HIMSS 2022: Why cyberattacks pose such a threat to patient safety

Healthcare systems must see guarding against breeches as an essential part of keeping patients safe, a doctor and top cybersecurity expert explained at the HIMSS conference.

Orlando, Florida - Christian Dameff says he’d like to see more candid discussions about how cyberattacks threaten patient safety.

Dameff, an emergency physician and assistant professor of emergency medicine at the University of California San Diego, talked about the risks Monday at a session of the HIMSS Global Health Conference & Exhibition. Cyber attacks pose serious threats to healthcare systems and their ability to treat patients, he said.

If doctors can’t access electronic health records, for example, they won’t be able to determine if patients are allergic to certain medications.

Ideally, Dameff, who has studied cybersecurity extensively, said he’d like to have post-event reviews of the impact of cyber attacks on patient safety, similar to the way hospitals will review a patient’s death to go over treatments and identify areas for improvement.

A review of a cybersecurity breach poses thorny practical and legal questions, Dameff acknowledged. Nonetheless, institutions are losing out on the value of gaining lessons of a cyberattack’s impact on patients, including learning from mistakes, he said.

“I wish we would talk about our failures,” he said.

In the HIMSS annual cybersecurity survey released in January, roughly 1 in 5 healthcare systems officials reported disruptions of services that affected clinical care.

Federal authorities have warned healthcare organizations must be on high alert in the wake of Russia’s invasion of Ukraine.

In February, the U.S. Department of Health and Human Services issued an advisory reminding that electronic medical records could be vulnerable to hacking. If criminals gained access to medical records, they could conceivably get patients' names, Social Security numbers, photos, fingerprints and other private information.

Federal authorities this year also warned about the Lockbit cybergang which offers ransomware as a service. The authorities said the group typically doesn’t target hospitals but nonetheless warned that ransomware is a major threat to the healthcare industry.

Dameff said he’s concerned about the prospect of cyberattacks stemming from Russian’s invasion of Ukraine.

The American Hospital Association has said it’s concerned that Russian-backed cyber attackers may target hospitals and health systems directly. Hospitals could also become collateral damage if Russia launches cyberattacks aimed at Ukraine and subsequently  breach U.S. healthcare systems, even inadvertently.

Cyberattacks aimed at healthcare have gained more public attention recently. Hundreds of healthcare breaches were reported in 2021. Experts have projected 2022 could be worse.

As more hospitals are consolidated, there are greater risks of ripple effects from cyber attacks, Dameff said. If there’s a breach at one hospital in a healthcare system, “It’s not just one hospital going down, it’s five or six,” he said.

If a hospital has to delay procedures or postpone services due to a breach or ransomware, patients could end up going to other hospitals, Dameff said. In a short amount of time, a ransomware attack at one hospital could cause regional disruptions, he said.

Sam Fawaz, a solutions architect at Veeam, a software firm, participated on the panel and said healthcare organizations must make protecting their networks the highest priority. As threats continue to grow, healthcare systems need to evolve.

Fawaz also talked about the need to make network security safeguards as easy as possible for healthcare professionals to use.

“Tech is not the focus of most medical practitioners,” he said.

Dameff said he’s worried cybergangs, some of which say they don’t intend to target healthcare systems, may eventually change their minds. If some cybergangs decide to attack hospitals, they could do a lot of damage, he said.

“We’re just not where we need to be from an infrastructure security standpoint,” he said.