How can compromised healthcare IT systems lead to life-threatening consequences?
Healthcare CEOs know all about patient safety – at least that’s what they’ll tell you. The Joint Commission and other accreditation bodies have been all over the subject for years. Ask them what 'patient safety' really means and most will start talking about how healthcare organizations protect their patients from errors, injuries, accidents, and infections. It’s a big issue.
According to the Journal of Patient Safety, as many as 440,000 people die every year from preventable errors in US hospitals alone. Yet only a few healthcare CEOs include cybersecurity in their list of top risks, though that is quickly beginning to change.
Today’s US healthcare payers, providers, and pharmaceutical companies are under attack. These attacks range from state-sponsored theft of healthcare IP (clinical formulations, procedures, and treatment regimens) and of patient PII, including the records of 78.8 million Anthem customers exposed in the 2015 breach, to the commercial theft and sale of PHI and PII by cyber-criminal gangs intent on monetizing stolen data.
Operational & Reputational Risk
What many don’t realize is that cyber risk in a healthcare setting is not just about attacks against the confidentiality of information, but also against the availability and integrity of health IT systems and data. Healthcare is a prime target for extortion and has been disproportionately impacted by waves of ransomware that lock up health IT systems and, with them, the organization’s ability to deliver care to patients.
Just look at the UK NHS when much of it succumbed to the global WannaCry ransomware attack in May 2017. According to the National Audit Office, at least 81 of the 236 NHS trusts in England were affected, either infected outright or forced to shut systems down as a precaution; thousands of appointments and operations were cancelled, and several emergency departments diverted ambulances to other hospitals. The worm spread through an SMB vulnerability for which Microsoft had released the MS17-010 patch two months earlier, and many of the affected machines were running unpatched or unsupported versions of Windows. Had the NHS understood the true magnitude of its cybersecurity risks and acted accordingly, applying available patches and retiring out-of-date systems, much of the harm to its patients could have been avoided.
I’m sorry, the doctor can’t see you at the moment – our IT systems are down!
So what happens to patient care when critical health IT systems aren’t available to diagnose or treat patients? Surgeries get cancelled, or patients are put in an ambulance to an unaffected hospital 40 or 50 miles away. That’s where the patient safety question comes into play.
What is the impact on a sick patient who has to be transported a great distance to a functional hospital? What if that patient needs a flight to the nearest unaffected facility and dies en route? Healthcare providers have a duty of care for patient safety, and that duty extends to the availability of the health IT systems needed to treat patients.
What is the level of culpability for healthcare providers when they fail to properly evaluate and protect against availability risks to their IT systems? Should hospitals be held accountable in the same way that we hold retailers accountable when they fail to protect their credit card payment systems?
Modern healthcare providers are highly dependent upon the clinical IT systems they use to diagnose and treat patients. What happens when a Pyxis automated dispensing cabinet won’t open to release critical medications? What happens when a pharmacy robot dispenses the wrong medications for a patient and the mistake is not noticed by overworked staff? Our reliance upon IT and healthcare IoT systems is perhaps greater than most physicians would willingly admit.
"Primum non nocere" (First, do no harm)
Making cyber risk a core part of enterprise risk assessment across the healthcare industry should be non-negotiable. Given the potential consequences for patient safety, cyber risk must be evaluated alongside every other asset and process in the clinical business, with the availability of clinical systems treated as a patient-safety control, not just an IT concern. The sooner hospital boards wake up to this reality, the sooner the operational and reputational risks that directly impact patient safety can be reduced.