The recent hearing held by the House Committee on Energy and Commerce on cybersecurity in healthcare raised serious safety implications of cyber-attacks and the critical need to strengthen public-private partnerships to tackle this evolving healthcare challenge.
While cybersecurity discussions on Capitol Hill have become more common, this one cut right to the core issue. Chairman Tim Murphy’s opening remarks noted that, “Strong cybersecurity practices are essential in this industry. This isn’t just about protecting patient data or information. This is about patient safety.”
Chairman Murphy’s remarks set the tone for the discussion and further validate that technology, in particular cybersecurity, plays a vital role in patient care, elevating it to an issue of public safety and perhaps even a social issue. And policymakers are experienced and successful at working with agencies to address pressing public safety issues.
By examining cybersecurity in the context of public safety, government leaders will gain the support needed to drive cybersecurity progress forward and address concerns like patient safety and the broader security needs of the fully digital citizen.
Three areas of cybersecurity protection
Healthcare and cybersecurity conversations over the past 18 months have centered on the ransomware attacks carried out against hospitals across the country, including systems within the beltway. Provider discussions have focused on what should be done to combat attacks and keep private information secure. However, when it comes to policy and legislative debates, it helps to understand how data security issues are typically classified. The three categories are:
Confidentiality: When two parties are communicating information and a third party is unable to view it because it is protected, for instance by encryption.
Availability: When users and customers are able to access a system or service, for example an online store or multimedia site. During a ransomware incident, data becomes unavailable to the parties that need access to it. During a Distributed Denial of Service (DDoS) attack like the one in late 2016 that affected mainstream sites like Twitter and Netflix, the websites become unavailable to consumers.
Integrity: Imagine that your doctor prescribes a medication to be taken three times a day, but someone changes the instructions to “take once daily.” Integrity of data means that you view or receive the data with the same values as it was produced: unaltered and not tampered with. If an attacker can alter data during a cyber-attack, it can negatively impact or disrupt an organization’s operations.
Confidentiality and availability are the most commonly discussed across cybersecurity practices; however, integrity is key to protecting patient safety in today’s age of digital healthcare.
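The prescription scenario above is the textbook integrity failure: the data is still readable and still available, only its value has changed. The following added example (not code from the article or from Splunk) shows the kind of check that catches it: a keyed HMAC-SHA256 tag computed over a canonical serialization of the record, which fails verification the moment any field is altered. The record contents and the shared key are constructed for illustration; in practice the key would come from a key store shared by the prescribing system and the consuming system.

```python
import hashlib
import hmac
import json

# Constructed sample prescription record mirroring the article's example.
PRESCRIPTION = {
    "patient_id": "P-0001",            # placeholder identifier
    "drug": "example-medication",
    "dose_mg": 10,
    "frequency": "three times a day",
}

# Assumed shared secret between producer and consumer of the record.
# Constructed for this demo; a real key is provisioned, not hard-coded.
SECRET_KEY = b"constructed-demo-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = SECRET_KEY) -> str:
    """Return an HMAC-SHA256 tag that binds every field of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """True only if the record is byte-for-byte what was signed.
    compare_digest is constant-time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(sign_record(record, key), tag)


def demo() -> tuple:
    """Sign the original, then check both it and a tampered copy."""
    tag = sign_record(PRESCRIPTION)
    intact_ok = verify_record(PRESCRIPTION, tag)
    # The article's tampering: frequency silently changed to once daily.
    tampered = dict(PRESCRIPTION, frequency="once daily")
    tampered_ok = verify_record(tampered, tag)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Without the tag, the tampered record is indistinguishable from a legitimate one, which is exactly why integrity protection has to be explicit rather than assumed from confidentiality or availability controls.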
Lapses in integrity put our safety at risk
Threats to data and system integrity within healthcare manifest in multiple ways. Changing of health records, incorrect medical prescriptions and hacking of medical devices to produce incorrect readings have serious repercussions.
For example, last year Johnson & Johnson warned patients that a security vulnerability in its insulin pumps gave hackers the ability to overdose diabetic patients with insulin. No one has been harmed because of this vulnerability. And while an extreme case, it exemplifies the real-world effect of vulnerabilities in healthcare, as well as the broader security and safety issues in a world driven by the Internet of Things (IoT).
Threats like these should cause citizens and lawmakers to treat data and system integrity extremely seriously – and the recent hearing was a step in the right direction to listening to these concerns.
What can be done to improve integrity, confidentiality and availability?
As Chairman Murphy mentioned, information sharing between healthcare providers, device-makers and the federal government is an important part of improving the cybersecurity posture across the healthcare industry. Information sharing groups like the National Health Information Sharing and Analysis Center (NH-ISAC) allow providers to discuss common vulnerabilities and threats the industry faces, and how to solve them.
Along with information sharing, providers and device manufacturers need to arm themselves with the right cyber protections and solutions to ensure confidentiality, availability and integrity for the data and systems they administer. Providers must be more aware of the broader cyberthreat environment and better understand what to look for, so that proactive defense is easier and more timely. They need to understand the latest attack methods being used to compromise data integrity. And, in turn, policymakers should be thinking about these same things as they develop new policy and change cybersecurity regulatory requirements.
Looking to the future
The overall tone of the hearing was a refreshing break from the focus many cybersecurity hearings take, criticizing organizations and seeking to assign blame. The conversation was positive and informative, and it elevated an aspect of cybersecurity within healthcare, data integrity, that truly puts patients at risk and deserves as much attention as ensuring patient confidentiality.
This was a constructive discussion of the issue, recognizing the need to strengthen industry cybersecurity practices and its connection to public safety. Looking ahead, government leaders should continue examining how cybersecurity affects public safety, facilitate more discussions with leaders across industries, and bring in private sector technology experts to share their information and insights.
As Chairman Murphy put it, “Cybersecurity is a collective responsibility and that is why it is imperative that this sector find a way to come together to find a sustainable path forward.”
Monzy Merza serves as the Head of Cybersecurity research at Splunk Inc. He has over 15 years of research experience. Monzy has led teams at government and commercial organizations. His experience includes threat analysis, adversary modeling and security product development.