The impact on health of cyber attacks

Even the most unlikely organizations can find themselves compromised due to a cyber attack. Consider the recent intrusion into Blackbaud, a third-party technology provider which specializes in maintaining fundraising databases for charitable organizations and other nonprofit institutions. This data breach affected a wide range of American nonprofits, from the Vermont Food Bank to the George W. Bush Presidential Center, but most critically, a number of nonprofit healthcare institutions, including Maine-based Northern Light Health Foundation, Virginia-based Inova Health Systems, and Washington State’s MultiCare Foundation.

Blackbaud has come under fire for its handling of the breach, which initially took place on February 7, 2020, and remained undetected until May 14, although its affected clients were not informed until July 16. Although affected users were initially told that neither financial account nor government identification information had been taken in the breach, these statements were walked back during the week of September 27, and in its latest 8-K filing, on September 29, Blackbaud admitted that for some affected customers, fields for unencrypted bank account information, Social Security numbers, usernames, and passwords may have been accessed.

The cyber threat to the healthcare nonprofit sector is comparable to similar threats against financial institutions, utilities and their infrastructure, and the defense industrial base. No one in the age of COVID-19 can deny that healthcare is systemically important to the wellbeing of the people of the United States. Many hospitals and health providers did not realize that their donor management software had migrated to cloud-based services/backups, and a large number of them had never re-assessed their ongoing third party risk exposure or use of Blackbaud services as a vendor.  

Hospitals have increasingly come under cyber attack in recent years. It is not difficult to understand an attacker’s logic in targeting hospitals and other healthcare providers, which necessarily collect personally identifiable information from their patients, in addition to financial information as intermediaries between physicians, payers, government agencies, and other providers of healthcare services. 

A modern hospital contains numerous critical systems that require information and operational technology systems, which can be deliberately interrupted by a successful cyber attack. These structures and conditions make hospitals inviting sites for attempted intrusions, data breaches, and ransomware attacks. Hospitals aren’t just concerned about confidentiality - disruption of services from impacts to availability or risks to patient care stemming from data integrity failures can be immensely impactful.

The September 27 attack on Universal Health Services provides an even more recent example. UHS, whose network was compromised by what appears to be a version of Ryuk ransomware across approximately 250 UHS facilities in the U.S., should underscore the importance of improving defender performance. Phone systems went offline, laboratory and radiology records became unavailable, and ambulances and emergency services were forcefully redirected as the full extent of the cyber attack was determined. 

The affected hospitals have currently returned to pen and paper record-keeping as their IT systems are being evaluated and remediated (a task which is still in progress); however, even basic healthcare functions such as scheduling medication in these hospitals have been affected by this ransomware attack.

While ransomware has undoubtedly been a contributor to negative health outcomes for patients, there is sudden renewed debate over what situations and events might be deemed the proximate cause of harm. A recent attempt attributing a death to such an event was reported in Germany in September 2020, a critically ill woman requiring transport to a different hospital after University Hospital Düsseldorf’s servers were frozen as a result of a ransomware attack, delaying her emergency treatment. Immediate coverage overreached regarding direct culpability.

Regardless of whether such an event is legally culpable or not, there is evidence that medical performance degrades following at least some types of cyber attacks. In late 2019, researchers at Vanderbilt University and the University of Central Florida published an article which found that acute-care hospitals which experienced a data breach had a small but statistically significant increase in their 30-day acute myocardial infarction mortality rates in the three years following the breach. 

They hypothesized that this increase was associated with the lengthier time from door to electrocardiogram for patients with suspected cardiac issues, on average a difference of 2.7 minutes. Current medical guidelines recommend that an electrocardiogram be acquired and interpreted within 10 minutes of arrival to minimize mortality.

From a cybersecurity perspective, however, the most troubling part of this study was the link made by the authors between the delay and stronger security measures put into place as part of the breach remediation process. Presumably with the best of intentions, remediation actions associated with a data breach had been transferred to an increased statistical risk in mortality among patients who had suffered an acute heart attack. This clearly is not an acceptable form of risk management for cybersecurity practitioners. 

This is part of why a proven technique for risk management in hospitals –the Hospital Quality Assurance Committee or HQAC – needs to have a co-equal Hospital Information and Operational technology Quality Assurance Committee or HIOQAC.  

Such a body is required to ensure that the generally poor state of hospitals and other providers information security is included in broader organizational governance and that improvement and remediation efforts, where required, are adequately integrated with established patient care and quality control considerations. Just like patient care, security is a continuous process of improvement and not a one-time transformation effort. 

Especially in sectors which focus on the broader social good, such as charities, hospitals, and healthcare institutions, a cybersecurity solution must not compromise the essential function of that organization to the detriment of its clients. In fact, we should borrow a page from their book, and follow the precept of the ancient physician, Hippocrates: first, do no harm.