Cybersecurity in Healthcare: A Critical Priority for Physicians


AMA News Wire

On cybersecurity, physicians must always be on their toes

Nov 20, 2024

The Change Healthcare cyberattack earlier this year starkly revealed the vulnerabilities associated with the heavy concentration and centralization of IT systems within the critically important networks of the U.S. health care system. This incident underscored the urgent need for health care organizations to bolster their cybersecurity measures, as failure to do so could jeopardize not just their operations but also the safety and confidentiality of patient information.

Once primarily a matter of patient privacy, cybersecurity regarding health data has transformed into a crucial patient safety issue. The federal government has now classified health care as part of the nation’s critical infrastructure—alongside essential sectors like water, energy, transportation, and telecommunications—making health care cybersecurity an emerging national security priority as well.

“The Change Healthcare attack serves as a compelling case study illustrating the immediate and far-reaching effects on patients, physicians, hospitals, pharmacies, labs, and a multitude of other healthcare professionals,” stated AMA Executive Vice President and CEO James L. Madara, MD, in a detailed letter addressed to Jen Easterly, director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The letter further articulates why cybersecurity should be regarded as a national priority. It emphasizes that:

  • Cybersecurity fundamentally impacts patient safety.
  • Cyberattacks are both inevitable and on the rise.
  • There is a pressing demand from physicians for tools and resources to aid them in their cybersecurity initiatives.
  • The health care sector increasingly relies on electronic exchanges of health information, intensifying risks to the entire health care ecosystem.

The AMA is advocating for the adoption of technology that genuinely benefits physicians, emphasizing usability and reducing the burden on doctors, particularly in areas like AI implementation and electronic health record (EHR) systems.

Cyberattacks are occurring daily

The U.S. Department of Health and Human Services (HHS) reports an alarming trend, indicating that health care organizations are experiencing an average of two data breaches or ransomware attacks every single day. This relentless assault exposes approximately 150 million patient records and incurs costs that can reach into the hundreds of millions of dollars for recovery efforts, ransom payments, and other related expenses. “We must remain vigilant and prepared,” asserted Greg Garcia, executive director of the Health Sector Coordinating Council’s cybersecurity working group in Washington.

Operating under the auspices of the Cybersecurity and Infrastructure Security Agency—the branch of the U.S. Department of Homeland Security dedicated to this issue—the council’s mission focuses on identifying both cyber and physical vulnerabilities that threaten the security and resilience of the healthcare sector. Their efforts include developing strategic guidance for mitigating these risks and cooperating with government entities to enhance threat preparedness and incident response capabilities.

“We have to constantly be on our toes,” Garcia emphasized during an AMA Insight Network webinar on safeguarding patients and physician practices from the escalating threats posed by cybercrime; the webinar is available for free with registration. The discussion was moderated by AMA Board of Trustees Chair Michael Suk, MD, JD, MPH, MBA, who is not only an orthopaedic surgeon but also chairs the Musculoskeletal Institute at the Geisinger integrated health system, a notable entity in rural Pennsylvania. Geisinger is a participant in the AMA Health System Program, which equips healthcare leadership, physicians, and care teams with essential resources to effectively navigate the evolving landscape of medicine.

The AMA Health System Program members gain access to the AMA Insight Network’s Quality, Safety and Equity community, a dynamic virtual forum that fosters collaboration and innovation among leaders nationwide as they address health care disparities within their communities.

Solutions may be elusive

Experts caution that anyone seeking a “magic bullet” solution to permanently eradicate the threat of cyberattacks will be engaged in a futile pursuit. Christian Dameff, MD, an emergency physician and assistant professor at the University of California in San Diego, pointedly remarked, “If you believe that cybersecurity issues can be effectively solved, you are sorely mistaken.”

Dr. Dameff articulated that cybersecurity is a perpetual concern that healthcare organizations must reckon with, emphasizing the importance of mitigation strategies rather than looking for definitive solutions. “We must learn to coexist with these challenges and limit their impact on patient care,” he advised, noting that effective mitigation efforts could diminish the incentive for ransom payments, thereby potentially diverting the attention of cybercriminals from health care targets.

Garcia highlighted Dr. Dameff’s involvement in a significant JAMA Network Open study, which examined the surge in emergency department volumes and ambulance arrivals at two San Diego hospitals following a ransomware attack that forced the closure of four other hospitals belonging to a different health system. “This paints a very clear picture of the direct consequences that cyber incidents have on patient safety,” Garcia remarked.

“Cybersecurity is a collective responsibility—it encompasses front-line clinicians, as they interact with sensitive data, innovative technologies, and, ultimately, patients,” he stated. This intersection of factors creates inherent vulnerabilities in an increasingly digital healthcare landscape.

Looking ahead, Garcia cautioned that the healthcare sector may face heightened federal cybersecurity requirements. “While we won’t delve into the specifics just yet, certain controls will soon become mandatory,” he noted.

“In the event of a data breach, organizations that can demonstrate to HHS that they have implemented generally recognized cybersecurity controls over the past year will be in a better position. If you can show that you made every effort to secure your systems and yet were still compromised, HHS is likely to take a more lenient stance,” Garcia added.

Learn more about cybersecurity

The AMA offers a variety of cybersecurity resources specifically designed for physicians. Among these is a practical checklist intended to safeguard computers utilized within medical practices. Additionally, the AMA has developed an insightful resource titled “Cybersecurity in Medical Practice,” which is an eight-episode course available through the AMA Ed Hub™. This course has been designated by the AMA for a maximum of 2 AMA PRA Category 1 Credit™.

The program elucidates how cyberattacks transpire, their subsequent effects and repercussions, as well as straightforward measures to protect against them. The AMA Ed Hub serves as a comprehensive online educational platform, aggregating high-quality continuing medical education (CME), maintenance of certification, and educational resources from trusted entities, complete with automated credit tracking and reporting for specific states and specialty boards.

### Interview with Dr. Christian Dameff on Cybersecurity in Healthcare


**Interviewer**: Thank you for joining us today, Dr. Dameff. Given the recent surge in cyberattacks on healthcare institutions, can you elaborate on your perspective regarding the idea of finding a “magic bullet” solution to cybersecurity in healthcare?

**Dr. Dameff**: Thank you for having me. It’s important to understand that seeking a definitive solution to eradicate cybersecurity risks is not only unrealistic but quite dangerous. Cybersecurity in healthcare is a continuous battle, and organizations must adopt a mindset of mitigation rather than absolute solutions.

**Interviewer**: Can you explain what you mean by “mitigation strategies” and how they can help healthcare organizations?

**Dr. Dameff**: Absolutely. Mitigation strategies involve identifying vulnerabilities and addressing them proactively. This includes training staff, implementing robust security protocols, and being prepared to respond to incidents when they occur. By doing this, organizations can limit the potential harm these attacks could cause to patient care and safety.

**Interviewer**: You mentioned the impact of cyber incidents on patient safety. Can you give us an example of how these issues have manifested in real-world scenarios?

**Dr. Dameff**: Certainly. A recent study highlighted a ransomware attack that led to the forced closure of multiple hospitals, which resulted in a significant surge in emergency department visits at others. This clearly illustrates how cyber incidents can disrupt patient care continuity and overall safety.

**Interviewer**: Greg Garcia emphasized that cybersecurity is a collective responsibility. How can front-line clinicians play a role in enhancing cybersecurity measures?

**Dr. Dameff**: Front-line clinicians are at the intersection of technology and patient care. Their involvement is crucial because they often handle sensitive patient data and utilize innovative technologies. By being educated on cybersecurity best practices and recognizing potential threats, they can contribute significantly to the overall security posture of their organizations.

**Interviewer**: As we look to the future, what final thoughts do you have on the evolving landscape of healthcare cybersecurity?

**Dr. Dameff**: The landscape is indeed challenging and requires ongoing vigilance. It’s crucial for healthcare organizations to adapt continuously, adopt new technologies responsibly, and remain engaged in education and community learning around cybersecurity. The consequences of inaction can be dire, not just for operations but most importantly for patient safety.

**Interviewer**: Thank you, Dr. Dameff, for sharing your insights. It’s clear that proactive measures and awareness are essential in this ever-evolving digital landscape.
