On Monday, August 18th, Community Health Systems, one of the largest U.S. hospital groups, reported that they were the victim of a cyber-attack from China, which resulted in the theft of Social Security numbers and other personal data belonging to 4.5 million patients. This attack is the largest of its type involving patient information since the U.S. Department of Health and Human Services started tracking such breaches in 2009.
Healthcare and public health patient information has often been viewed as a “soft target” for cyber-attacks. The Office for Civil Rights (OCR), which enforces privacy and security regulations for the Department of Health and Human Services, reported in February of this year that only 62 of more than 800 breaches of protected health information (P.H.I.) involved cyber-attacks. However, evidence suggests that many organizations are not mature enough to detect data breaches, contributing to the low level of health-related cyber-attacks. i
Public health organizations have been the victims of cyber-attacks in recent history. On May 22nd, 2014, the Montana Department of Public Health and Human Services announced that a cyber-attack was detected on the health department’s server, allowing a hacker to illegally access the P.H.I. of 1.3 million individuals. ii On April 9th, 2012, the Utah Department of Health announced that a cyber-attack occurred in which 780,000 individuals had their P.H.I. breached. In addition to their health records, it is estimated that 280,000 of these individuals had their Social Security numbers illegally accessed as well. iii Cyber-attacks carry a large cost. Patient trust can be irreparably damaged, and the fines associated with a data breach can discourage the robust use of health information technology.
Cyber-attacks on healthcare and public health facilities can come in many forms. They can include not only theft of patient records, but also disruptions from both sophisticated and uncoordinated attacks, such as unauthorized access to networked medical devices or malicious emails that may cause utility and power grid failures and other cascading disruptions across a facility, forcing hospitals to divert patients or rely on paper-based systems. Power and water utility outages at hospitals can force facilities to rely upon generator power and backup water supplies or go offline entirely. Power transmission and generation; heating, ventilation, and air conditioning; water; and patient oxygen supply in facilities are often controlled by Supervisory Control and Data Acquisition (SCADA) systems—networked computer control systems that can monitor and control multiple components in and between facilities. A cyber-attack could also result in the physical destruction of assets, such as backup generators. Disruption of assets and computer control systems automatically regulating facility environments and power systems would have devastating consequences for patient care, healthcare and public health facilities, and local communities.
The impact of cyber-attacks on healthcare and public health facilities can be organized into four categories: iv, v
- Losses of integrity: Patients and practitioners may lose confidence in a healthcare provider’s ability to maintain patient privacy, due to perceptions of inadequate security. Legitimate information provided by government or expert sources transmitted via media and social media could be corrupted or distorted.
- Losses of availability: Cyber threats to data and operations systems can take a facility off-line, leading to disruption of care. In addition, the loss of access to health records may limit the provider’s ability to provide appropriate care, shelter, and medicine in times of need. Lastly, damage to infrastructure—such as insurance and payment or utility systems—could also prevent people from accessing necessary medical care. Cyber-attacks could also disrupt emergency telephone lines and EMS systems and slow or disable emergency medical response systems. Cyber-attacks could also disrupt production of medical equipment or drugs through manufacturing stoppages.
- Losses of confidentiality: The exposure of personal data can trigger ripple effects for victims of cyber-crime, including theft or loss of patient and private information. Another consideration is the connection between patient data and personal medical devices. Those devices carry security and privacy risks as they become increasingly networked and wireless.
- Physical destruction of systems: Cyber-attacks could damage physical systems used to perform functions critical to healthcare and public health, such as regulating utilities, and could shut down or slow supply chains, impair patient care, and impede emergency response, potentially leading to significant loss of life. Medical and public health research institutions and laboratories may be vulnerable to power outages and computer breaches due to cyber threats. Loss of valuable research and disruption of systems used for the environmental controls for research animals, cadavers, infectious agents, and specimens could result from a cyber-attack. The loss of electricity or water during heat waves or cold spells will require a response from public health to prevent loss of life. Cyber-attacks may also result in the failures of industrial safety systems, such as those used in chemical manufacturing, and could cause widespread illness and possibly death.
Public trust depends upon the sustainability, resilience, integrity, and availability of our national healthcare and public health critical infrastructure. Just as with many hazards public health must consider, preparing for, preventing, mitigating, and responding to the threat of cyber-attack to healthcare and public health facilities requires a holistic approach. Successful planning involves coordination, communication, and cooperation among federal, state, local, tribal, and territorial governments, as well as healthcare facilities, medical device and equipment manufacturers, telecommunications and utilities providers, and medical supply chain operators. This coordination happens through healthcare and public health leadership at the state and local level.
October is National Cyber Security Awareness Month (NCSAM), which is designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cyber-security and increasing the resiliency of the nation in the event of a cyber-incident. To get involved in National Cyber Security Awareness Month 2014:
- Stay tuned for more information about each week, including the 2014 Kick-Off.
- Find or register a local event on the official calendar.
- Get information on how your government, law enforcement, business, school, or organization can take action during National Cyber Security Awareness Month.
- Teach elementary, middle, and high school students about Internet safety and security.
- Post cyber-security tips, news, and resources highlighting NCSAM on social media sites during National Cyber Security Awareness Month.
The 2015 Preparedness Summit theme focuses on Global Health Security preparedness and how, in an increasingly interconnected world, public health threats can emerge on the other side of the globe and arrive within a day on the doorstep of our health departments, healthcare providers, schools, and more. Global health security includes threats to healthcare and public health from cyber-attack. If you would like to learn more about cyber-security threats, consider attending the Summit. If you have a story or lessons to share, submit a presentation abstract for the Summit or reach out to Justin Snair at firstname.lastname@example.org.
By Justin Snair, Senior Program Analyst for Critical Infrastructure and Environmental Health Security at NACCHO and Matthew DeLeon, Program Analyst for Public Health Informatics at NACCHO.
[i] Anderson, Howard. “Utah Health Breach Affects 780,000.” HealthcareInfoSecurity. Information Security Media Group, Corp., 9 Apr. 2012. Web. 9 Aug 2014
[ii] Roman, Jeffery. “Montana Breach Victim Tally: 1.3 Million.” HealthcareInfoSecurity. Information Security Media Group, Corp., 25 Jun. 2014. Web. 9 Aug 2014
[iii] McGee, Marianne. “Hackers Hit Health System’s Server.” HealthcareInfoSecurity. Information Security Media Group, Corp., 6 Feb. 2014. Web. 9 Aug 2014
[iv] Synthesized from Barnett et al: Cyber Security Threats to Public Health. Institute of Medicine (2008) as adapted from Institute of Medicine, The Future of the Public’s Health in the 21st Century (2002) and U.S. Army Training and Doctrine Command, 2005
[v] Barnett, Daniel J., Tara Sell, Robert K Lord, James Terbush, and Thomas Burke. “Cyber Security Threats to Public Health.” World Medical & Health Policy. no. 1 (2013): 37-46. http://onlinelibrary.wiley.com/doi/10.1002/wmh3.19/abstract (accessed August 9, 2013).