With the WannaCry ransomware attack fresh on our minds, a new report has just been published by the US Department of Health and Human Services, (HHS) Cyber Security Task Force on improving cybersecurity across the health care industry.
Although it presents recommendations that are well worth reading, what is particularly striking about this report is the focus it has on cyber security and patient safety. The Task force producing the report writes that it reflects “a shared understanding that for the health care industry, cyber security issues are, at their heart, patient safety issues.” Further to this, they write, “As health care becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve”.
An editorial in the BMJ (formerly the British Medical Journal) last month contained essentially the same message when it highlighted “the poor state of cybersecurity in the NHS and the failure to recognize it as a fundamental matter for patient safety.”
The BMJ editorial cites risks incurred through “the extremely fragmented governance of cybersecurity in the NHS”, and that this was a core issue “underpinning the recent attack, and affects healthcare more profoundly than other critical sectors such as financial services, energy or central government”. If this sounds familiar, it is because these issues can be found across many countries, including Canada. And while a considerable amount of effort is being undertaken to support privacy and cybersecurity best practices across Health Authority hospitals and health care institutions here in British Columbia, there is much to be done to provide the same level of support in physician offices and dental clinics.
Cybersecurity risks to networked medical devices and connected IT networks cited in the HHS report which can impact patient safety include:
- Failure to provide timely security software updates and patches to medical devices and networks to address related vulnerabilities
- Malware which alters data on a diagnostic device
- Device reprogramming which alters device function by unauthorized users, malware, etc
- Denial of service attacks which make a device unavailable
- Unauthorized access to the health care network
- Uncontrolled distribution of passwords, disabled passwords, hard-codes passwords for software intended for privileged device access
- Security vulnerabilities in off-the-shelf software due to poorly designed security features
- Misconfigured networks or poor network security practices
- Open, unused communication ports on a device which allows for unauthorized, remote firmware downloads.
Thes risks impact confidentiality, integrity and availability of health care information in varying degrees, and in different ways. As do, the HSS report cites, risks arising from the complex mix of applications, programs and interfaces from a variety of vendors supporting Electronic Health Records (EHRs). But, according to the HSS report, they all have a direct effect on patient safety.
This raises some important questions.
When it comes to managing health care information, are clinics doing enough to protect patient safety? And if more must be done, how can clinicians be better supported, so that their patients are not put at risk?
We will be writing more about recommended privacy and cybersecurity best practices for health care clinics here in western Canada. In the meantime, there is much you can do already. When you have a moment, check out our growing collection of posts on Best Practices.
If you need help, contact us.