Without regulatory pressure to enforce a federal health care cybersecurity task force’s recommendations, involved experts acknowledge, industry progress will remain slow.
Special Report: Medical security
In the early hours of June 27, 2017, the destructive malware NotPetya struck businesses first in Ukraine and then across the globe. It took down international shipping conglomerates, power grids, financial institutions, and hospitals. But doctors at a New England health care organization that includes a Level 1 trauma facility didn’t know that.
All the doctors knew was that their system for recording patient diagnoses, filing notes, and filling lab requests—powered by voice and language software maker Nuance Communications—wasn’t working.
“In the first couple hours, we had several babies who were having cardiac ultrasounds in order to clear them for surgery,” says a technician at the New England organization, who requested anonymity out of fear of losing their job. “They were supposed to be transported to Boston for surgery. But the doctors couldn’t access the audio files or transcripts of their notes.”
Nuance, maker of the Dragon Medical dictation software in use by more than 500,000 clinicians, had been rendered inoperable by NotPetya. And because of the tight integration of modern medicine and computers, fueled by drives in the United States, the United Kingdom, and elsewhere to replace paper patient records with electronic health records, one system failure led to another. When doctors couldn’t use Nuance, they also couldn’t access their notes, nor file referral requests for their patients to be seen by other doctors.
“Nuance was unable to access the recordings because they were encrypted. Eventually, we sent them to a secondary company we contracted with,” the hospital technician explained, and the tiny patients at the hospital received approval to be transported to Boston. But while the organization debated whether to keep using Nuance or ditch the service for a different vendor (it restored Nuance service to clinicians in November), its transcription problem was left unresolved.
Welcome to the complicated world of medicine and cybersecurity, an industry expected to exceed $65 billion within the next five years. Cybersecurity in modern medicine continues to deteriorate as existing systems age, newer unsecured systems and devices are added to networks, and hospitals and doctors struggle to stay ahead of risks that can lead to harm of the very patients who seek their help.
The Parallax this week is looking at modern medicine’s cybersecurity challenges. In our main story for this special report today, we examine the different cyberthreats health care organizations face, and why it’s been so hard for health care organizations, medical-device makers, service providers, regulators, and clinicians to keep patient interests at the heart of improving their cybersecurity. Graphic designer Pinguino Kolb and I also present an interactive timeline of ransomware attacks against hospitals and patient care clinics since 2016.
On Wednesday, contributing writer Kristin Burnham explores how to recover from a health care data breach.
On Thursday, contributing writer Rob Pegoraro details how vulnerabilities in Internet-connected medical devices can weaken a hospital’s network, and I interview Twila Brase, author of Big Brother in the Exam Room and founder of patient advocacy group Citizens Council for Health Freedom, who believes that electronic health records are hurting patients (and doctors) more than helping them.
Thursday night, The Parallax is co-hosting the first Context Conversations in San Francisco, where I’ll moderate an on-stage health care discussion between Sutter Health’s chief privacy and information security officer, Jacki Monson, and PTC’s chief security officer, Josh Corman. (You can watch the livestream of the event above.)
On Friday, Stephanie Domas, vice president of research and development at medical-device cybersecurity consultancy MedSec, explains in a column why she thinks that health care providers and insurers need a new billing code for medical-device software patches.
And is the U.S. government doing enough? Our Context Conversations event focused heavily on whether Health and Human Services is responding fast enough to a massive 2017 report on medical cybersecurity.
Thank you for reading, and thank you to Kristin, Rob, Stephanie, and Pinguino for contributing to our latest special report. We welcome direct feedback via social media. You can also reach me at email@example.com.
Editor, The Parallax