In the wake of the recent WannaCry and Petya attacks that have hit healthcare organizations worldwide, a group of Boston researchers is urging the industry to consider the public health implications of cybercrime.
The researchers — two physicians and an information security professional — outlined their concerns in a perspective piece published in the New England Journal of Medicine. The group cites a Ponemon Institute survey in which nearly 90% of participating healthcare organizations said they have suffered a data breach in the past two years as proof that cyberattacks in the healthcare industry are a growing and prominent threat.
Potential threats to healthcare information security
Some of the threats to the industry include denial-of-service attacks and ransomware, such as the WannaCry and Petya attacks. Both forms of attack had public health implications because they could impair a healthcare organization’s ability to deliver efficient care, the group said, but they stopped short of exposing patient data.
If patient data is exposed, however, a cyberattack becomes more worrisome. One of the major public health implications of such an attack is that protected health information is “durable,” unlike, say, a credit card number that can be changed if the card is stolen or lost. Medical history, by contrast, can be used to identify a patient years after the initial data breach, the researchers said.
Attackers could also manipulate patient data, such as potassium values, which could cause serious harm to patients’ health. Similarly, attackers could manipulate clinical systems like medical devices.
How organizations can reduce risk
While the researchers acknowledged that the challenge of protecting the healthcare industry from the rising number of threats is “complex” and that there is no “silver bullet” that can stop all attacks, there are things organizations can do to reduce their risk.
Healthcare organizations should use best practice security procedures such as software updates and data encryption, and should perform frequent backups. Improving password security by requiring frequent password changes can also help keep attackers out of a hospital system.
Finally, educating healthcare professionals about how attacks occur — such as when someone clicks a malicious link in an email — can help reduce risk as well.
The researchers’ comments echo those of the Health Care Industry Cybersecurity Task Force, which called healthcare cybersecurity a “public health concern” that required “immediate and aggressive attention.” The task force outlined six imperatives to address the public health implications of cyberthreats, including improving awareness and education and developing a workforce that prioritizes cybersecurity.