No more maybes. It happened. England’s National Health Service reviewed the ransomware attack against a blood testing provider that disrupted care at a number of NHS hospitals in London last June and linked the incident directly to a patient’s death. They found that delays in critical blood tests caused by the cyberattack were a contributing factor in the death.
Cyberattacks have been linked to patient deaths before, but never with certainty:
A 2020 ransomware attack on the Düsseldorf University Clinic in Germany led to a patient in urgent need of medical attention being rerouted to another city for treatment, and she died before receiving it. While the death was initially attributed to the cyberattack, an investigation concluded the attack was only an indirect factor.
A lawsuit alleged a 2019 ransomware event at Springhill Medical Center in Alabama contributed to the death of a newborn baby, because critical monitoring tools were not available, leading to severe birth complications.
A University of Minnesota School of Public Health study suggested that ransomware attacks contributed to the deaths of 42 to 67 Medicare patients in the U.S. between 2016 and 2021.
To my knowledge, this is the first time an authoritative review has reached this conclusion in a specific case.
I am hyper-attuned to stories about ransomware in hospitals, since that possibility kept me awake every night as a healthcare CISO, and it seems there is a new event reported almost every week. It also seems that the first public statement made in these hospital ransomware attacks is something like, “Patient care is not affected.” Sorry, but that is just not true. Physicians, nurses, and other clinical staff make heroic efforts to continue caring for their patients, and patients may not be directly harmed, but patient care is absolutely impacted.
Rerouting of ambulances, rescheduling of cancer treatments and surgeries, management of hospital beds, imaging, access to patient records and test results, ordering of prescriptions, supply chains, and many other key activities depend on IT systems and data. If those capabilities are suddenly and unexpectedly taken away, how can they not have an impact? When the heroic efforts of the caregivers must be sustained for weeks, the impact grows with them.
My hope is that this unfortunate NHS incident is a clear bell to hospital leaders. Everyone agrees that cybersecurity is important, but I speak with healthcare CISOs every week and still hear too many cases where that agreement doesn’t translate into appropriate action. A cyberattack on a hospital or clinic is not an “IT thing,” or an annoyance that can be addressed by using cyber insurance to pay a ransom. It has become a fundamental part of patient care and patient safety.
Some key lessons for hospital leaders and boards:
Cyber risk is an enterprise risk, alongside traditional clinical and operational risks.
Cybersecurity strategies should be woven into patient safety planning and frameworks.
The disruption from a cyberattack is measured in weeks, not hours or days. Incident response and business continuity plans need to be revamped to account for multi-week outages and their impact on staff and business processes.
Business Impact Analyses need to map the interdependencies between systems so that cascading failures during a cyberattack can be anticipated.
Practice, practice, practice – tabletop cyber exercises and clinical downtime procedures to ensure the staff are familiar with how to respond.
Scrutinize vendor security – third-party vendors provide critical IT services, medical devices, and other operational needs, and they should meet the same standards you set for in-house systems. They should also take part in your tabletops and other exercises.
Top-down leadership – the priority and tone are set by the CEO and the board.
When a patient goes to a hospital, they trust that team in what may be one of the most vulnerable moments of their life. Healthcare leaders need to earn that trust by making cybersecurity a priority part of safeguarding patient lives.
Hold Fast
Stay True