Recent lawsuits and media coverage have hyped the correlation between patient mortality and ransomware or cyberattacks. The sensationalized headlines serve to induce awareness, but are missing the point, explained Saif Abed, M.D., director of cybersecurity advisory services for AbedGraham Group during the opening keynote of the SCHealth eConference.
“That is the wrong question to be asking. I believe it's hopefully a very rare case where you can see a direct mortality, a death because of a cyberattack,” said Abed. “However, when you have a significant ransomware attack, you have hundreds of patients, potentially even more depending on the scale, who are having a morbidity impact… suboptimal clinical outcomes.”
In some cases, these patients are seeing “even negative clinical outcomes that don't involve death,” he continued.
For example, consider a situation where an emergency room is shut down and ambulances are diverted to neighboring hospitals that are already busy, especially amid the COVID-19 pandemic. If there’s a “suspected stroke patient, they have a three-hour window to bust the clot that's in the head.”
“During care diversion, they're seen in four or five hours because of delayed transport to a neighboring hospital. That could be the difference between making a full recovery and being half paralyzed for the rest of your life, or for a few years where you go through very intensive rehabilitative therapy. That is a negative clinical outcome,” explained Abed.
Consider the Elekta security incident reported earlier this year that resulted in a number of care providers having to delay cancer treatments, or the Southern Ohio Medical Center cyberattack that led to appointment cancellations, including those for cancer patients. If a cancer diagnosis is made a few weeks or a month later due to similar outages, the diagnosis and treatment could shift to stage two instead of stage one, again “a negative clinical outcome.”
While the impacted patients may eventually make a full recovery or go into remission, those individuals have suffered from those care delays and the provider has now made greater interventions that wouldn’t have otherwise been needed.
There are multitudes of these types of use cases that the sector is not investigating enough.
“There are so many more people who have a morbidity impact rather than a mortality, orders of magnitude more than patient deaths,” said Abed. “And that is where clinical risk is at its most significant: we need to shift the conversation, focus on that, where there is mortality. It should be rare, and we should be investigating it to the nth degree. It should be forensic.”
Further, if there are mortalities, the events should be “just so unacceptable that the response is significant, at least in trying to clear up what happened one way or another.”
But the healthcare sector can no longer ignore morbidity under this current threat landscape because many patients are suffering from reduced care quality and outcomes, as opposed to mortality when it comes to ransomware attacks.
Understanding and accepting enterprise risk
While 2020 saw a wave of ransomware ransack the healthcare sector, with dozens of providers driven into electronic health record downtime procedures over the course of one month alone, the number of reported outages has significantly declined throughout the year.
From the outside, it could appear that cyberattacks have slowed and provider organizations have improved. But that’s simply not the case.
To Abed, there’s major confusion over the terms vulnerability and threat impact, which means it’s difficult to measure those key performance indicators. In short, the decline in reported downtime incidents caused by cyberattacks does not reflect a lessened state of threats.
As data consistently show, attackers can be lurking in the system and only causing downtime here and there “that isn't absolutely catastrophic.” Although ransomware attacks follow a set cycle, “pay me now, or everything is shut down,” IT events can often be attributed to something else even when a threat actor is the cause.
For example, a clinician on the frontline may notice a legacy IT system running slowly that causes them to lose the ability to check lab results or perform diagnostic imaging. But the actual cause may be an extreme threat like cryptojacking, or the issue could be a botnet or an attacker “rooting around that isn’t very good at it” that results in some level of outages.
Those incidents may not cause full-on disruption, but “it’s affecting the healthcare provider’s ability to be efficient and effective at doing their job,” Abed said. The current media reports shouldn’t be read into as much on face value “because there's a bit more nuance in it.”
“The story of healthcare has been the word ‘silo.’ Silos exist in healthcare, even outside of the subject of cybersecurity. We all know the silos of IT versus clinical, IT versus biomedical engineering, IT versus security, clinical versus executive management, IT versus executive management: all of these silos are gradually being broken down,” said Abed. “But we're not really there yet.”
“Anytime you have a silo, you have an asymmetry of knowledge, of information, and of transparency,” he continued. “It makes it much more difficult to coordinate any planning, let alone any response or recovery. That’s an ongoing challenge.”
Further, the industry should be aware, by now, that it’s a people- and process-based challenge, not a technology problem, he stressed. “You cannot technology your way out of these particular problems. There are people and process issues, and they need to be addressed from the top.”
While an attack may also hit revenue and billing, the prime source of concern for all organizations and their leaders should be care quality and patient safety.
“There comes a point where you have to understand the following: you have to accept you can't prevent everything,” said Abed. “You can't track everything, you simply probably don't have the resources to do it, even if the technology existed to do it. But what you can do is deal with the impact of an attack.”
“I'm not saying you should accept it as a foregone conclusion that an attacker will be successful in breaching your defenses,” he continued. But if they do and a provider has planned the response and recovery with compensating control mechanisms, the right processes, and have appropriately trained everyone on the frontline for those scenarios, “then yes, the attacker might get through and might attempt to encrypt your critical data, but you have response mechanisms in place to minimize the impact.”
In doing so, by the time a provider organization gets “the backups online, patient care should have remained at what could still be considered a safe and acceptable level,” even if fewer patients are seen and there are delays in care, or rescheduled appointments for nonurgent care.
Communicating the impact to management
Many healthcare leaders have noted challenges with conveying risk to leadership about the need for certain cybersecurity investments to prevent these types of shutdowns. For Abed, security leaders need to speak in terms of the costs of care disruptions when dealing with executive management concerned only with the financial impact on the organization.
Clinical services disruptions often reach executive leadership framed as costs, and those costs are themselves highly significant. As such, patient safety and clinical services’ disruptions “are indeed the cornerstone of all ramifications to a healthcare organization, even if it ultimately translates on paper into a calculation around financial impact.”
Security leaders must work to educate executive management, engaging with the executive budget and becoming multidisciplinary in their security approach. Rather than talking about risk scores, threat alerts, and vulnerabilities, Abed stressed the need to communicate these issues in the right language.
“Executive management needs to be in a position to be educated in business language, about what cybersecurity is and what it means to the organization,” said Abed. “I barely use the word cybersecurity when I'm engaging with executive management, I talk about risk.”
“I make it clear, I say, 'Look, if the emergency room cannot function, is that bad for your organization?' If the emergency room is not functioning, it could be a natural disaster, it could be a ransomware attack, two different journeys. But let's start with the impact that they understand,” he added. “I guarantee everyone pays attention when you say, 'What if our cancer care services go completely offline? For whatever reason, let's work back from there.'”
Then shift into the cause, such as a ransomware attack, then ask how to address it and whether an investment needs to be made to prevent that kind of outcome within the care setting, he explained. The dialogue should be accompanied with use cases of these types of events happening to frame the argument in security’s favor.
At the end of the day, communication and threat sharing are critical across all members of the organization and through coordinated efforts with law enforcement and threat sharing groups. In working together, healthcare may expect to see improved cybersecurity posture in the future.