The Hippocratic oath, which requires physicians to “do no harm” in the name of medicine, should be re-drafted to include prioritizing the security of patient data. Consistent with the dumpster fire theme of 2020, the healthcare industry suffered its first fatality directly related to a cyber-attack, in Germany. Tragically, this will not be the last death.
In January 2020, the Department of Health and Human Services (“DHHS”) released an update on Ryuk ransomware explaining both how it functions and how pervasive it is in healthcare systems. To DHHS’s credit, the update also lists suspicious IP addresses and file hashes and provides 12 steps to attempt to prevent such attacks. In other words, DHHS gave all hospitals and healthcare providers a 12-step checklist of what the agency will be looking for in the event it must investigate a breach. And any reasonably intelligent chief information security officer can search the organization’s network and memory for the malicious hashes and command-and-control indicators published by DHHS.
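As an added illustration, not part of the original article, of the sweep that paragraph describes: files on disk are hashed and checked against a published hash list, and proxy log lines are checked against published command-and-control address ranges. The indicators, file contents and log lines below are constructed placeholders (RFC 5737 test addresses), not the real values from the DHHS update.

```python
import hashlib, ipaddress, os, re, tempfile
# Constructed placeholder indicators standing in for the hashes and IP addresses
# an alert like the DHHS Ryuk update publishes; these are not real Ryuk IOCs.
IOC_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}
IOC_C2_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # RFC 5737 test range
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sha256_of(path, chunk=1 << 20):
    # Stream the file so large imaging files and backups need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep_files(root, bad_hashes=IOC_SHA256):
    # Walk a directory tree and return (path, digest) for files on the hash list.
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:  # unreadable or vanished file: skip it, keep sweeping
                continue
            if digest in bad_hashes:
                hits.append((path, digest))
    return hits

def sweep_logs(lines, c2_nets=IOC_C2_NETS):
    # Return (line_no, ip) for every address in the log that falls in a C2 range.
    hits = []
    for n, line in enumerate(lines, 1):
        for text in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # the regex also matches junk like 999.1.1.1
                continue
            if any(ip in net for net in c2_nets):
                hits.append((n, str(ip)))
    return hits

def demo():
    # Constructed input: one planted file and two proxy log lines (TEST-NET ranges).
    logs = ["2020-09-10T03:14:07Z proxy ALLOW 10.0.5.21 -> 198.51.100.77:443",
            "2020-09-10T03:14:09Z proxy ALLOW 10.0.5.21 -> 203.0.113.5:443"]
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "update.exe"), "wb") as f:
            f.write(b"constructed-malicious-sample")
        return len(sweep_files(d)), sweep_logs(logs)
```

Running `demo()` reports one file hit and one log hit on line 1; the second log line, to an address outside the listed range, is not flagged.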
Unfortunately, and also fortunately, healthcare entities too often think strictly as healthcare entities. They focus solely on diagnostic tools, pharmaceutical developments, insurance billing, and patient care. Once an acceptable scope of attention, this focus fails to encompass the new wave of risks to patients: loss of access to their data.
Think about the risks like this:
Imagine you check into a hospital for a time-sensitive surgery, trusting that your physicians and nurses reviewed your medical records and know your particular vulnerabilities. Your medical records note that you are extremely allergic to penicillin and latex. Surgery pre-op procedures go well, your spouse is comfortably sitting in the waiting room, and you just finished your consultation with the anesthesiologist. You are then wheeled into the sterile room, have the gas mask put over your nose and begin to count backwards from 10…9…8…unconscious.
At some point during the surgery, the hospital is hit with a cyber-attack; all electronic systems are down and your electronic medical records are inaccessible. Paper records are in the basement of another facility. Your surgeon is caught off guard and confused, and when he switches surgical gloves after attempting to restart the computers and pressing intercom buttons for assistance, he accidentally puts on latex gloves to finish the surgery.
Approximately 24 hours later, your incision area begins to develop a rash, then blisters, and you experience throat irritation. The electronic medical records are still locked up, and hospital teams are retrieving paper records from off-site. On seeing your reaction, however, a nurse becomes concerned that you have an infection and gives you penicillin. You become much worse as your reaction to the latex is compounded by your reaction to the penicillin.
This particular scenario was selected for this article because hospitals often put red bracelets on patients prior to surgery indicating allergies, and I do not want to cause a panic or dissuade anyone from seeking medical attention. However, under different circumstances and allergies, the same life-threatening situation can and will eventually occur.
Prioritizing cybersecurity as a healthcare entity is not just about staying off the “Wall of Shame,” avoiding DHHS fines, and the frustration of data breach notifications. It is now about saving lives and ensuring quality patient care.
Hire a CISO or chief security officer and provide him/her with a team. In calm seas the team may not seem to be proving its value, but the opposite is true. A CISO and the team need the time and resources to constantly read and evaluate the applicability of DHHS alerts, Twitter feeds, darknet traffic, and software platforms.
Ask your CISO if he/she has read the Ryuk update. If not, it may be because he/she is being over-tasked and under-resourced. Start thinking like a technology company and dedicate the appropriate resources to cybersecurity; patients’ lives may depend upon it.