Cyber Attacks in Healthcare
Healthcare cyber security and cyber attacks against healthcare organizations will be one of the most potent and expensive areas to deal with in 2021.
The medical industry in the United States is estimated to spend $134 billion on cybersecurity from 2021-26. Of healthcare executives, 82% state that existing finances have not been properly earmarked for this purpose, with most funds commonly disbursed after cyberattacks.2
Nearly three-quarters of hospital administrations and outpatient facilities state that computer networks and servers are ill-equipped to take action against cyber attacks.2 Attacks on healthcare organizations are expected to triple in 2021, while 80% of these groups have not conducted a cybersecurity exercise, in spite of growing instances of hacker infiltrations each year.2
DISCLAIMER: Dr. Dalawari shares interesting and relevant medical-legal news in the press. He also shares case verdicts & settlements from the public record. He has no professional or personal relationship to the cases.
At a glance
Intro: This article discusses healthcare cyber security, ransomware in healthcare, cardiac implantable electronic devices, and patient perspectives on cybersecurity threats for wearable & implantable medical devices.
Cybersecurity Threats in Medicine
Ransomware & Healthcare
Cardiac Implantable Electronic Devices
Cyberattacks on Medical Devices
Patient Perspective on Cybersecurity Threats
Cybersecurity Threats Conclusions
Conclusion: Patients can be impacted by cyberattacks in the functionality of a CIED or a delay in treatment due to a malware attack on an EMR.
Ransomware & Healthcare
In February 2019, the health records of ~15,000 patients from a cardiology unit at Cabrini Hospital in Australia were encrypted via a ransomware incident.3
The hospital was incapable of retrieving a majority of the electronic medical records, even after it shelled out money for the decryption code.3
The private details and confidential health records of patients were part of the cybersecurity breach, and therefore put those patients at higher risk for identity theft.3
In the summer of 2016, MedStar Health Cardiology Associates (MHCA) was struck with a ransomware attack. To top it off, MHCA also learned that a worker had sent the secure medical data of 907 patients to a personal email address. The compromised data encompassed health ID numbers, patient names, dates of birth, and social security numbers.4
These examples show that any hospital or healthcare provider can be the target or victim of a cybersecurity attack. These assaults on patients’ medical data, privacy, quality of life, and safety of treatment should be given front and center attention.
Patients are now suing healthcare organizations based on the fallout from cybersecurity attacks. The DCH health system is being sued by four patients in a federal class-action lawsuit claiming that three Alabama hospitals breached medical data privacy laws and interrupted their healthcare treatment after a ransomware attack in October 2019.5 The breach resulted in ten days of shut down for the three hospitals to treat non-urgent cases only.5
Hacking refers to the method of changing computer software and hardware to achieve an objective that is contrary to the programmer’s intent.6
By gaining unauthorized access to diagnostic or therapeutic medical devices, hackers could cause a range of problems for healthcare organizations.6
Denial of Service (DoS):
An example would be a denial of service (DoS) attack, in which a threat actor aims to render a computer system inaccessible to its intended users by temporarily or indefinitely interrupting the services of an Internet-connected server.7
DoS is usually achieved by flooding the server or network with superfluous requests in an effort to overload computer systems and prevent some or all legitimate requests from being fulfilled.7
The increased risk of electronic medical records (EMR) being locked, altered or held for ransom will continue as more healthcare organizations switch from paper charts to computer servers.
The term ransomware denotes a type of malware utilized by hackers that first encrypts files and then demands a payoff in exchange for the code to unlock the records.1
The cash payment is generally made using a cryptocurrency, so the payment cannot be traced by law enforcement.
With the implementation of any new technology involving computer software and hardware, there is a risk-benefit ratio for patients and providers of healthcare services.
Do patients know when cyberattacks compromise their privacy and electronic medical records?
Can healthcare providers guarantee the quality and safety of EMRs and cardiac implanted devices that have been compromised by a ransomware attack?
Cyber Attacks on Medical Devices
CIED Technologies (Cardiac Implantable Electronic Device)
One area of liability for licensed physicians and manufacturers is cardiac implantable electronic devices (CIED), which may malfunction when breached by a cybersecurity attack.6
CIEDs could possibly be reprogrammed using illicit methods so that the standard functionality is corrupted or deactivated.
Remote monitoring of CIEDs, which requires regular transmissions between a home transceiver and the device, adds a further step that could be exposed to a cyberattack.6
For patients who depend on CIEDs, medical personnel should realize that cybersecurity vulnerabilities are frequently resolved by updating the firmware, a specific type of software embedded in the hardware of a CIED.6
The FDA in April 2017 released a warning letter to Abbott about cybersecurity deficiencies in ~465,000 pacemakers that utilize radio frequency communications.8, 9
The FDA also released a safety communication on August 29, 2017, called “Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication,” pertaining to the identified vulnerabilities and the resulting mitigation strategies.10
ICS-CERT published an advisory to offer supplementary information to patients and medical organizations.7
The advisory explained that successful exploitation of these vulnerabilities may allow a hacker to gain unauthorized access to a pacemaker and issue commands, alter settings, or otherwise interfere with the expected pacemaker functionality.7
Specifically, the advisory identifies the following vulnerabilities:10
- “The pacemaker’s authentication algorithm, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications.”
- “The pacemakers do not restrict or limit the number of correctly formatted ‘RF wake-up’ commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.”
- Select “pacemakers transmit unencrypted patient information via RF communications to programmers and home monitoring units, … these pacemakers store the optional patient information without encryption. These vulnerabilities could be exploited via an adjacent network. Exploitability is dependent on an attacker being sufficiently close to the target pacemaker as to allow RF communications.”
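The Python model below is an added example, not code from the advisory, the FDA or any device maker. It shows a receiver-side check that addresses the first two weaknesses quoted above: each command is authenticated with an HMAC over a time stamp and counter, and the number of frames processed per period is capped. The frame layout, key handling and limits are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAX_SKEW_S = 30         # assumed freshness window for the time stamp
WAKE_BUDGET = 5         # assumed number of frames processed per period
REFILL_PERIOD_S = 3600  # assumed refill period for that budget

class CommandGate:
    """Hypothetical receiver-side gate; not any vendor's firmware."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far
        self.tokens = WAKE_BUDGET
        self.refill_at = 0.0

    def _spend_token(self, now: float) -> bool:
        if now >= self.refill_at:  # period elapsed: refill the budget
            self.tokens = WAKE_BUDGET
            self.refill_at = now + REFILL_PERIOD_S
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True

    def accept(self, frame: bytes, now: float) -> str:
        # Charge the budget before any other work, so a flood of
        # well-formed frames cannot keep the receiver busy.
        if not self._spend_token(now):
            return "rate-limited"
        if len(frame) < 12 + 32:
            return "malformed"
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"
        ts, counter = struct.unpack(">IQ", body[:12])
        if abs(now - ts) > MAX_SKEW_S:
            return "stale"
        if counter <= self.last_counter:
            return "replay"
        self.last_counter = counter
        return "ok"


def make_frame(key: bytes, ts: int, counter: int, command: bytes) -> bytes:
    """Sender side: time stamp + counter + command, then an HMAC tag."""
    body = struct.pack(">IQ", ts, counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()
```

Charging the budget first also means that anyone in range can exhaust it and delay a legitimate session, so real limits have to be set with clinical access in mind.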
Patient Perspective on Cyber Security Threats
Patients and medical personnel have differing preferences about how and when they are alerted to a cybersecurity breach, depending on the type of hazard posed.6
If a person or hospital system chooses to report a cybersecurity issue to the device maker or regulatory body, the threat can be properly assessed by the appropriate authorities.
The manufacturer and FDA, in partnership with healthcare experts and cardiovascular societies, can work together to develop a plan to manage the threat and communicate it to the interested parties.6
When patients are educated prior to a CIED implantation and before an identified threat is announced, they will be able to grasp the actions required to swiftly evaluate and respond to potential vulnerabilities.6
This process, however, does not absolve the manufacturers or medical device providers of punitive or legal liability.
Patients can take legal action against these entities through law firms that specialize in medical litigation.
In a court of law, there are subject matter experts such as cardiologists who provide expert testimony on how compromised CIEDs or EMRs can alter a patient’s quality of care and safety of treatment.
Cyber Security for Healthcare Providers & Medical Devices: Threats & Conclusions
Patients can be impacted by cyberattacks in the functionality of a CIED or a delay in treatment due to a malware attack on an EMR.
Hackers simply do not care who they hurt or how it affects the families of these patients.
Irreversible or permanent harm hangs over these patients due to excessive greed and illicit power from domestic or foreign entities who seek only to serve themselves.
Patients who cannot access timely treatment due to a malware attack or who experience a malfunction in a CIED deserve proper compensation for their adverse medical event.
They should have the right to pursue legal action against the providers of health care services and manufacturers of medical equipment.
References
1. Mansfield-Devine, S. Ransomware: taking businesses hostages. Network Security. 2016;10: 8–17. https://perspectives.ahima.org/ransomwareinhealthcarefacilities/
2. Drees, J. Cyberattacks on healthcare providers expected to triple next year: Black Book report. Beckers Healthcare website. https://www.beckershospitalreview.com/cybersecurity/cyberattacks-on-healthcare-providers-expected-to-triple-next-year-black-book-report.html. Published Nov 2020.
3. Kadlec, J. Cyber attacks are costing healthcare organizations millions. Get Crypto Stopper website. https://blog.getcryptostopper.com/cyber-attacks-are-costing-healthcare-organizations-millions. Published March 6, 2019.
4. Freedman, LF. MedStar health cardiology associates employee emails patient information to a personal account and gets fired. Data and Privacy Security Insider website. https://www.dataprivacyandsecurityinsider.com/2016/09/medstar-health-cardiology-associates-employee-emails-patient-information-to-personal-account-and-gets-fired/. Published September 8, 2016.
5. Koplowitz, H. DCH health system patients file federal suit over ransomware attack. Alabama.com website. https://www.al.com/news/tuscaloosa/2019/12/dch-health-system-patients-file-federal-suit-over-ransomware-attack.html. Published Dec 23, 2019.
6. Slotwiner DJ, Deering TF, Fu K, Russo AM, Walsh MN, Van Hare GF. Cybersecurity vulnerabilities of cardiac implantable electronic devices: Communication strategies for clinicians—proceedings of the heart rhythm society's leadership summit. Heart Rhythm Society. 2018;15(7): E61-E67. https://doi.org/10.1016/j.hrthm.2018.05.001.
7. Security Tip (ST04-015). Understanding denial-of-service attacks. The United States computer emergency readiness team (US-CERT). https://www.us-cert.gov/ncas/tips/ST04-015. Published Nov 20, 2019.
8. Smith, MS. 465,000 Abbott pacemakers vulnerable to hacking, need a firmware fix. CSO Online website. https://www.csoonline.com/article/3222068/465000-abbott-pacemakers-vulnerable-to-hacking-need-a-firmware-fix.html. Published Sept 4, 2017.
9. Boyd, SM. Warning letter Abbott (St Jude medical Inc.) MARCS-CMS 519686. FDA.gov website. https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/abbott-st-jude-medical-inc-519686-04122017. Published April 12, 2017.
10. ICS Advisory (ICSMA-17-241-01). Abbott Laboratories’ Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI pacemaker vulnerabilities. https://us-cert.cisa.gov/ics/advisories/ICSMA-17-241-01. Published August 29, 2017.