By Justin Snair, Senior Program Analyst and David G. Henry, former Senior Program Analyst, Public Health Preparedness, NACCHO
October is National Cyber Security Awareness Month. This post is adapted from an article on cyber security that originally ran in The CIP Report, a newsletter from the Center for Infrastructure Protection and Homeland Security at George Mason University.
In December 2011, a hospital in Georgia was forced to divert all non-emergency admissions to other medical centers, after a malware infection downed the institution’s IT network and required staff to use paper records. The attack affected computer connectivity, as hospital computers could not communicate with each other. The hospital was forced to use a runner system, where papers were shuttled by personnel from station to station.
A cyber attack on a healthcare facility that disrupts its capacity to manage patients can be devastating to a local community’s ability to manage the routine care of its population, as well as patient surge during catastrophic events. The impact of cyber attacks on healthcare facilities can be organized into three categories: 
- Losses of confidentiality: The exposure of personal data can trigger ripple effects for victims of cyber crime, including theft or loss of patient information. Another consideration is the connection between patient data and personal medical devices. Those devices carry security and privacy risks as they become increasingly networked and wireless.
- Losses of integrity: Patients and practitioners may lose confidence in a healthcare provider’s ability to maintain patient privacy, due to perceptions of inadequate security.
- Losses of availability: Cyber threats to data and operations systems can take a facility off-line, leading to disruption of care due to software outages. In addition, the loss of access to health records may limit the provider’s ability to provide appropriate care, shelter, and medicine in times of need. Lastly, damage to infrastructure—such as insurance and payment or utility systems—could also prevent people from accessing necessary medical care.
Healthcare infrastructure is already vulnerable, as our healthcare delivery system routinely operates at or near 100 percent of capacity on a daily basis. Compounding the stress on the system is the increase in the aging U.S. population and rise in hospital admissions due to the impacts of hospital closures, the use of emergency departments as a primary point of care for the uninsured, and increased length of stay due to rising chronic illness rates in recent years. In addition, close collaboration among public, private, and non-governmental stakeholders to assure safe healthcare infrastructure is a challenge.
Private and non-profit healthcare delivery systems do not carry the burden of critical infrastructure protection alone. The public health sector—state and local health departments—is a leader within the healthcare sector in preparing for, responding to, and recovering from man-made and natural disasters. For local public health, healthcare is an equal partner in keeping the nation’s health services secure for all communities. Public trust depends upon the sustainability and resilience of our national healthcare and public health critical infrastructure.
Current policy falls short of protecting the health sector from cyber threats. To foster improvements in the healthcare delivery system, Federal doctrine, such as the National Health Security Strategy (NHSS), the Centers for Disease Control and Prevention’s Public Health Preparedness Capabilities: National Standards for State and Local Planning (PHEP), and the U.S. Department of Health and Human Services’ Office of the Assistant Secretary for Preparedness and Response’s Healthcare Capabilities: National Guidance for Healthcare System Preparedness (HPP), has promoted the adoption of technology in healthcare facilities. However, as healthcare providers begin to use e-Health, information technology, and other web-based tools with inadequate security systems or enforcement, the sector exposes itself to cyber threats. According to the Third Annual Benchmark Study on Patient Privacy & Data Security (2012), 94 percent of healthcare organizations have had at least one data breach in the past two years. Forty-five percent report that they have had more than five incidents.
At the executive level, President Obama issued Presidential Policy Directive (PPD)-21 and Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity, emphasizing the need for holistic thinking about critical infrastructure security and risk management. Those directives and executive orders will drive action among critical infrastructure systems—including healthcare—to improve their network security. Additionally, those policies will help promote and incentivize the adoption of cyber security practices, increase cyber threat information sharing, evaluate and mature public-private partnerships, and build understanding of the cascading consequences of infrastructure failures. With the release of PPD-21 and EO 13636 and the subsequent operationalization of these policies, Federal agencies responsible for NHSS, PHEP, and HPP should prioritize improving the security of healthcare information systems, strengthening the public-private partnerships vital to healthcare cyber security and resiliency, and adopting standards and frameworks for information sharing and security within the revisions of guidance doctrine.
Moving forward, public health and healthcare partners need not wait for revisions of federal doctrine or full implementation of PPD-21 and EO 13636 to begin improving the security of healthcare facilities. Communities can improve cyber security by opening a dialogue with the key local public-private stakeholders to improve partnerships and information sharing. Healthcare facilities can coordinate across sectors to engage technology experts to further improve system security and ensure the protection of their data and systems. Lastly, the healthcare sector can raise employee awareness of cyber threats by implementing digital hygiene training, meant to create a common understanding of how to keep computer systems safe. By taking those first steps to improve health information sharing and cyber security, healthcare sector operators can begin to reduce the risk and exposure that come with the adoption of new technologies to improve their service delivery, patient care, and the resiliency of their communities.
- Elliot, R. (2011, December 9). Hospital put under “Total Diversion” after computer virus. WSBTV. Retrieved from: http://www.wsbtv.com/news/news/local/hospital-diverting-trauma-cases-due-computer-probl/nFyYY/
- US Army. (2005). Cyber Operations and Cyber Terrorism. US Army Training and Doctrine Command DCSINT Handbook 1.02. Retrieved from: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA439217
- Barnett, D.J., Sell, T., Lord, R.K., Terbush, J., & Burke, T. (2013). Cyber Security Threats to Public Health. World Medical & Health Policy. no. 1 (2013): 37-46. Retrieved from: http://onlinelibrary.wiley.com/doi/10.1002/wmh3.19/abstract
- Smith, W. M. (2009). Institute of Medicine Forum on Medical and Public Health Preparedness for Catastrophic Events. Financing Surge Capacity and Preparedness. Retrieved from: http://www.iom.edu/~/media/Files/Activity%20Files/PublicHealth/MedPrep/Jun-10-11-2009-Commissioned%20Papers/Jun-10-11-2009-Commissioned-Paper-Financing-Surge-Capacity-and-Preparedness.pdf
- Ponemon Institute. (2012). Third Annual Benchmark Study on Patient Privacy & Data Security. Retrieved from: http://lpa.idexpertscorp.com/acton/attachment/6200/f-0033/1/-/-/-/-/file.pdf