With all of the advantages that come from electronic health records and connected devices, some distinct security risks also exist. Healthcare is seeing these risks grow in the form of ransomware, phishing attacks, and cybersecurity breaches. Healthcare has become one of the industries most vulnerable to cyberattacks, and one with the most to lose. As one of the highest-technology hospital departments, perioperative services has a significant stake in maintaining cybersecurity, and with it, patient safety.
A new study by cybersecurity company Censinet reveals a link between cyberattacks and increased patient death rates. Surveys were collected from 600 healthcare organizations across the US, and over 40% reported cyberattacks in the past 2 years. Of that pool, 70% reported longer hospital stays and delayed tests and procedures; 36% saw more complications from medical procedures; and 22% reported increased death rates.
In 2020, an important cybersecurity milestone passed: the first recognized cyberattack-related death in healthcare. On September 10, 2020, Dusseldorf University Hospital was dealing with the fallout from a ransomware attack that disabled more than 30 internal servers. Because of this outage, a female patient in need of emergency care was re-routed to a hospital almost 20 miles away. Due to the associated delays in care, the patient died, with the German press attributing her death directly to the ransomware attack.
More cases are surfacing, as an ongoing investigation in Alabama attributes an infant death to a ransomware attack in 2019. Springhill Medical Center in Alabama experienced a cyberattack that resulted in computer systems being disabled for eight days, during which time medical records—including prenatal data—were inaccessible. A wireless tracker system used to locate medical staff was out of order, and fetal tracing information was unavailable. The investigation is finding that fewer healthcare providers were available to monitor the patient’s labor and delivery, and important layers of safety were compromised.
The infant at Springhill was born with the cord tightly wrapped around her neck and with severe brain damage. She passed away nine months later. A key finding in the case so far is that Springhill failed to notify the mother about the cyberattack and outages. She now states that if she had known, she would have gone to a different facility to deliver.
These cases place new emphasis on the responsibilities of hospitals to maintain cybersecurity, risk management, and response plans to protect patient safety.
Comparitech, a technology research organization, released its 2020 report, revealing that attacks on US healthcare organizations cost $20.8 billion. This figure included 18 million patient records and encompassed 92 individual ransomware attacks that affected over 600 clinics, hospitals, and organizations. Ransomware payment amounts varied from $300,000 to $1.14 million.
Ransom payments are not the only costs hospitals incur from cyberattacks. Downtime from a cyberattack may last from hours to even weeks and is costly in different ways—including cancelled procedures, delayed care, and increased staffing needs. Basic daily tasks can take much longer without the technology tools on which clinicians rely. A 2017 study by AC Group estimated that the average cost per minute of organizational downtime is $8,662.
Over the past several years, the Internet of Things (IoT), or connected devices, has exploded and become quite common. Items like watches, locks, cameras, and even refrigerators are now online. This trend is in healthcare as well, with systems such as pharmacy refrigerators, medication dispensing systems, patient monitoring devices, and implanted insulin pumps and cardiac pacemakers. The more high-tech healthcare becomes, the higher the cyberrisk associated with that technology.
Cyberthreats in the medical community have previously been associated with hacks directly on main systems, which these days are fairly well-protected. According to IoT Techtrends, it is easier for cybercriminals to bring a hospital down by attacking other items in the patient care ecosystem, including security cameras, lighting, vacuum tube systems, and cardiac monitors. Even disabling the elevator systems in a large hospital can wreak havoc that affects patient care.
Internet of Medical Things (IoMT) devices present a vulnerable gateway into larger connected systems. With the number of connected devices increasing each year, the risk grows. COVID-19 has contributed to the growth of the connected device market due to the higher usage of telehealth and remote patient monitoring devices (see OR Manager’s October 2021 issue). Deloitte predicts that the connected medical device market will grow from $14.9 billion in 2017 to $52.2 billion in 2022—a 350% increase.
The OR is home to a substantial proportion of a hospital’s connected systems and devices. It is up to OR leaders, the C-suite, the IT team, and important vendors to manage the risk in a collaborative manner. Leaders and clinicians who have direct impact on the type and number of devices and attached workflows need to be involved. Consider the following statistics:
• The average hospital room contains around 15-20 connected medical devices.
• The number of IoMT devices in a hospital can be double the number of laptops and smartphones.
• Medical devices have an average of 6.2 vulnerabilities each.
• Sixty percent of medical devices are at end-of-life. This means no patches or upgrades are available.
• Some medical devices in use by hospitals have a lifespan of 20 years or more. This makes them prime hacker targets because of older technology.
• As of 2020, more than 25% of cyberattacks in healthcare delivery organizations involve IoMT.
The best cybersecurity measures are proactive ones. At the 2021 OR Business Management Conference, Debra Bruemmer, BS, MBA, CISSP, senior manager, Office of Information Security, Mayo Clinic, gave an insightful presentation on cybersecurity resilience.
Bruemmer explained the importance of establishing a set of minimum acceptable security requirements for medical devices, and then measuring each device against that bar. OR managers routinely have an active role in equipment procurement for their departments by making recommendations and advocating for capital purchases.
It is important that perioperative leaders learn to assess medical equipment against cybersecurity expectations set by the organization, and to ask the right questions when evaluating new equipment purchases. Cybersecurity evaluation should be embedded within the purchasing processes for the organization. Some of those questions should be:
• What is the expected lifespan of the device, and can it be secured over that entire lifespan? (For example, Windows 10 reaches end-of-life, the point at which support for the operating system is slated to end, in 2025; a device built on it and expected to stay in service longer cannot be kept patched for its whole lifespan.)
• Does the device allow remote connectivity? (Devices like pacemakers that allow manufacturers to download information and change settings can be more vulnerable to hackers.)
• Does the manufacturer readily share cybersecurity data and testing?
• Does the device receive routine patches (updates)?
• Does it have hardcoded passwords that can be exploited?
Other questions should be guided by your individual organization’s expectations.
It might seem like cybercriminals would seek to strike big targets such as large healthcare organizations or multispecialty health systems. Reports, however, show different trends.
According to the largest study so far of hospital data breaches, published in AJMC (table, “Indices of US hospitals with data breaches”), small and medium-sized hospitals, which typically have a smaller cybersecurity budget and fewer safeguards, see more attacks. Hackers know this, which puts community hospitals and smaller organizations at higher risk. Targets also seem to be more concentrated in the Midwest and South regions of the country, rather than the more populated coastal areas.
One such small hospital in the Midwest is Citizens Memorial Hospital (CMH), Bolivar, Missouri. Although the hospital size is small, the CMH system covers several counties and a full range of outpatient and long-term care services. CMH is known for being an early adopter of electronic health records and has attained the prestigious Healthcare Information and Management Systems Society Stage 7 for systems maturity.
Sarah Hanak, MSN, RN, SCRN, chief nursing officer of CMH, is a proponent of nurse leader education and empowerment, supervising successful leaders of nursing services in the OR, ICU, ED, and ASC, among others. In a discussion about cybersecurity, she was surprised to learn of the accelerated risk for small hospitals like CMH, specifically through IoMT devices. Hanak’s thoughts immediately went to the role that nurse leaders could play in this dilemma.
“When nurse managers look at new equipment, their primary concern is how to use it, how to train people, and how to write the policy. We tend to leave the IT stuff to others,” she says. “As the potential for patient harm grows, nurse leaders definitely need to have the competency to sit at the table on these issues and be part of a collaborative effort.”
While the Food and Drug Administration (FDA) is tasked with patient safety, including cybersecurity vulnerabilities from medical devices, the truth is the FDA does not test all medical devices for vulnerabilities. It is the manufacturer’s responsibility to do so.
Much work has been done to develop consistent standards for device manufacturers, and in 2020, the International Medical Device Regulators Forum published a detailed manual titled “Principles and Practices for Medical Device Cybersecurity.” The document recognizes that cybersecurity is the responsibility of many stakeholders—including hospitals.
The Centers for Medicare and Medicaid Services (CMS) and its accreditation organizations do not yet include requirements for networked device cybersecurity. The Office of Inspector General put forth a new recommendation in June 2021 for CMS to address this gap and present a plan for including cybersecurity in its quality oversight of hospitals.
In October 2021, The Joint Commission issued the “Organization-wide cybersecurity: Creating a culture of defense” report, in which it encourages the “human firewall” concept. The report also lists several actions that leadership can take to prepare for and prevent cybersecurity events (sidebar, The Joint Commission’s “Quick Safety”).
It is critical for hospitals to be ready for IoMT cybersecurity challenges in order to protect patient safety and finances, and to meet future accreditation standards.
Where can perioperative leaders begin when trying to facilitate greater patient safety through cybersecurity measures? The following tips are gleaned from several sources, including Bruemmer’s presentation at the OR Business Management Conference in September 2021:
• Start with an assessment and list of all programs and connected devices;
• Assess each one on a standardized risk scale—there are many of them readily available;
• Collaboratively decide what the organization’s minimum standards are;
• Decide how to intelligently monitor those devices that do not meet the agreed-on minimum standards;
• Integrate cybersecurity risk measurements into procurement processes;
• Re-evaluate over time, because device security can “drift” as the device ages and vendor support declines;
• Establish monthly standardized reporting and accountability within your organization.
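The procurement questions and the seven steps above can be turned into a repeatable check. The following script is an added example, not code from the article or from any of the organizations it cites: it holds a constructed inventory of four OR-area devices, scores each against an assumed minimum standard (no hardcoded credentials, a working patch channel, vendor support lasting the device's planned lifespan, a patch applied within 180 days), separates hard failures from risk factors that merely warrant monitoring, and produces the kind of monthly summary the last step calls for. Running the same inventory with a later "as of" date shows the drift effect, because a device whose support window has closed picks up new findings without anything else changing. All field names, point values, thresholds and dates are assumptions for illustration.

```python
"""Added example: score an IoMT inventory against minimum security standards.

Not from the article. Field names, point values, thresholds and the sample
inventory are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    """One row of the connected-device inventory (fields are assumed)."""
    name: str
    location: str
    expected_retirement: date          # how long the hospital plans to keep it
    os_support_ends: Optional[date]    # vendor/OS support end; None = unknown
    remote_access: bool                # can the manufacturer reach it remotely?
    vendor_shares_security_data: bool  # does the vendor publish security testing?
    receives_patches: bool             # is a patch/update channel in place?
    hardcoded_credentials: bool        # fixed passwords that cannot be changed
    last_patched: Optional[date]


# Agreed minimum standard (constructed value): a patch within the last 180 days.
MAX_DAYS_SINCE_PATCH = 180

# Finding code -> (severity, points). "fail" means the device does not meet the
# minimum standard; "watch" is a risk factor that raises the score but is tolerated.
FINDINGS = {
    "HARDCODED_CREDS": ("fail", 4),
    "NO_PATCH_CHANNEL": ("fail", 3),
    "UNSUPPORTED_OVER_LIFESPAN": ("fail", 3),
    "PAST_END_OF_LIFE": ("fail", 3),
    "PATCH_OVERDUE": ("fail", 3),
    "REMOTE_ACCESS": ("watch", 1),
    "NO_VENDOR_SECURITY_DATA": ("watch", 1),
}


def assess(device: Device, today: date) -> Dict:
    """Measure one device against the standard as of `today`."""
    codes: List[str] = []
    if device.hardcoded_credentials:
        codes.append("HARDCODED_CREDS")
    if not device.receives_patches:
        codes.append("NO_PATCH_CHANNEL")
    # Support must cover the planned service life, otherwise it cannot be secured throughout.
    if device.os_support_ends is None or device.os_support_ends < device.expected_retirement:
        codes.append("UNSUPPORTED_OVER_LIFESPAN")
    # Drift: a device that was fine at purchase fails once its support window closes.
    if device.os_support_ends is not None and device.os_support_ends < today:
        codes.append("PAST_END_OF_LIFE")
    if device.receives_patches and (
        device.last_patched is None or (today - device.last_patched).days > MAX_DAYS_SINCE_PATCH
    ):
        codes.append("PATCH_OVERDUE")
    if device.remote_access:
        codes.append("REMOTE_ACCESS")
    if not device.vendor_shares_security_data:
        codes.append("NO_VENDOR_SECURITY_DATA")
    score = sum(FINDINGS[c][1] for c in codes)
    risk = "high" if score >= 8 else "medium" if score >= 3 else "low"
    meets = all(FINDINGS[c][0] != "fail" for c in codes)
    return {"name": device.name, "location": device.location, "findings": codes,
            "score": score, "risk": risk, "meets_standard": meets}


def monthly_report(devices: List[Device], today: date) -> Dict:
    """Summarise the inventory: counts by risk level and the devices that need monitoring."""
    results = [assess(d, today) for d in devices]
    failing = sorted((r for r in results if not r["meets_standard"]),
                     key=lambda r: (-r["score"], r["name"]))
    by_risk = {"high": 0, "medium": 0, "low": 0}
    for r in results:
        by_risk[r["risk"]] += 1
    return {"as_of": today.isoformat(), "total": len(results),
            "meets_standard": sum(r["meets_standard"] for r in results),
            "needs_monitoring": [r["name"] for r in failing],
            "by_risk": by_risk, "results": results}


# Constructed inventory. Positional order matches the Device fields above.
INVENTORY = [
    Device("Anesthesia workstation A", "OR 1", date(2029, 1, 1), date(2025, 10, 14), False, True, True, False, date(2021, 9, 15)),
    Device("Patient monitor B", "OR 2", date(2026, 6, 1), date(2027, 1, 1), True, True, True, False, date(2021, 10, 5)),
    Device("Infusion pump C", "PACU", date(2030, 1, 1), date(2019, 1, 1), True, False, False, True, None),
    Device("Pharmacy refrigerator D", "OR pharmacy", date(2025, 1, 1), date(2026, 1, 1), False, True, True, False, date(2021, 3, 1)),
]


def main() -> None:
    for as_of in (date(2021, 11, 1), date(2026, 1, 1)):  # second run shows drift
        report = monthly_report(INVENTORY, as_of)
        print(f"As of {report['as_of']}: {report['meets_standard']}/{report['total']} meet standard; risk {report['by_risk']}")
        for r in report["results"]:
            print(f"  {r['name']:<26} {r['risk']:<6} score={r['score']:<2} {', '.join(r['findings']) or 'no findings'}")


if __name__ == "__main__":
    main()
```

The split between "fail" and "watch" findings mirrors the distinction in the list above: a device that fails the minimum standard goes on the monitoring list, while a tolerated risk factor such as remote connectivity only raises its score and reporting priority. Feeding the report a later date is the cheap way to see which devices will drift out of compliance before they actually do.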
These steps will not happen overnight, and one person alone will not successfully put them in place. But every step taken by leadership to make their facilities more secure is a step in the right direction. Collaborative work on cybersecurity is a step towards making patients safer in your care.
—Karen Stockdale, MBA, BSN, RN
Bischoff P. Ransomware Attacks on US Healthcare Organizations Cost $20.8Bn in 2020. Updated March 10, 2021. Comparitech. https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/#How_much_did_these_ransomware_attacks_cost_healthcare_organizations_in_2020.
Bruemmer D. Mayo Clinic cybersecurity resilience program. OR Business Management Conference. 2021. https://www.orbusinessmanagementconference.com/speakers/.
Ponemon Institute. The impact of ransomware on healthcare during COVID-19 and beyond. September 2021. https://www.censinet.com/ponemon-report-covid-impact-ransomware/.
Cimpanu C. First death reported following a ransomware attack on a German hospital. ZDNet. September 17, 2020. https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/.
Deloitte Centre for Health Solutions. Medtech and the Internet of Medical Things. July 2018. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Life-Sciences-Health-Care/gx-lshc-medtech-iomt-brochure.pdf.
Dontov D. What businesses are the most vulnerable to cyberattacks? Forbes. January 19, 2021. https://www.forbes.com/sites/theyec/2021/01/19/what-businesses-are-the-most-vulnerable-to-cyberattacks/?sh=20fd9fc13534.
Goar E. The price of EHR downtime. For the Record Magazine. 2017. https://www.fortherecordmag.com/archives/1117p24.shtml.
Hufstader M G, Noblin A, Rutherford A, et al. Data breach locations, types, and associated characteristics among US hospitals. AJMC. February 2018. https://ajmc.s3.amazonaws.com/_media/_pdf/AJMC_02_2018_Gabriel%20final.pdf.
Lawrence C. Internet of medical things (IoMT) and cybersecurity woes. IoT Tech Trends. 2021. https://www.iottechtrends.com/internet-of-medical-things-cybersecurity-woes/.
McKeon J. Lawsuit links baby death to AL Healthcare ransomware attack. Cybersecurity News. October 1, 2021. https://healthitsecurity.com/news/lawsuit-links-baby-death-to-al-healthcare-ransomware-attack.
Medical Device Cybersecurity Working Group. Principles and practices for medical device cybersecurity. International Medical Device Regulators Forum. March 18, 2020. http://www.imdrf.org/docs/imdrf/final/technical/imdrf-tech-200318-pp-mdc-n60.pdf.
Morgan S. Patient insecurity: Explosion of the internet of medical things. Cybercrime Magazine. February 19, 2019. https://cybersecurityventures.com/patient-insecurity-explosion-of-the-internet-of-medical-things/.
Office of Inspector General. Medicare lacks consistent oversight of cybersecurity for networked medical devices in hospitals. US Department of Health and Human Services. June 21, 2021. https://oig.hhs.gov/oei/reports/OEI-01-20-00220.asp.