The patient lying on the emergency department table in front of Paul Pugsley was having a stroke. Time was running out. Pugsley, an emergency medicine resident at Maricopa Medical Center, knew he had to get the patient to the CT scanner.
But when Pugsley glanced at the computer screen at the side of the room, he saw a pop-up message demanding payment in bitcoin. A few minutes later he was told that the same message had locked up the scanner: he would have to treat the patient without knowing whether the stroke was caused by a bleed or a clot, information that normally determines the course of treatment.
After a few minutes of frantic improvisation, the patient (in fact a medical mannequin) was wheeled out of the room with a prognosis of survival, but with serious brain damage. The flashing ransom note was part of a simulation designed to expose doctors like Pugsley to the very real threat of cyberattacks on their hospitals.
Reports show that ransomware and other cyberattacks are on the rise, and that health care is one of the main targets. This week, Israeli researchers announced that they had built malware that can add fake tumors to CT and MRI scans, designed to trick physicians into misdiagnosing high-profile patients, as Kim Zetter reported in The Washington Post. Despite the growing threat, the vast majority of hospitals and doctors are unprepared to deal with cybersecurity threats, even though those threats pose a major public health problem.
The health care industry relies increasingly on internet-connected technology, from patient records and lab results to radiology equipment and hospital elevators. That is good for patient care, because it makes data integration, patient engagement and clinical decision support easier. But these technologies are often vulnerable to cyberattacks that can siphon off patient data, hijack drug infusion pumps to mine cryptocurrency, or shut down an entire hospital until a ransom is paid.
"Disruption of internet-connected systems, whether caused by an adversary or by accident, can have a huge impact on patient care," says Beau Woods, a cybersecurity advocate and researcher with the Atlantic Council.
The scenario Pugsley faced in the simulation mimicked the WannaCry attack of spring 2017, which infected thousands of computers and paralyzed the UK's National Health Service. That same year, the Health Care Industry Cybersecurity Task Force convened by the US Department of Health and Human Services concluded that health care cybersecurity was in "critical condition". Experts say health care lags far behind other industries, such as finance, in protecting its IT infrastructure. And unlike in finance, a failure in health care can end in injury or even death.
There is no evidence that any patient died as a direct result of WannaCry. But the attack paralyzed thousands of hospital computers and pieces of diagnostic equipment, forcing doctors to transfer lab results between hospitals by hand and to cancel nearly 20,000 patient appointments. The worm exploited a vulnerability in Microsoft Windows, encrypted data and held the affected systems for ransom in bitcoin. Microsoft had released a patch for that vulnerability two months before the outbreak; the machines that fell were the ones on which it had not been applied. Although WannaCry was eventually halted, Woods says health facilities remain vulnerable to attacks of that magnitude.
"I want to sound the alarm without being alarmist," Woods says. "The preconditions for something bad to happen are there. We know there is fuel on the ground; we just don't know which match will light it."
Billions of threats
NotPetya was one of the biggest cyberattacks of all time. The June 2017 attack caused an estimated $10 billion in damage, crippling businesses and computers worldwide, from Tasmania to Copenhagen, including those of Nuance, a Massachusetts-based medical transcription service. The company's systems were down for several weeks, leaving thousands of health care delivery organizations, including Sutter Health, a health system in northern California, unable to use its software.
Sutter Health, which serves more than 3 million patients, had prepared. It was able to respond quickly to the attack and take the affected system offline, says Jacki Monson, its chief privacy and information security officer. But within a day there was already a backlog of more than a million files to transcribe.
"It could easily have created a patient safety problem: if you have transplant patients or patients undergoing surgery, you need all those medical notes," she says.
Sutter Health fends off countless attacks every day. According to Monson, it faced about 87 billion cyber threats in 2018 and uses artificial intelligence to triage and assess them. "We prioritize them; a human can't look at that many billions." Depending on the nature of the threat, the team may apply hotfixes or block an email address it suspects of sending phishing.
Monson says the number of threats Sutter Health faces is probably high because of the size of the system, but that the figure would still be in the billions for any hospital or health care delivery organization. And it only takes one threat getting through. "Most organizations with an active cyber attack don't find it for 18 months or more," Monson says. "It's not a question of if or when; it's probably already happening and you don't know it."
Sutter Health's strong cybersecurity program is the exception rather than the rule, however. Most hospitals lack the resources to monitor threats to their systems, and many may not even realize that those threats are a concern.
Medical device manufacturers and the Food and Drug Administration are well aware of the cybersecurity challenges in health care: the FDA has issued guidance on how manufacturers should manage cybersecurity risk both before and after their products reach the market, and it hosted a workshop on medical device cybersecurity at the end of January. At the workshop, a group of manufacturers (including big names such as Abbott and Medtronic) committed to working closely with hackers and security researchers on vulnerabilities.
But hospitals and doctors have not kept pace with this progress. "We have good tools in the middle of the supply chain, at the FDA level, with the manufacturers," Woods says. "We just don't see it at the point where care is delivered."
The costs of black boxes
The technology in use inside hospitals varies enormously: some medical devices are new, but others were made by companies that are no longer in business, or run outdated software with known security holes. Pacemakers and other internet-connected implanted devices can be hacked. Human error opens holes in systems too: on the data privacy side, most breaches were caused by employee mistakes or unauthorized disclosures, according to a study published in JAMA Internal Medicine.
On top of that, experts say hospitals often do not know what software runs on the devices they use every day. "When WannaCry hit, hospitals struggled to find out which medical devices were affected," says Christian Dameff, a physician and cybersecurity researcher at the University of California, San Diego Health. "These devices are often black boxes for hospitals."
That does not mean hospitals pay no attention to their computer systems. It is just that their focus is on a different kind of security. Data security practices in hospitals generally prioritize protecting patient privacy, because organizations can be fined under HIPAA for exposing patient data. "That lets them overlook [the fact that] devices that may not hold patient health information are at the same risk," says Jeff Tully, a cybersecurity researcher and physician at UC Davis Medical Center.
The problem is that the vast majority of hospitals have no full-time cybersecurity staff, Dameff explains. "There is a lack of awareness and resources," he says. Small rural hospitals in underserved communities probably do not have the money to hire staff or update their systems, he notes. And without security staff, they may not know about the security updates a device manufacturer releases, or be able to apply them.
Without that protection, it can be hard for the staff already on hand to recognize an attack. Nurses and doctors, who have plenty to do already, may not spot a hacked device. If, for example, an infusion pump delivering a drug were infected with cryptocurrency-mining malware that slowed the pump's delivery of the drug, the device might simply be removed from the patient's room and replaced with the same model, Dameff says, a fix that would not address the underlying problem and could affect patient care.
"One of the scariest things would be a vulnerable medical device that is unpatchable," Dameff says. "What do we do, what do we tell patients?" No regulatory body requires hospitals to update equipment, and it may not be feasible for them to do so: if a $4 million piece of equipment can't be patched, the hospital may not have the means to replace it with something new, he says. "They could say, 'We have no choice.'"
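The inventory gap that Dameff and Tully describe above (not knowing which devices run what, and which of them a manufacturer's update actually applies to) can be made concrete. The following Python script is an added example, not code from the article or from any organization it quotes. It reads a constructed asset-inventory export (the column names and every row are assumptions), checks each device against a constructed advisory list and an illustrative end-of-support table, and flags devices whose operating system is past end of support, that were last patched before a fix became available, or whose software is simply unknown. The single advisory entry is modelled on the March 2017 Windows fix that unpatched WannaCry victims lacked, but its identifier is invented; the end-of-support dates should be checked against the vendor's lifecycle page before relying on them.

```python
"""Flag devices in a medical-device inventory that are exposed to known issues.

Added example with a constructed inventory and constructed advisories;
all identifiers and field names are assumptions, not a real system's schema.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Optional

# Constructed export from a hypothetical asset-management system. The blank
# cells are deliberate: in practice the OS and patch level are often unknown,
# which is the "black box" problem described in the text.
INVENTORY_CSV = """asset_id,device,vendor,os,os_version,last_patched,network_reachable
MD-0001,CT scanner,ExampleVendor,windows,7,2018-11-02,yes
MD-0002,Infusion pump,ExampleVendor,embedded-linux,3.10,,yes
MD-0003,MRI console,ExampleVendor,windows,xp,2013-05-01,yes
MD-0004,Ventilator,ExampleVendor,windows,10,2019-02-12,no
MD-0005,Lab analyzer,ExampleVendor,,,,yes
"""

# Illustrative end-of-support dates; verify against the vendor lifecycle page.
END_OF_SUPPORT = {
    ("windows", "xp"): date(2014, 4, 8),
    ("windows", "7"): date(2020, 1, 14),
}

# Constructed advisory list. The entry is modelled on the March 2017 Windows
# SMB fix that unpatched WannaCry victims lacked; the ID itself is invented.
ADVISORIES = [
    {
        "id": "ADV-EXAMPLE-0001",
        "os": "windows",
        "versions": {"xp", "7", "10"},
        "fix_available": date(2017, 3, 14),
        "summary": "SMB remote code execution, wormable",
    },
]

# Assumed date on which the assessment is run (the article dates from April 2019).
ASSESSMENT_DATE = date(2019, 4, 5)


def parse_inventory(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per device."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def assess(inventory: List[Dict[str, str]], advisories: List[Dict], today: date) -> List[Dict]:
    """Return one finding per exposed device, network-reachable devices first."""
    findings = []
    for row in inventory:
        os_name = (row.get("os") or "").strip().lower()
        version = (row.get("os_version") or "").strip().lower()
        patched = _parse_date(row.get("last_patched"))
        reasons = []
        if not os_name:
            # Unknown software cannot be assessed; report it rather than
            # silently skipping it, since "unknown" is not "safe".
            reasons.append("operating system unknown; treat as exposed")
        else:
            eos = END_OF_SUPPORT.get((os_name, version))
            if eos is not None and eos <= today:
                reasons.append(f"OS unsupported since {eos.isoformat()}")
            for adv in advisories:
                if adv["os"] == os_name and version in adv["versions"]:
                    # A missing patch date counts as unpatched.
                    if patched is None or patched < adv["fix_available"]:
                        reasons.append(f"{adv['id']} unpatched: {adv['summary']}")
        if reasons:
            reachable = (row.get("network_reachable") or "").strip().lower() == "yes"
            findings.append({
                "asset_id": row["asset_id"],
                "device": row["device"],
                "network_reachable": reachable,
                "reasons": reasons,
            })
    # A worm reaches network-exposed devices first, so rank those at the top.
    findings.sort(key=lambda f: (not f["network_reachable"], f["asset_id"]))
    return findings


def run_example() -> List[Dict]:
    """Run the assessment over the constructed inventory and advisories."""
    return assess(parse_inventory(INVENTORY_CSV), ADVISORIES, ASSESSMENT_DATE)


if __name__ == "__main__":
    for finding in run_example():
        flag = "NET" if finding["network_reachable"] else "   "
        print(f"{flag} {finding['asset_id']} {finding['device']}: " + "; ".join(finding["reasons"]))
```

Run as written, the script flags the XP-based MRI console (unsupported OS and never patched for the advisory) and the lab analyzer whose OS is unknown, while the infusion pump on embedded Linux, the Windows 7 scanner patched after the fix date, and the Windows 10 ventilator pass. The design point is the treatment of missing data: a blank OS or patch date is reported as exposure rather than ignored, which is the opposite of what an inventory with empty columns invites a busy team to do.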
Caring for patients
In November, the computer systems at East Ohio Regional Hospital and Ohio Valley Medical Center suddenly stopped working. They had been hit by a ransomware attack, forcing the hospitals to divert patients from the emergency room and fall back on paper charting. Staff had trouble accessing bedside scans and had limited access to CT scans, says Neal Aulick, medical director of emergency services at the hospitals. It was a difficult time, but Aulick notes that "looking back, we did not see bad outcomes. I think we handled the situation very well."
There is a tension between cybersecurity experts who want to lock down hospital systems and physicians focused on patient care. It is essential that clinicians understand the importance of cybersecurity, because they are the ones in direct contact with the patients who use and are affected by medical devices, but it can be a hard sell for busy clinicians. And without buy-in from hospitals and doctors, Dameff says, all the efforts by the FDA and device manufacturers to improve cybersecurity are in vain. This is what he calls the last-mile problem: "That's the last step, where a provider or hospital has to find a problem or deploy a [software] patch. It's really hard," he says. "We'll have all this good work, the way it's supposed to be done, and then a doctor doesn't install the update."
As an emergency physician and medical director, Aulick says he recognizes the risks of internet-connected systems, but that those risks have to be weighed against the speed and access to information they make possible. "When you have a breach like that, the response is overblown," he says. Cybersecurity teams tighten security with additional passwords or authentication, which makes systems safer but can also slow down treatment.
Sung Choi, an assistant professor in the Department of Health Management and Informatics at the University of Central Florida, says that is a common response from doctors. "Hospitals are trying to improve security, but in practice clinicians can bypass those measures, so they are not as effective," he says. "Security adds inconvenience by design. The next step is to figure out how to improve it without the downsides."
And that inconvenience can have real consequences. Even patient privacy breaches, which might seem separate from patient care, can affect health: Choi's research shows that data breaches are followed by an increase in the affected hospital's 30-day mortality rate. One explanation is that an organization's efforts to recover from a breach disrupt normal operations and pull resources away from patient care. "It introduces a lot of changes in a hospital," he says. "They might need to upgrade the software or retrain the staff, which could affect the clinical workflow."
That is precisely what worries doctors like Aulick. And one of the hardest tasks facing cybersecurity experts is gauging the scale of a growing and relatively new problem. In fact, very little research has been done on patient health during and after cyberattacks on hospitals.
But there are some analogies. In 2017, research published in the New England Journal of Medicine found that people who had a heart attack and were taken to hospital while a marathon was being run were more likely to die within a month than people taken to hospital on another day, probably because road closures and diverted resources delayed their care. Tully says the comparison is imperfect, but that is what worries cybersecurity experts when they think about ransomware attacks. "Anything that delays or degrades care will affect outcomes," he says.
Framing cyberattacks as patient safety issues helps experts persuade doctors and clinicians to adopt good cybersecurity practices, when they might otherwise see it as a purely administrative matter, Monson explains. "Telling more stories about the impact on patient safety resonates with physicians," she says. "If we're not talking about patient safety, it's unlikely that doctors will understand how it involves them."
Addressing cybersecurity in health care in any meaningful way will not be easy, and it will require cooperation from everyone: doctors, nurses, IT professionals and manufacturers. In practice, that might look like adding cybersecurity training to medical school, or making wider use of simulations that put clinicians like Pugsley in situations that mimic a cyberattack. "We don't want to turn clinicians into hackers," Dameff says, "but is it reasonable to have an hour or two or more of cybersecurity and patient safety training in medical school?"
Educating doctors matters, and Monson says incentives to encourage hospitals to invest will be essential too. "And at some point we will need regulatory intervention to move the needle," Monson says. "It doesn't seem like voluntary efforts are working. When it comes to patient safety, we shouldn't be taking risks."
Right now, if something like WannaCry were to hit the United States, Woods says, our hospital infrastructure would not be ready. "We'd have to figure out a response on the fly." Ongoing efforts to make health care aware of best practices are encouraging, he says, and patients and investors are demanding information. But lives are still at risk. "There's a lot going on. I'm afraid it's just not fast enough."