripps has four hospitals on five campuses, which experienced one month of downtime and intermittent system outages after the attack. During that time, local hospitals like UCSD Health faced a “spillover effect” from the ransomware attack.
Dameff did not have data from Scripps on the attack’s impact; instead, his team examined what happened to two local hospitals in close proximity to Scripps during the outage, covering three different patient populations. To be clear, those providers were not infected with ransomware themselves.
During the first week of downtime, the data showed a 50 percent increase in the number of ambulances arriving at the hospitals near Scripps amid its outage. Dameff noted that the number of ambulances arriving at the nearby hospitals doubled and remained at those high volumes over a number of days.
“If your facility is used to receiving 60 ambulances over two hospitals in a day, and all of a sudden you have to see double that amount, it’s a huge resource strain on the emergency department,” he explained. “Your beds fill up, your waiting room wait time increases.”
In the initial days of the attack, the number of patients visiting the emergency department rose by 40% in volume overnight, and “you can’t staff for that. The consequences are the waiting rooms fill up, the amount of time for providers to see patients goes up, and the time it takes to get test results back or an X-ray done goes through the roof.”
What’s more, the data only includes the spillover effect and does not detail at all Scripps’ care sites during the outage, nor the impacts on care quality and patient safety.
How did we get here? Long-standing evidence of risk, failure to act
Long before the ongoing ransomware attacks and proliferation of data extortion attempts, the “canary in the coal mine” kickoff event was the wave of ransomware attacks that began with the cyberattack on Hollywood Presbyterian in 2016. Attackers demanded $3.4 million to unlock the system after encrypting the network with ransomware.
“Anecdotally, the intensive care unit is the place in the hospital where the sickest patients tend to be cared for,” explained Dameff. “The doctors that cared for these patients during this ransomware attack on the hospital were reported to be so concerned about their ability to care for these patients that they wanted to transfer them to other facilities.”
Further evidence of security failings can be seen in the success of ransomware attacks and threat actors hacking critical-infrastructure hospitals, as early as 2014 with Anonymous attacking Boston Children’s Hospital, and in the 2017 WannaCry incident that shut down the majority of the U.K. health system.
For Dameff, it feels as if the lessons learned during WannaCry and these early events “were not heeded and we’re paying for a lot of that now, specifically with a lot of the targeted ransomware attacks of hospitals.”
Early evidence of risks can be seen with concerns about implantable pacemakers’ AICD security vulnerabilities, truly showing what the potential risks to patient safety could be from connected implantable medical devices, explained Dameff. There was also Jay Radcliffe’s research on hacking vulnerable insulin pumps to deliver harmful amounts of insulin.
Further data was seen with Hospira vulnerabilities found in 2015 that led to the Food and Drug Administration’s first recall of a medical device for a cybersecurity reason, due to concerns about the delivery of appropriate doses and medication through a patient IV.
Despite continued demonstrations on how cybersecurity failings could impact care operations and patient safety, vulnerabilities persist and many entities are still failing to properly implement a response plan able to better maintain operations during an outage.
Why is healthcare bad at cybersecurity?
Cybersecurity in healthcare may be very technical, on the day-to-day, but in its essence, it supports patient care, he explained. In fact, a lot of what we do in our day-to-day operations in cybersecurity or information services, or whatever capacity you work in healthcare is to facilitate and accelerate hyper-connected, technology-dependent healthcare.
This technology that we deploy is saving thousands and thousands of lives by increasing efficiency, access to information, and allowing us to apply evidence-based decisions to the care of our patients.
“It's not that I'm opposed to it,” said Dameff. “We went a little too far and didn't consider the security implications to the technology that we've deployed. That doesn't mean we can't fix that moving forward. But we need to be cognizant of that, so we don't continue to make the same mistakes.”
Dameff identified a number of reasons for the sector’s overall cybersecurity shortcomings, which stem from complicated, locally dependent workflows. For example, the clinical care settings in rural Idaho versus Los Angeles are vastly different, which means it’s difficult to benchmark and determine the actual state of cybersecurity in the U.S.
Differences in region, care setting, acuity of conditions, and resources mean that it’s not feasible to reproduce a successful cybersecurity program from one care site in another hospital setting. There are also variances within individual organizations to consider, such as the differing training levels and access permissions of employees.
“For example, when I care for a patient in the emergency department, and they're having a stroke, I don't have time to reliably deploy multi-factor authentication before I order some potentially life saving medications or order a CT scan,” said Dameff.
“It's very different from many other industries, wherein we are very trusting of our user base and have to be because the disruptions in workflow can be quite dangerous to patient care,” he continued.
The technology complexities also contribute to the ongoing challenges with most health providers leveraging dozens of system types, from EHRs to Picture Archiving and Communication Systems (PACS), to multiple categories of medical devices from different vendors.
One single institution can leverage devices operating on embedded Windows XP at one end of the hospital, with another department using cutting edge robotic surgery devices that cost millions of dollars. As Dameff put it: “there’s a disparate, Frankenstein monster” that makes it difficult to truly fathom the difficulties organizations face.
Severe resource constraints pose further unique challenges. While some hospitals have marble floors and plants in their waiting rooms, there are other poorly resourced, critical access hospitals that truly don’t have the resources to adequately defend themselves from cyberattacks.
Healthcare costs are massive with typically thin margins, with some hospitals running in a repeated yearly deficit, he explained. “There's a huge amount of regulatory pressure and uncertainty in the finances of healthcare that can lead to very unpredictable revenue streams.”
“As a consequence, sometimes hospitals are in a very difficult position on how to strategically position themselves and spend resources, especially when they have to make very hard decisions,” Dameff continued.
Many of these low-resourced providers struggle with whether to install that new MRI machine, or to install MFA across the enterprise, he explained. “Should you pay down your security then, or push out new features? These are the real hard decisions that hospitals across the globe are facing that make this particularly difficult.”
As recently noted by other stakeholders, the sector is broadly aware that many of these projects are indeed needed to move the security needle. But when budgets are that constrained, some organizations also face competition for a limited talent pool, which makes it difficult to hire the staff needed to implement these projects effectively.
“The cyber haves and have nots are very real,” said Dameff. “Until we recognize that there's an interconnected regional impact of cyberattacks, we're not going to be able to really change. Another very clear problem is that incentives are not aligned.”
“One of my main criticisms of our current paradigm is that we allow HIPAA fears, HIPAA fines, and the wall of shame to drive a lot of our decision making instead of a more important and long-term approach of using patient safety as the main driver for cybersecurity,” he added. “This is very evident in how we experienced the post breach or ransom environment.”
For too long, healthcare has been entirely too reactive to data breaches and ransomware, instead of proactively assessing its practices before falling victim to incidents, he explained. Healthcare is in the business of risk, and “total mitigation is not possible.”
Dameff stressed that fundamental changes are needed in how the sector approaches cybersecurity if it hopes to ever make real, meaningful change.