By Justin Snair, Senior Program Analyst for Critical Infrastructure and Environmental Health Security at NACCHO and Matthew DeLeon, Program Analyst for Public Health Informatics at NACCHO
The constant connection to the Internet has enabled us to stay connected to friends and family, coordinate within our communities, and find innovative solutions for our most pressing challenges. While this increased reliance on information technology has bettered our day-to-day lives, it has also increased the risk of theft, fraud, and a variety of other abuses. All organizations and industries are susceptible to a cyber-attack, including the healthcare and public heath sectors. To engage and educate public and private sector partners and to raise awareness about cyber security and increasing the resiliency of the nation in the event of a cyber-incident, events and initiatives have been planned throughout the month of October, which marks National Cyber Security Awareness Month. As data breaches and cyber-attacks become more costly, it is essential that all organizations, especially local health departments, place a high priority on defending their cyber infrastructure from cyber-attack.
The healthcare industry and public health patient information has often been viewed as a “soft target” for cyber-attacks. The Office for Civil Rights, which enforces privacy and security regulations for the U.S. Department of Health and Human Services, reported in February 2014 that 62 of more than 800 breaches of protected health information involved cyber-attacks. Evidence suggests that many organizations are not sophisticated enough to detect data breaches, contributing to the low level of health-related cyber-attacks that are reported. The very nature of most healthcare and public health organizations makes them susceptible to cyber-attacks for three reasons:
- Security for health IT systems is not prioritized;
- The high frequency of data exchange requires many open connections to a healthcare information system; and
- The healthcare and public health workforce is largely untrained in cyber security practices.
The value of health data provides a strong incentive to hackers who can illegally access patient information. New findings have shown that patient medical data on the black market can be worth almost ten times more than credit card information. Birth dates, billing information, and diagnosis codes, used by both healthcare providers and public health agencies, are the most valuable to data hackers. This is because they allow hackers to create fake IDs to purchase medical equipment, or file false claims with insurers by combining a patient number with a false provider number.
This combination of factors makes health data breaches extremely costly and very large in scale. On August 18, Community Health Systems, one of the largest U.S. hospital groups, reported that they were the victim of a cyber-attack from China, which resulted in the theft of Social Security numbers and other personal data belonging to 4.5 million patients. This attack is the largest of its type involving patient information since the U.S. Department of Health and Human Services started tracking such breaches in 2009.
Public health organizations have also been the victim of cyber-attacks in recent history. On May 22, the Montana Department of Public Health and Human Services announced that a cyber-attack was detected on the health department’s server, allowing a hacker to illegally access the protected health information of 1.3 million individuals. On April 9, 2012, the Utah Department of Health announced that a cyber-attack occurred in which 780,000 individuals had their protected health information breached. In addition to their health records, it is estimated that 280,000 of these individuals had their social security numbers illegally accessed as well. Cyber-attacks carry a large cost: patient trust can be irreparably damaged, and the fines associated with a data breach can discourage the robust use of health information technology.
Cyber-attacks on healthcare and public health facilities can come in many forms, such as theft of patient records and disruptions from both sophisticated or uncoordinated attacks. Examples include unauthorized access of networked medical devices and malignant emails that may cause utility and power grid failures and other cascading disruptions across a facility, forcing hospitals to divert patients or rely on paper based systems. Power and water utility outages at hospitals can force facilities to rely upon generator power and backup water supplies or go off line entirely. Power transmission and generation, heating ventilation and air conditioning, water, and patient oxygen supply in facilities are often controlled by Supervisory Control and Data Acquisition systems—networked computer control systems that can monitor and control multiple components in and between facilities. A cyber-attack could also result in the physical destruction of assets, such as backup generators. Disruption of assets and computer control systems automatically regulating facility environments and power systems would have devastating consequences for patient care, healthcare and public health facilities, and local communities.
- Losses of integrity: Patients and practitioners may lose confidence in a healthcare providers’ ability to maintain patient privacy, due to perceptions of inadequate security. Legitimate information provided by governmental or expert sources transmitted via media and social media could be corrupted or distorted.
- Losses of availability: Cyber threats to data and operations systems can take a facility off-line, leading to disruption of care. In addition, the loss of access to health records may limit the provider’s ability to provide appropriate care, shelter, and medicine in times of need. Lastly, damage to infrastructure—such as insurance and payment or utility systems—could also prevent people from accessing necessary medical care. Cyber-attacks could also disrupt emergency telephone lines and EMS systems and slow or disable emergency medical response systems.
- Losses of confidentiality: The exposure of personal data can trigger ripple effects for victims of cyber-crime, including theft or loss of patient and private information. Another consideration is the connection between patient data and personal medical devices because those devices carry security and privacy risks as they become increasingly networked and wireless.
- Physical destruction of systems: Cyber-attacks could damage physical systems used to perform functions–such as regulate utilities–critical to healthcare and public health and could shut down or slow supply chains, impair patient care, and impede emergency response, potentially leading to significant loss of life. Medical and public health research institutions and laboratories may be vulnerable to power outages and computer breaches due to cyber threats. Valuable research and disruption of systems used for the environmental controls for research animals, cadavers, infectious agents, and specimens could result from a cyber-attack. The loss of electricity or water during heat waves or cold spells will require a response from public health to prevent loss of life. Cyber-attacks may also result in the failures of industrial safety systems, such as those used in chemical manufacturing, and could cause widespread illness and possibly death.
Public trust depends upon the sustainability, resilience, integrity, and availability of our national healthcare and public health critical infrastructure. Just as with many hazards public health must consider, preparing for, preventing, mitigating, and responding to the threat of cyber-attack to healthcare and public health facilitates requires a holistic approach. Local health departments can successfully plan by coordinating, communicating, and cooperating with federal, state, local, tribal, and territorial governments, as well as healthcare facilities, medical device and equipment manufacturers, telecommunications and utilities providers, and medical supply chain operators.
The following opportunities provide ways to mark National Cyber Security Awareness Month 2014 at your local health department:
- Get information about how your local health department can take action during National Cyber Security Awareness Month;
- Find or register a local event on the official calendar;
- Get involved with each awareness week as listed in this infographic;
- Educate elementary, middle, and high school students about Internet safety and security; and
- Post cyber security tips, news, and resources highlighting National Cyber Security Awareness Month on social media sites throughout the month of October.
Want to continue the conversation about cyber security? The 2015 Preparedness Summit, April 14-17 in Atlanta, will explore the theme, “Global Health Security: Preparing a Nation for Emerging Threats.” Sessions will focus on how, in an increasingly interconnected world, public health threats can emerge on the other side of the globe and arrive within a day on the doorstep of our health departments, healthcare providers, schools, and more. Global health security includes threats to healthcare and public health from cyber-attack. If you would like to learn more about cyber security threats, save your spot and register now for the Summit.
- Anderson, H. (2012, April 9). Utah health breach affects 780,000. Data Security Today. Retrieved Aug. 9, 2014, from http://www.databreachtoday.com/utah-health-breach-affects-780000-a-4667.
- Reed, T. (2014, Aug. 21). Three reasons why data is such a big target in the health care sector – and what health practices can do about it. Washington Business Journal. Retrieved Oct. 8, 2014, from http://www.bizjournals.com/washington/blog/2014/08/3-reasons-why-health-care-data-is-such-a-security.html?page=all.
- Humer, C. and Finkle, J. (2014, Sept. 24). Your medical record is worth more to hackers than your credit card. Reuters. Retrieved Oct. 8, 2014, from http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924?feedType=RSS&feedName=healthNews.
- Roman, J. (2014, June 25). Montana breach victim tally: 1.3 Million. Data Breach Today. Retrieved Aug 9., 2014, from http://www.databreachtoday.com/montana-breach-victim-tally-13-million-a-6992.
- McGee, M. (2014, Feb. 6). Hackers hit health system’s server. Data Breach Today. Retrieved Aug 9., 2014, from http://www.databreachtoday.com/hackers-hit-health-systems-server-a-6481.
- Synthesized from Barnett et al: Cyber Security Threats to Public Health. Institute of Medicine (2008) as adapted from Institute of Medicine, The Future of the Public’s Health in the 21st Century (2002) and U.S. Army Training and Doctrine Command, 2005.
- Barnett, D. J., Sell, T., Lord, R.K., Terbush, J., and Burke, T. Cyber security threats to public health. World Medical & Health Policy 1: (2013): 37-46. Retrieved Aug. 9, 2014, from http://onlinelibrary.wiley.com/doi/10.1002/wmh3.19/abstract.