How close do we need to get to a cybersecurity crisis in healthcare before we, as an industry, take deliberate action?
Should we approach cybersecurity in healthcare differently? What approaches will work best? What commonly repeated advice about cybersecurity is actually wrong in healthcare settings? What ideas that would be effective in healthcare cybersecurity are being ignored? What is being missed from discussions about healthcare cybersecurity? What are we too concerned about? What threats do not get enough attention?
These might sound like rhetorical questions, designed to engage the reader before the author reveals the “answer”. Sadly, these questions are no rhetorical device. No one has definitive answers, and we all desperately need them.
I sit on the Health Care Industry Cybersecurity Task Force, and we are currently taking comments on these issues on this blog post. I cannot presume to speak for the Task Force as a whole, and the comments below represent only my personal perspective on the issues involved. Right now the only thing that the Task Force as a whole is comfortable saying is “we are asking for advice”, which is the purpose of the blog post. If you have a reaction to the personal opinions here, please comment on the blog post so that the whole Task Force can hear what you have to say.
Generally, there are two types of issues that we would like advice on:
“What are the best practices and correct strategies to defend healthcare technology from cybersecurity attacks?” and “What is the best way for US government agencies to coordinate with the healthcare industry to respond quickly and effectively to cybersecurity threats?”
As you form your response to these questions consider your audience. All of the people on the Task Force have deep experience with cybersecurity inside the healthcare industry. Unless you feel strongly otherwise, we probably do not need any lectures on the basics of cybersecurity, or on how critically important these issues are. Believe us, we are all aware of how important getting “cybersecurity in healthcare” right is.
We are also reasonably well-informed about current events. We are watching with great concern as security researchers openly use an aggressive stock-shorting strategy rather than collaborating with the medical device company St. Jude Medical. We have seen the increasing number of ransomware attacks on hospital systems. We are also aware of the larger dramas at play in the cybersecurity world, as apparently even the NSA is not immune to compromise. Even as we do our best to plan, things appear to be getting worse.
I believe that the Task Force specifically, and the healthcare cybersecurity industry generally, need contrarian advice. We need people who are not inside healthcare to talk about methods, ideas and approaches that we have not thought of. We know that all of us are much smarter than some of us. Rhetoric is not terribly useful here. Instead we need clear thinking, even if it is unpopular and counter-intuitive. How can any group attempting to allocate or plan cybersecurity responses at any level ensure that it is not blindsided by something it should have thought of, but that none of its members were clever enough to consider? Very frequently, critical insights like that do not come from the type of people who are typically appointed to government task forces or hospital planning committees. There are certain groups who might have a difficult time getting attention for their issues and ideas, which is why asking for comments on common social media platforms makes so much sense.
What is the perspective on cybersecurity threats from healthcare providers who are under-resourced? Even well-funded and expertly staffed healthcare organizations are struggling to keep up with the gamut of cybersecurity threats. But what about those which cannot afford a CIO, much less a CISO with adequate staff?
What are the cybersecurity threats to the healthcare safety net? Some healthcare organizations must choose between devoting resources to cybersecurity and devoting them to patient care. How could a consortium of industry and government best help the people making these kinds of difficult decisions? These are all impossible choices between patient care today and patient safety tomorrow. We need to ensure that everyone can avoid that Gordian knot, but how can that be done with the limited resources being brought to bear on this?
Congress has given special attention to cybersecurity in healthcare precisely because they know that breaches, hacks and other cybersecurity incidents do not just impact healthcare service and product providers. If a drug company has its IP stolen, that could mean that a patient may never get a medication that might have made her feel better. If a hospital EHR is held hostage by ransomware, that might mean that a patient’s allergy to penicillin is forgotten at the worst time. If a medical device manufacturer gets DDoSed, that could mean that an implanted device might not function properly for someone whose life depends on it working all the time.
How can we best understand the implications or priorities of the individuals who will suffer the worst as the downstream result of cybersecurity threats to the healthcare ecosystem? If you or a loved one have special insights or specific concerns as a result of a cybersecurity issue, please let us know. If you do not want to use your real name for this, a Reddit or Twitter throw-away account is a great way to get in touch with us while still protecting your identity somewhat (you’ll be “somewhat” protected at least: Reddit and Twitter could be hacked too, but it’s the best anyone can do given the impromptu nature of this request).
I have very intentionally touched on multiple complex topics without even attempting to coherently discuss any of them. You will find that the comments on this blog post are turned off. That is not an accident; it is an attempt to shepherd discussion to a single point, which is found at this blog post. We are also hosting an AMA on Reddit’s /r/medicine, and we will be listening to tweets tagged with the hashtag #healthcybersecurity. I expect we will also do something on LinkedIn. We are trying to engage the healthcare cybersecurity community fully but also quickly, so please let us know what you think about these issues as soon as possible.