The consequences of the health care industry doing nothing more to combat cyberattacks could be life or death for many affected patients, according to medical cybersecurity experts testifying before the House Energy and Commerce Committee on Tuesday.
“I think one of the big problems would be in the manipulation of data,” said Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC), explaining that attackers could change random patient records and demand a ransom to reveal which records are changed. In the meantime, those changes could result in patients receiving the wrong treatment, being given medication that they are allergic to, or being improperly diagnosed. “That actually could have a huge impact on patient care and safety.”
“That also would further break down trust and potentially the adoption of new technology,” added Terry Rice, vice president of IT risk management and chief information security officer at Merck.
Rice added that the number of cyberattacks against the health care industry actually reported today is likely only the tip of the iceberg.
“Unfortunately, I believe these instances underrepresent the risk we are facing in the industry,” said Rice. “First, the total number of cybersecurity incidents is significantly underreported due to current disclosure laws. No. 2, electronic evidence gathered through normal security monitoring suggests there are a lot more breaches and incidents than what is currently reported.”
According to Anderson, a critical problem in securing health information is that the industry is full of small businesses that can’t keep up with the practices needed to secure their patients’ data.
“The health care industry consists of many small to midsized businesses that lack the capital and personnel to deal with all but the most basic cybersecurity issues,” agreed Rice.
According to the witnesses, participating in information sharing organizations such as NH-ISAC can fill in the gaps for these small businesses.
“I do believe Congress has a role in helping to foster these sharing communities,” said Rice.
“One person’s defense is everybody else’s offense,” said Anderson, adding that participation in information sharing efforts should be voluntary, rather than mandated by the government. “When you share because you want to share, that’s different than when you have to share.”
Rice also praised the NIST Cybersecurity Framework as a resource for health care organizations to measure themselves against. It has a 60 percent adoption rate within the industry.
“The NIST Cybersecurity Framework tells you what you should do. If we could develop guidelines, particularly for those smaller entities, that are tailored to the health care-specific area, I think that would go a long way,” said Rice.
According to Michael McNeil, global product security and services officer at Royal Philips, medical device manufacturers should be looped into conversations about security to ensure that it is incorporated into every stage of manufacturing.
“Medical device manufacturers must address cybersecurity throughout the product life cycle. One of the very first areas that a medical device manufacturer needs to maintain and be the mantra that they think about is patient safety,” said McNeil. “The earlier in the process that we can bring them to the table, the better it’s going to be for all of us.”