Patient Safety and Cybersecurity: Seeing the Bigger Picture

Patient safety through secure digital tools

Lee Kim, JD, CISSP, CIPP/US, FHIMSS

Ask anyone in healthcare what the most valuable asset is to any healthcare organization and the answer will be the patient. Patients entrust us with their care. Whether it is helping patients get better, saving their lives, or sustaining their lives, patients expect and assume they will receive high-quality and safe care.

The world has significantly changed in the past decade and the healthcare sector has changed with it. Many healthcare organizations are now digital and digital tools enable patient safety and care. EHRs have replaced paper records. Picture archiving and communication systems have replaced film and light boxes. Computer-implemented or enabled hardware and software have replaced the mechanical systems of yesterday. In some instances, virtual visits have replaced in-person visits. And patients can transmit information about their health status and condition in real time to their clinicians via various software applications and devices.

As a result of our digital transformation, electronic data is the lifeblood of the healthcare organization. In the healthcare context, electronic data must be kept confidential, its integrity must be preserved, and it must be made available on demand wherever and whenever it is needed. But if electronic data is not appropriately protected, clinical care and the business of healthcare can grind to a halt. This is why ransomware has been a significant concern for many healthcare organizations.

Thinking Beyond EHRs for Cybersecurity

Attacks on EHRs and other information systems are frequently what we talk about when we talk about cyberattacks. Yet the attack surface of hospitals is so much larger. Think of any connected device or application, including those used in building automation systems (e.g., HVAC systems and elevators). Software applications and embedded programs within firmware or other hardware may be vulnerable to attack. Computer processors may likewise be vulnerable.

Let’s use supply chain as an example. A supply chain attack on an HVAC vendor that is connected to a hospital network could adversely impact patient safety. First, the HVAC system may be targeted itself—an essential system that helps ensure patient safety, comfort and health. Second, attackers may use the HVAC system as an entry point to pivot to other areas or regions of interest within a hospital network.

All stakeholders, including government agencies and suppliers, need to help ensure that cybersecurity is a priority, shared Saif Abed, MD, founding partner of AbedGraham Healthcare Strategies.

Addressing Security Soft Spots

Within the healthcare sector and across other sectors, too, the protection of operational technology assets tends to lag behind the protection of information technology assets.

Operational technology is defined as hardware and software that detects or causes a change through the direct monitoring or control of devices, processes and events. Examples of operational technology assets include HVAC systems and elevators, as previously mentioned. Thus, building automation systems and other types of operational technology assets tend to be soft spots within an organization that may be vulnerable to attack.

We have seen the evolution of the Internet of Medical Things and a significant increase in the numbers of connected devices at organizations. In addition to operational technology assets, such connected devices include implantable and extracorporeal medical devices that are relied upon by patients for life-sustaining or life-saving functions. These devices used to be standalone electromechanical devices that did not have network connectivity.

But, now, with our digital health revolution, we have more tools at our disposal to use and maintain such devices. Yet, for every opportunity, there is also a risk that these devices and tools may be misused for malevolent purposes. As stated by the Healthcare Industry Cybersecurity Taskforce, “Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals, and facilities have to work to manage them to protect patient safety.”

The risk of patient harm is real. For this reason, we need to have all hands on deck when it comes to patient safety and cybersecurity. We need to understand the benefits and risks, as well as how to mitigate adverse events that may occur. After all, cybersecurity is the lifeline for patient safety.
