By Seth Carmody
This isn’t theoretical anymore.
The global pandemic has accelerated the number of devices deployed to operate outside of the hospital walls, providing remote patient monitoring and telehealth. This has expanded healthcare’s attack surface resulting in healthcare experiencing more attacks . But has this increased attack surface hurt patients? Tying adverse clinical outcomes to security events is hard . Security events such as ransomware typically result in disruption of operations, news of redirecting emergency vehicles and doctors resorting to pen and paper during cyber attacks are prevalent. Disruptions to operations create other issues and delays in care can result in patient harm therefore it wouldn’t be a stretch to postulate that security events have had negative patient outcomes. However, despite numerous ransomware reports, no direct link of a security event to a patient death had been observed until September 2020 where the first patient death linked to ransomware-induced by delay of care was reported. The hospital was unable to take in emergency patients because of the attack, and the patient was redirected to another hospital 20 miles away.
Why is this the first reported case of patient harm? For medical devices, an outdated regulatory model and lack of data due to limited logging capability and monitoring of devices, are reasons why it is so hard to confirm the relationship between a cybersecurity event and patient outcomes. This limited data also makes it difficult to establish a baseline of security requirements that would be sufficient for medical devices. These technologies serve a critical clinical purpose but underserve security; why?
State of the healthcare industry - why cybersecurity isn’t prioritized effectively
The tension between healthcare and security is rooted in the fact that healthcare’s first job is to deliver healthcare. Therefore technologies built to serve healthcare are built primarily to deliver on healthcare features, not security features, like monitoring, that would help connect security events with patient outcomes. As a result, the healthcare industry accrues security debt yet paradoxically, healthcare must also deliver healthcare securely because any lack of security threatens the ability of the healthcare ecosystem to function. This tension must be resolved for any additional progress to occur.
Current attempts to incentivize security economically include HIPAA. However, the incentive is fine based and focuses, not on security debt relief, but on the management of the risk that security debt brings. However, data shows that breaches are increasing, in other words, we’re not any better at security, why? Because the hospital is the least empowered to reduce security debt from the technology it must consume to deliver healthcare. Some efforts tried to tackle leveraging economic incentives by enforcing security requirements before technology is purchased. While these efforts have catalyzed some progress, healthcare’s priority is healthcare therefore, limiting clinical technology purchases because of security debt is necessary yet insufficient.