May 17, 2018 - A growing number of reports list healthcare as the most targeted industry for cyberattacks. The reasons for this are many. Health and medical data is valuable to hackers and bad actors – unlike a credit card, a medical record cannot be cancelled and reissued, for example. Also, the nature of data and information sharing in the healthcare sector differs from other targeted industries like the finance and telecommunications sectors, with many different providers and practitioners requiring relatively easy access to patient data in order for care to be delivered quickly and safely. For reasons like these, ransomware and malware attacks in the sector are skyrocketing. Ransomware attacks on healthcare increased 89% from 2016 to 2017. Indeed, the first cyberattack Healthcare Ready activated for was the WannaCry ransomware attack last year.
Because we are an organization dedicated to strengthening the preparedness and response capacities of healthcare and public health, cybersecurity has necessarily become a part of our portfolio. And while we were tracking issues related to cybersecurity even before WannaCry, we were really only dipping a toe in the water. Like many emergency managers and emergency management organizations, we weren’t initially sure how to engage in the field. We are not an organization with programmers and cybersecurity experts on staff. Yet, cybersecurity was growing in importance in the preparedness field, not least of all because of the physical effects and impacts a cyberattack could have on health infrastructure and patients.
The activation for WannaCry, as well as the sharp increase in cyber threats, has expedited our efforts to ‘get smart’ in the field. In doing so, we’ve been able to more clearly identify and carve out our role in the space. And it’s really not that different from the position we occupy in preparedness and response to natural disasters and disease outbreaks. Because, while cyberattacks have many attributes that separate them from more traditional threats to healthcare like hurricanes and snowstorms, information sharing and convening – especially across sectors – is essential. The National Infrastructure Advisory Council identified three sectors as key to the nation’s homeland security – telecommunications, financial services, and electricity. These sectors undergird the operations and ability of other sectors to be able to function, and I’d argue none more so than the healthcare and public health sector. We need to look no farther than last year’s hurricane season to be reminded of this.
Last month, I had the opportunity to participate in Yale’s Cyber Leadership Forum, an event that brought together experts from law, technology, and policy to discuss pressing cyber issues. It was during conversations there that I became mindful of another, if bleak, reason it’s important for us and other emergency management organizations to make a concerted effort to educate ourselves on cybersecurity and cyber threats in healthcare – the physical effects a cyberattack on healthcare can have. At the forum, there was much discussion about the attention (and resources) cybersecurity does and does not receive in different sectors. A common observation made was that most people do not see or feel the impacts of a cyberattack, so it is difficult to prioritize it in the same way as a natural disaster, for example. The potential to have attention-grabbing physical impacts is very high in the healthcare and public health sector. Accordingly, planning for the physical impacts a cyberattack can have is another area in which we are concentrating our efforts. This includes looking at the impacts a cyberattack can have on the supply chain, and how cascading effects from this could impact the provision of care and patients.
A speaker at Yale’s forum, former Deputy Director of the NSA Richard Ledgett, had an optimistic take on the challenges cyber threats and events pose, one that I think also captures the spirit of our approach. He described it as an undeniably complex but solvable problem. Solvable not in the sense that the issue will go away, but that it can be managed. And one of three keys to the solution, he said, is building resilience into our critical infrastructure. This is of course not a new idea, but an important one to think about in terms of how it relates to different hazards to healthcare and public health. Infrastructure resilience to natural disasters is distinct from resilience to the burden disease outbreaks place on infrastructure, which in turn is distinct from building systems resilient to cyberattacks. But there is overlap among these, a kind of Venn diagram of resilience.
So, while I do not anticipate cybersecurity becoming a dominant part of Healthcare Ready’s portfolio, it is an important one. We will continue to use our position to support partners at the National Healthcare Information Sharing and Analysis Center (ISAC), the National Council of ISACs, and HHS’s Critical Infrastructure Protection Program in efforts to share information and foster collaboration. Advances in technology are saving lives and strengthening our healthcare system. At the same time, these advances are creating dependencies the preparedness field must track and mitigate, to the best of our ability. Information sharing and cross-sector coordination are essential parts of the planning and response to any emergency, whether it occurs on the ground or in cyberspace. As Healthcare Ready continues to ‘get smart’ on cybersecurity and cyber threats to healthcare and public health, we are anchoring our activities in these areas – facilitating information sharing and coordination, and promoting resilient (in every sense of the word) infrastructure.