We all worry about records disclosure, theft and extortion, and disruption of mission-critical services as the outcomes we'd like to avoid. As a veteran of public sector operations, my personal focus has been on those services owned and operated by state and local government, as well as other local-scale infrastructure we colloquially call the “Big Squishy Middle” (BSM). Briefly, those are the organizations that provide services that are critical to our economy, quality of life, and even life-safety - yet are not recognized by the established avenues of assistance that are being provided to the "critical sectors" (oddly and indefensibly defined as being primarily private-sector). Stated another way, the Department of Homeland Security considers Comcast, AT&T, et al. as the communication sector, and works with them extensively. 9-1-1 is the communication sector we care about, and type of infrastructure is what CI was established to address.
As the company has progressed and expanded into other markets, it's become clear just how vulnerable the intersection of health care and IT security really is. This is not about HIPAA - human services departments in local governments maintain plenty of health records and (in many cases) need to comply with the statute. The records are valuable and in demand by criminals. It's about continuity of operations, and what the potential impact of disruption would be - loss of life.
Call center operations have been shut down by telephone denial of service. An entire hospital system in the UK was shut down by ransomware - a problem that is only projected to escalate. And now medical devices have been shown to have been developed with the same (lack of) care as web-connected toys.
At a time when national health care is the subject of debate (a term I'm using quite loosely here) and regulations are being viewed at the federal level as something to get rid of, I think we’re setting ourselves up for quite a landmine.
Back to the BSM.
Just as local governments do not have the resources to compete for professional practitioners to secure, monitor, and respond to incidents in their operations, neither do regional hospitals, clinics, mid-market pharma and other medical research companies. That makes them exceedingly low-hanging fruit for Cyber criminals. The situation is exacerbated in parts of the country outside of the metropolises where there are no practitioners to speak of and a perception that those communities are just too small to be targeted.
Setting criminal intent aside – if a hacker wanted to cause terror, foment dissatisfaction with government, and get people into the streets, regional health entities are highly leverage-able. None of the ransomware activity has escaped the notice of our terrorist adversaries, and they will be looking for the simplest, most cost-effective way to create that terror.
I believe Critical Informatics is in the right business, with the right focus. I hope we have enough time.
Stay informed on all the threats and advances in healthcare cyber security by signing up for our Weekly Healthcare IT Security Blast.