Health Care Cybersecurity: Is There a Role for the Anesthesia Professional?

Julian Goldman, MD; Jeffrey Feldman, MD

Anesthesia CybersecurityKeeping patients safe during anesthesia care is a multifaceted challenge. The skills and vigilance of the anesthesia professional are necessary, but not sufficient. The ergonomics of the care environment, systems of care, communication between teams and many other factors ultimately impact patient safety. Now, it seems we need to add cybersecurity threats as another dimension to the patient safety battle.

One of the most famous health care cybersecurity breaches was the global Wannacry ransomware attack that disabled 600 organizations in the British National Health System in 2017. There were no deaths reported related to this attack, but the reduced access to health care is well documented. The impact on patient wellness is unknown. The cost to the health system was estimated to be almost 6 million pounds.1 Unfortunately, cyberattacks continue to increase in frequency requiring hospital systems to spend significant resources to prevent any impact on patient care services. At the current time, health care institutions are predicted to experience 2-3 times the average number of attacks on other industries,2 which can reach thousands of cyberattacks per month.

Attacks on health care organizations remain an international problem. One university hospital in the Czech Republic was forced by a cyberattack to delay surgery and transfer patients to other institutions for care.3

This hospital was a major testing center for COVID-19 so its ability to manage the pandemic through testing was also impaired. In the United States, a heightened cyberattack threat was identified in October 2020, and there have been a number of successful attacks on health care organizations that have disrupted health care services.4 For example, on October 28, 2020, the same day the New York Times published an article on the increased threat, a successful cyberattack incapacitated the electronic medical record system at the University of Vermont, impacting six hospitals within the care network.5 While every aspect of patient care was affected and numerous patients were unable to receive care, the reported impact on patients undergoing treatment for cancer was particularly heart-wrenching. As a result of the cyberattack, all of the records describing the chemotherapy care protocols were inaccessible. Patients arriving for chemotherapy treatments were denied care simply because the care providers could not access their records and determine how to treat them safely. It took almost one month to restore the recordkeeping systems.

Cyberattacks can take different forms. Ransomware attacks are obvious as they disable workstations or EMR databases, and the perpetrators of the attack offer to restore functionality if the attacked system owners pay a fee. Although payments do not generally result in the restoration of service and are not recommended, many victims have paid the cybercriminals. If ransomware infects and encrypts a system, it also has to be assumed that data could have been stolen—or “exfiltrated”—opening the door for the abuse of patient health information (PHI). Other types of cyberattacks may not be so obvious. Many medical devices are interconnected to receive and send data on the hospital network, and are therefore vulnerable to cyberattacks. Cybercriminals can potentially alter alarms and device functionality remotely, and the change may not be apparent until a patient suffers an obvious harm.

Health Care Cybersecurity

Why do Cybercriminals Target Health Care Systems in Particular?

Health care data is especially valuable as a rich source of both personal and financial information and can sell on the dark web at a premium compared with simple credit card data. The high value of data combined with relatively weak cybersecurity infrastructure, makes health care institutions very attractive targets. Unfortunately, the COVID-19 pandemic has magnified the potential impact of a successful cyberattack on patient care, creating a unique opportunity to exploit the vulnerability of health care IT systems. Indeed, the increased cyberattacks on health care organizations that followed the notice in October 2020 of an increased threat level may not be financially motivated. The recent increase in attacks targeted at health care institutions follow particularly successful efforts by U.S. government agencies to disable the ability of hackers to impact the American election process. The current increase in attacks may be a retaliation, and an effort to make it clear that these hackers are still highly effective.

Unfortunately, one cannot deny the possibility of simple malevolence directed at vulnerable populations as a motivator for these cyberattacks. Health care institutions are highly vulnerable due to the ever increasing reliance on Information Systems (IS) to provide patient care, but many lack the resources of large corporations to invest in cybersecurity. Sick patients, especially during a pandemic, provide an attractive target to criminals due to the likelihood of a negative impact on these patients, and the possibility to create fear or panic.

Can Cyberattacks be Prevented?

Kevin Mitnick, one of the most successful early hackers, was active from the 1980s until 1995 when he was jailed for communication-related crimes. He has since become a computer security consultant, but the story of his days as a hacker makes for interesting reading.6 One important lesson is that the strategy of “social engineering” was essential to his success and remains the primary strategy of hackers today. According to Mitnick, “Social engineering is using deception, manipulation, and influence to convince a human who has access to a computer system to do something, like click on an attachment in an email.”6

That same approach continues to be a primary hacking strategy and can be extremely effective given the ubiquity of email use in modern institutions.

IS departments are primarily responsible for working to ensure that cyberattacks are not successful. One strategy is to use the architecture of hardware and software systems to create layers of security (called “defense in depth”) that complicate the navigation of the system by an attacker and limit the spread of malware. Implementing user policies that can reduce the success of social engineering is another important strategy. Some of the more visible IS strategies for anesthesia professionals are blocking of certain websites or access to personal email while using a network or computer at work. Commercial site-monitoring services monitor websites to identify those that may contain malware and provide vulnerable organizations with the information to block access to those sites from internal networks.

What is the Role of the Anesthesia Professional in Health Care Cybersecurity?

The American Society of Anesthesiologists (ASA) recently formed a cybersecurity task force (CSTF) with the goal of understanding the scope of impact on anesthesia practice by cyberattacks, and collaborating with other organizations to develop recommendations for keeping patients safe. An introductory article on the task force in the ASA Monitor provides background on the scope and scale of potential risks to our patients from cyberattacks.7 Given that we are not trained as information system professionals, is there a role for anesthesia professionals in keeping patients safe from the effects of cyberwarfare?

In response to the U.S. government advisory “Ransomware Activity Targeting the Health Care and Public Health Sector” jointly released by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS) including the FDA,8 the APSF Committee on Technology released guidance that can be adopted by every anesthesia professional to reduce the risk to patients from cyberattacks (Table 1).9 The guidance includes personal strategies like email vigilance and password security as well as departmental strategies. Simulations of downtime events are recommended by the committee and should encompass all of the processes needed to maintain patient care when one or more information systems are not functioning. Consider, for example, a polytrauma patient admitted to the emergency department and found to require urgent transport to the operating room to control bleeding. Will you be able to manage the continuum of complex care required by this patient without computer systems as they move from the ED to the operating room to the ICU? How will the urgency be communicated so that the OR is ready? How will blood bank and laboratory services be coordinated? Will pharmacy supplies be available? How will you know who is on call for a particular service? What computer systems may still function? Are the paper forms adequate to support continued documentation and care processes? The results of these simulations can inform the development of procedures for care in the event of a cyberattack and provide focus for training care providers.

TABLE 1: Cybersecurity Recommendations.

In response to the ongoing threat of cyberattacks on health care institutions, the APSF Committee on Technology recommends that all anesthesia professionals take the following actions.
STRENGTHEN DOWNTIME PROCEDURES
  • Review existing downtime procedures.
  • Engage other perioperative leaders in planning.
  • Inform all providers about how to continue patient care using downtime procedures.
  • If possible, simulate a downtime event.
INCREASE VIGILANCE
  • Manage your email! DO NOT ENTER YOUR SYSTEM PASSWORD OR ID in response to any request by email. Report suspicious emails to IS services
  • Cybersecurity attacks can affect any network-dependent medical device. Be vigilant for unexpected changes in settings or behavior of alarms or function of devices like IV pumps and ventilators.
REVIEW REPORTING
Report medical device and system performance issues ASAP to hospital IS and/or biomedical engineering.

More complete recommendations will be updated as they become available at https://dev2.apsf.org/news-updates/the-apsf-issues-preliminary-guidance-on-cybersecurity-threats-to-u-s-health-care-systems/

Fortunately, government and other agencies are actively working to identify cyberattack risks and reduce or eliminate the impact. The problem continues to grow, despite the vigilance and support of the public and private sectors to address these cybersecurity hazards. Like human viruses, malware, once introduced into cyberspace, persists as an ongoing risk to unprotected computer systems. Cybercriminal enterprises do not seem to be inhibited from victimizing health care systems.8

Given the degree to which health care depends upon computer systems and networked devices, cyberattacks will continue to be a growing patient safety concern. Individual habits managing email and websites while at work can reduce the risk of a successful attack, but, as always, it is prudent to be vigilant for medical device and information systems malfunctions, and maintain backup plans to continue to provide safe care in the event of device and system failures.

 

Julian M. Goldman, MD, is an anesthesiologist at Massachusetts General Hospital; medical director of Biomedical Engineering at Mass General Brigham; director, Medical Device “Plug and Play” Interoperability & Cybersecurity Program (MD PnP); and convener, ISO/TC 121/WG 3 Cybersecurity for anaesthetic and respiratory equipment.

Jeffrey Feldman, MD, MSE, is chair, APSF Committee on Technology and professor of clinical anesthesiology at Children’s Hospital of Philadelphia, Perelman School of Medicine.


The authors have no further conflicts of interest.


References

  1. Ghafur S, Kristensen S, Honeyford K, et al. A retrospective impact analysis of the WannaCry cyberattack on the NHS. npj Digit Med. 2, 98 (2019). https://doi.org/10.1038/s41746-019-0161-6. Accessed December 21, 2020.
  2. 2020 Healthcare Cybersecurity Report, https://www.herjavecgroup.com/wp-content/uploads/2019/12/healthcare-cybersecurity-report-2020.pdf. Accessed December 21, 2020.
  3. Bizga A. Mysterious cyberattack cripples Czech hospital amid COVID-19 outbreak, https://hotforsecurity.bitdefender.com/blog/mysterious-cyberattack-cripples-czech-hospital-amid-covid-19-outbreak-22566.html Accessed November 18, 2020.
  4. Perlroth, N. Officials warn of cyberattacks on hospitals as virus cases spike. New York Times. Oct. 28, 2020. https://www.nytimes.com/2020/10/28/us/hospitals-cyberattacks-coronavirus.html Accessed November 26, 2020.
  5. Barry E, Perlroth N. Patients of a Vermont hospital are left ‘in the dark’ after a cyberattack. New York Times. November 25, 2020. https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html? Accessed November 26, 2020.
  6. Mitnick K. Ghost in the wires—my adventures as the world’s most wanted hacker. Little, Brown and Co. New York, 2011.
  7. Goldman JM, Minzter B, Ortiz J, et al. Formation of an ASA Cybersecurity Task Force (CSTF) to protect patient safety. ASA Monitor. September 2020;84:34. https://doi.org/10.1097/01.ASM.0000716908.49348.5a Accessed December 10, 2020.
  8. CISA Alert (AA20-302A), October 28, 2020, https://us-cert.cisa.gov/ncas/alerts/aa20-302a Accessed December 10, 2020.
  9. The APSF issues preliminary guidance on cybersecurity threats to U.S. health care systems. APSF Newsletter online. November 2, 2020. https://dev2.apsf.org/news-updates/the-apsf-issues-preliminary-guidance-on-cybersecurity-threats-to-u-s-health-care-systems/ Accessed November 10, 2020.