Highlighting the role of cybersecurity in health care, two perspectives published in the New England Journal of Medicine on Thursday argue that the health care industry needs to be better prepared for cyberattacks that could endanger both patients and health care providers.
Cybersecurity in Health Care
In one perspective, Eric Perakslis — former CIO and chief scientist at FDA and current executive director of Harvard Medical School’s Center for Biomedical Informatics — writes, “The privacy and security rules put in place by [HIPAA] have raised awareness of the importance of protecting personal health information and have provided a regulatory framework to encourage compliance — but compliance does not necessarily translate into security.”
Perakslis notes that within the health care industry:
- 72% of malicious cyberattacks have targeted hospitals, clinics, large group practices and individual providers; and
- 28% of malicious cyberattacks have targeted provider organizations, health plans, drugmakers and other entities.
“[I]n other words, health care delivery is being aggressively and specifically targeted,” Perakslis writes.
He argues that an “active learning approach” is needed “to make prioritized cyber protection strategies and tactics focused and successful.”
Specifically, Perakslis recommends several approaches to improving cybersecurity in health care, including:
- Active, real-time surveillance of emerging cyber threats, which could be used to inspire regulatory policy;
- Creating security without costly, burdensome compliance standards;
- Effective regulations that help ensure the reliability of medical devices; and
- Risk-based analysis and modeling that takes threats, risks and vulnerabilities of information systems into account.
He concludes, “Technology has unquestionably improved health care. Let’s be sure that its promised benefits continue to be delivered safely” (Perakslis, NEJM, 7/31).
‘Hacktivists’ and Hospitals
In another perspective, Daniel Nigrin — CIO and senior vice president of Boston Children’s Hospital — shares his hospital’s experience handling an attack by the hacker group Anonymous.
Nigrin explains that the attack lasted several weeks and ranged from social media warning messages to the hospital’s entire network being shut down.
However, he said that no patient was harmed and no patient data were compromised during the attacks, citing, “[a]dvance planning, well-trained and dedicated staff, the support of a multidisciplinary team, and the resources and expertise of the [Internet service provider] and third-party partners” as being key to the hospital’s success.
Nigrin argues, “As health care organizations push forward to further enable electronic health records … the potential effect of losing Internet connectivity is large, and the analysis required to understand that effect is complex.”
He recommends health care entities “protect themselves against direct attacks meant to disrupt operations” in addition to “safeguarding against the compromise of sensitive data.”
He concludes, “Health care organizations should strongly consider investing the time and resources in IT security systems and operational best practices to ensure that they are prepared to endure and defend against these new threats, if and when they occur” (Nigrin, NEJM, 7/31).