Michael Chertoff shared his concerns surrounding patient data and hospital operations at South by Southwest.
During his time as secretary of the US Department of Homeland Security, Michael Chertoff became familiar with the dangers facing the country. Increasingly, that threat list has grown to include various forms of cyberattacks, and in few other areas can they cause more harm than in healthcare.
Chertoff singled out 4 types of cyberattacks that are most concerning to him during South by Southwest in Austin, Texas. Hackers have already employed some of these tactics and hit some of these targets. In other cases, white-hat investigators have exposed glaring vulnerabilities. But the common thread in all of these scenarios is that they would burn healthcare especially hard, making the security expert’s list a call to action for hospitals and health systems everywhere.
The first concern on Chertoff’s list is the exposure of patient data. Criminal hackers may steal protected health information for the sake of embarrassing patients, he said, but the threat extends further.
“Even the data that you generate and supply willingly can be misused or can be used in a way you haven’t thought about,” he said. Indeed, in some data breaches, healthcare organization employees have accessed patient data without proper authorization or for unsavory ends. Any number of high-tech start-ups have launched claiming to use tools like artificial intelligence to prevent such violations.
On the same note, Chertoff called for all healthcare stakeholders to consider how patient health data can be aggregated and used. How, for example, are health insurers storing data? And what other kinds of customer data might they like to get their hands on?
Second, the corruption of data could prove a major problem for healthcare. Criminals may alter electronic medical records or destroy them altogether, Chertoff said.
The third fear on his list gets at the heart of medicine. “We worry about the healthcare system itself being interfered with or shut down,” Chertoff said. That’s exactly what happened last year when the WannaCry ransomware virus battered the United Kingdom’s National Health Service, tearing through 81 hospitals and canceling thousands of medical appointments. An attack on Allscripts earlier this year caused chaos for 1500 provider clients of the electronic health records vendor.
Finally, describing perhaps the most dramatic but still very real threat, Chertoff sounded the alarm of a cyberattack interfering with a medical device embedded in a patient’s body. Although this has yet to occur, at least on a large scale, the factors that make this sort of hack possible came to light last year when a digital vulnerability forced a software update of Abbott pacemakers.
“As we get into the so-called Internet of Things, where everything is wireless and connected, the attack on something in your body … is going to become more of a concern,” Chertoff said.
Pacemaker Incident Provides Important Lessons for Future Device Security Updates
What Keeps Healthcare Cybersecurity Innovators Up at Night