By Vrushab Gowda
Our health information infrastructure is highly susceptible to cyber attacks. At the time of writing, the Department of Health and Human Services (HHS) is actively investigating over 700 major breaches reported in the past 24 months alone.
It is incumbent upon our institutions to proactively guard against these threats, with our federal government leading the charge.
Current Trends in Digital Health
Two ongoing phenomena underscore the importance of shoring up our health information infrastructure.
First, the response to COVID-19 has exposed the nexus between public health and issues of strategic concern. It goes without saying that containing the pandemic would avert premature mortality among citizens, alleviate strain on healthcare infrastructure, restore economic productivity, and ensure our military's state of readiness.
Secondly, the "digital revolution" in healthcare has shifted a range of functions online altogether or integrated them within networked systems. Few modalities have been left untouched: telemedicine platforms, cloud-based electronic health records (EHR), mobile health applications, remote patient monitoring systems, and a slew of internet of things (IoT)-linked medical devices abound.
In keeping with these trends, malign actors increasingly exploit deficiencies in our sprawling digital health infrastructure. They may be driven by a variety of motives. Individual hackers may seek financial gain or may compromise targets' privacy by "doxing," while state-sponsored agents could wage a systematic campaign to delegitimize institutions, sow disinformation, or cause disruption for its own sake. Unlike credit card numbers, health information cannot simply be canceled and reissued. Harms incurred may be permanent, leaving victims with scant recourse.
A Broad Attack Surface
When quantified, the scope of damage is astronomical. The healthcare industry sustains higher financial losses due to breach than any other industry, with an average of over $7 million per attack in 2020, representing a 10% increase on 2019 figures. The sector as a whole is projected to deploy $125 billion in countermeasures over the next five years, yet this may not be enough. Ramifications for patient care are real and tangible; many community healthcare systems are moreover unable to afford such countermeasures and, in some cases, have been forced to turn away patients.
Why healthcare incurs such disproportionate losses is a matter of debate. A relative underinvestment in cyberdefenses is partly to blame. Some analysts have related the recent uptick in breaches to intensifying merger and acquisition activity, with its inevitable data sharing requirements. Other reasons may be structural; for all their clinical novelty, many IoT medical devices lack sophisticated cybersecurity safeguards, and some applications make difficult competitive tradeoffs between patient accessibility and security.
Public and Private Paths Forward
Stakeholders at every level of the digital health space would be well-advised to employ assertive risk management measures. Product developers should face more rigorous security standards in advance of approval and disclose their built-in safeguards when advertising. For their part, healthcare systems can (1) promote software and password hygiene, encourage regular updates, phase out legacy systems as soon as replacement technologies are obtained, and conduct routine security audits; (2) rely exclusively on encrypted communication channels protected by multi-factor authentication; (3) establish a network segmentation architecture for IoT medical devices so that a compromised device cannot reach clinical systems, effectively containing breaches; and (4) maintain an incident response protocol, form a response team, conduct active surveillance for potential threats, and integrate all of the aforementioned processes with a security information and event management (SIEM) platform.
There is a key coordinating function to be played by the federal government, largely based on its superior resources and data-gathering abilities and the interstate nature of digital health concerns. The public would stand to benefit from its substantial investigative, mobilization, and funding capacities to establish industry-wide educational initiatives and a dedicated digital health security apparatus. In particular, closer interagency cooperation between the Department of Homeland Security (DHS), which is responsible for maintaining the national cybersecurity framework, and HHS is essential.
At present, the Cybersecurity and Infrastructure Security Agency (CISA), a DHS body charged with protecting critical resources from cyberattack, lacks a healthcare-specific office. Its most recent publicly available issue brief on the subject dates to 2015 and only outlines higher-level coordinating frameworks between DHS and HHS. In the same vein, the DHS Office of the Inspector General (OIG) has already conducted an internal audit of the department's own health-related cybersecurity vulnerabilities; HHS should follow suit.
A more permanent standing entity would go a long way towards securing our national healthcare infrastructure, conducting similar threat analyses, and marshaling information sharing across the federal government. Such an organization may be housed either within the DHS Office of Health Affairs or the HHS Office of the Assistant Secretary for Preparedness and Response, both well-equipped to implement a comprehensive national response. 21st century cybersecurity threats demand a 21st century organization to address them.