Featured topic and speakers
After the Change Healthcare cyberattack earlier this year, cybersecurity has become a central concern for physicians and patients alike. Watch this AMA Advocacy Insights webinar to learn about how to implement appropriate cybersecurity measures to protect your practice as well as your patients against the cybersecurity challenges of today. Also hear about advocacy that is underway to strengthen cybersecurity systems and provide support to physician practices for enhancing their cyber hygiene.
Moderator
- Michael Suk, MD, JD, MPH, MBA, chair, AMA Board of Trustees
Speakers
- Christian Dameff, MD, Department of Emergency Medicine, School of Medicine, University of California, San Diego
- Greg Garcia, executive director for cybersecurity, Health Sector Coordinating Council
Transcript
Dr. Suk: Hello and thank you for joining us today for our latest AMA Advocacy Insights webinar series. I'm Dr. Michael Suk, board chair of the American Medical Association, and an orthopedic trauma surgeon and chief physician officer of the Geisinger Health System in Northeastern and Central Pennsylvania.
It's my pleasure to be your host for this important discussion on cybersecurity. We will cover the steps we need to take to reduce our digital vulnerabilities and protect our practices and our patients from data breaches, ransomware attacks, phishing scams and other types of cybercrimes that are a constantly evolving threat to our security.
The AMA views cybersecurity as a patient safety issue first and foremost, and we urge physician practices to prioritize the safeguarding of protected health information. Cyber criminals continue to focus on the health care sector for a multitude of reasons. The shift from paper documents to electronic health records continues to put an immense amount of information in digital form, not just names and addresses, but medical records, financial information, Social Security numbers and much more.
The enormous number of entry points required to effectively share electronic health information along with the growing network of connected medical devices create more opportunities for cyber attack. Physicians and the health care team members working in different locations need quick access to patient data. And those needs pose additional threats.
Cybercrime in the health care comes from—health care sector comes with devastating consequences, as we witnessed in the ransomware attack on Change Healthcare earlier this year. That attack offers us a case study of the devastating impact felt by patients, physicians, hospitals, pharmacies, labs and countless other health care professionals and entities nationwide.
The AMA is working to advance solutions that greatly improve the health care sector's cybersecurity posture as a critical infrastructure sector, with a particular focus on providing guidance, education and resources to help physician practices, especially small and independent practices, implement cybersecurity best practices. Establishing effective cybersecurity and a high degree of resiliency demands a team effort that creates a shared culture of security awareness.
Today's webinar is just one example of the multiple resources the AMA offers to help physicians protect both patient data and their own internal practice information. These are just a few of the considerations we'll be examining today, along with practical solutions and strategies that physicians and health care organizations can implement to protect their systems and data.
Joining me today are two experts in the field of health care security. Dr. Christian Dameff is an emergency physician and assistant professor of emergency medical services at the University of California in San Diego, where he also serves as codirector of the UCSD's Center for Health Care Cybersecurity.
Dr. Dameff is also an accomplished health care security researcher who has spoken at many of the world's most prominent hacker forums. His work in this field has drawn the attention of news outlets such as The Washington Post and ABC Nightline. And he's a cofounder of the CyberMed Summit, which focuses on medical device and health care infrastructure cybersecurity.
We're also honored to have Greg Garcia with us. He serves as the executive director of the Health Care and Public Health Sector Coordinating Council Cybersecurity Working Group in Washington, DC. Greg received a presidential appointment as the first ever assistant secretary for cybersecurity and communications at the Department of Homeland Security from 2006 to 2009, where he led the National Cybersecurity Division as well as the National Communications System.
In that role and later at the Bank of America, Greg developed policy and strategies to secure government agencies and the financial system against cyberattacks and other threats.
I want to assure you that we have enough time to discuss these vitally important issues and answer your questions. So let's go ahead and get started. Dr. Dameff, I have a quick question for you. So let's start with you. How would you characterize the current state of cybersecurity in physician practices?
Dr. Dameff: Well, thank you for this opportunity. And thank you for the question. Two things. One is that cybersecurity for the longest time has been an issue of patient privacy. The predominant focus is on HIPAA, data security and making sure you don't get hit with the HIPAA hammer. So a lot of the last 10-plus years of health care cybersecurity insofar as clinicians are concerned is just making sure that data records are secure.
The other thing I would mention is that has now changed. It's no longer just the paradigm that we should focus on health records. Because of the increased consolidation of health care, the digitization that you mentioned, and the near-total technology dependence that we have as clinicians on these systems to deliver safe and effective patient care, now we have this terrifying, not future, not dystopian possibility, but reality that these types of attacks truly impact our ability to care for patients, especially critically ill patients, in a timely and safe manner.
So think about things like the electronic health record, the ability to quickly order medications, view important health information, or to page, for instance, incredibly time-sensitive consults. All are predicated on these types of technologies. So now, as the AMA recognizes and others appreciate, this is a patient safety issue now.
This is a problem that will only be continuing to expand. And as clinicians, we should recognize that the old days of IT being an IT problem, something you pick up the phone and call someone to help you restart your password and that it ends in IT and is no longer our partial responsibility goes away in this era of health care, patient safety, cybersecurity concerns.
And what I would encourage us to look forward to as clinicians is, how do we develop better strategies, downtime procedures and safe clinical care in an era where our vital technology may be gone, not just for an hour or two, but, as is the case with these ransomware attacks, sometimes weeks to months? And that is a terrifying concern and one that we really need to help lead other folks in. If we lead this—leave this only to the IT folks who don't understand what it's like to take care of a septic shock patient, for instance, we're going to have some bad results.
Dr. Suk: Thank you, Christian. Appreciate that. Greg, I'm going to turn to you and maybe pivot off of the cybersecurity equals patient safety, cybersafety equals patient safety comment and then ask you to comment too, is what's your perception—or what's your sense of the current perception of health care cybersecurity among policymakers in DC, especially after the huge impact that the Change Healthcare cyberattack has had on our community? So maybe a little bit of a double question there to lead in with the cybersafety and patient safety question.
Garcia: Yeah, well, that is the existential truth, the existential threat. And Dr. Dameff really outlined that well. And in fact, he had done a paper recently, late last year, about the downstream effects of cyberattacks on one health care institution cascading to others in a given region because of diverted ambulances and care delayed or disrupted.
So that's a very palpable and clear connection between cyber incidents, cyber threats and patient safety. So that, in fact, is the organizing principle around the Health Care Sector Coordinating Council.
And a quick word about that. We are a cross-sector health care industry organization. By cross-sector, I mean, it's the health providers. It's the medical technology companies, the pharmaceutical manufacturers, the payers, the health IT companies, public health working together to identify and mitigate systemic threats to the health care system like cyberattacks and to do that identification and mitigation with the government as a public-private partnership.
And in doing that, what we're trying to do is develop a range of best practices, leading practices, recommendations like how do we deal with this? Not just how do the chief information security officers in your organizations, not just the IT people, how do they deal with it, but how do the clinicians deal with it?
We, in fact, have a video training series called Cybersecurity for the Clinician. I can put the link in the chat, but it's everybody's responsibility. Cybersecurity is everybody's responsibility, including frontline clinicians. Because you're touching data. You're touching technology. You're touching patients. And all of those things combine to present some vulnerabilities in the digital world, as Dr. Dameff described.
And so this existential threat that we're facing is something that is, to your question, is very well recognized by our policymakers. So we have any number of members of Congress in the House and the Senate and congressional committees introducing new bills, trying to do something about this and adding more regulation to the quiver of arrows in the HHS arsenal.
We have the White House that has named health care along with, I think, the water sector and the K through 12 education sector as the three most vulnerable industry sectors in the country needing special attention. So Department of Health and Human Services has been working with us in the Sector Coordinating Council to think about what are those vulnerabilities in the health care sector that are most frequently, most successfully exploited or successful cyberattack that can ultimately affect patient safety, patient care.
And then what are the appropriate kinds of technical controls, policy controls, governance? What do organizations, what do health providers need to do to shore up their cybersecurity defenses?
So the government has come up with a set of goals. They call them the Cyber Performance Goals, the CPGs, which were initially presented as voluntary and they still are. And many of those controls are based on recommendations, best practices that the Sector Coordinating Council has published also on our website called the Health Industry Cyber Practices or HICP.
But we are expecting those to become mandatory at some point, even though we're four weeks away from an election. We were hearing that these proposed rules will come out fairly soon. And then we'll go through a public comment period. And presumably, they will become mandatory and permanent sometime next year, holding health providers more accountable, more responsible for the security of their data, their systems and ultimately their patients.
Dr. Suk: Greg, you mentioned the accountability and the mandatory natures of the things we need to do for cybersecurity. Can you give the physicians on the call some sense of the teeth behind that when you say something's mandatory, if you don't do it, then something's supposed to happen. Give us a glimpse of what that's supposed to look like.
Garcia: Yes. So all physicians, clinicians understand HIPAA. And HIPAA is generally known as privacy protection. But there is also the HIPAA Security Rule, and it has very specific requirements. Maybe not so specific, but it is—here's what you need to do. We're not going to get down into the weeds as to how you're going to do it, but you need to have certain controls in place. And you need to have training. And you need to have exercises and data controls.
And if you get hit by a cyberattack and a data breach, you can be held accountable to fines and to audits by the Office for Civil Rights. And that presents a cost. So if you're not doing the appropriate things and you get hit by a cyberattack, you will suffer regulatory jeopardy.
Now there was a bill that was passed in 2021. And it gave a positive incentive for the health providers, for the hospitals, clinics, et cetera to invest in some of these basic controls as a quid pro quo for perhaps being treated more leniently if and when you do get hacked.
In other words, if you've got a data breach and you can show to HHS that you have over the past year implemented generally recognized cybersecurity controls, such as the NIST Cybersecurity Framework, the Health Industry Cyber Practices or HICP that we produced, if you can show that you have done your best, you did the right thing and you still got hit, HHS is directed to essentially take it easy on you, take that into account. And perhaps the fines will be reduced. The audit will be reduced. And that's a positive incentive.
In the president's budget, there will be—there was a proposal—and probably Congress is not going to—is going to appropriate the money for it. But they proposed, how about you give us $1.3 billion? The first 800 million of that will go toward the hospitals in most need, 2,000 or so rural health care organizations and others. Give them that money to invest in those cyber performance goals, sort of like the old, meaningful use approach.
And if after two to three years you can show that you have used that funding to invest appropriately in cyber performance goals, good for you. If they find that you have not used that money to invest in those cyber performance goals, you may very well suffer a reimbursement haircut, that CMS reimbursements will be reduced as a penalty.
So I don't know that that will become law, but that is the kind of thinking that's happening right now in the government. How do we balance the carrots and sticks? What incentives can we provide? But also know that if you don't take advantage of those incentives, you may suffer some penalty.
Dr. Suk: That's very helpful. And I think for our listeners and participants, it's, obviously, of great concern to put it on our radar, not only the public health and security risks we're talking about, but the fact that we all have individual accountability to that degree.
So, Chris, I'm going to turn to you. As a physician, we're pulled in a million different directions. And the last time I checked, we didn't go through cybersecurity class in medical school. And one of the challenges is, of course, is that now with additional requirements for us to know and understand what, practically speaking, can we do today to help us get more knowledgeable, start protecting our practices to get ready for some of these potential mandates?
And it dovetails into a question in the chat. And maybe I ask you to address both because they're very similar. And this is from a solo internist asking about practical steps. He has a small network of six computers, main computer housing the EMR and billing software databases. He has one particular vendor for ransomware. But that, for the layperson, sounds pretty good. Christian, what do you think? Is he doing enough? Or what more can he do?
Dr. Dameff: Yeah, that's a great question. In a lot of ways, we are not only being torn in all these different directions, but we have been asked to do impossible things with nothing. And it's not just cyber that are constraints. I mean, there are so many other parts in this.
As Greg mentioned, there are some frameworks out there, some resources that you can go to as a small clinic or a smaller practice and have these checklists essentially. Are you doing this and this and this? And that can be very helpful.
They are not often written in the language of a clinician, though. They're written for IT folks. And so I think a gap in this space and one that would be a tremendously great opportunity—or Greg, if you know of a solution that fills this gap—is more of a clinic owner-provided resource to address these more practical concerns at the smaller level—what do I actually do? And how do I know I've met these standards—for folks that don't have even a single IT person or only engage them infrequently as part of just setting things up and monitoring from afar.
But I will say this, there are things as a scientist—we all learn science as we prepared to study medicine. We understand the importance of evidence in order to make decisions, evidence-based medicine at the core of what we do. And I'll just say, as an academic and a person in this space, there's not a lot of data to support certain cybersecurity interventions and that you can do all of the great things that are recommended by a framework. But it does not necessarily mean that you won't be hacked, that you won't suffer a ransomware attack.
And so one of the things I think we can do as clinicians is to say, what is the evidence base behind some of these things that we have to do? And are we really getting the benefit, the best bang for our buck and really applying the scientific method to being effective in our controls?
I'll take training for an example. It seems intuitive at its face that if you train your work staff, your clinicians, your nurses, your MAs, the folks in the hospital to avoid cyberattacks like phishing, for instance, that they would be more resilient, that they would be less likely to be hacked. But we don't have that evidence base.
In fact, there's a growing evidence base that says that training doesn't work. And so one of the things I would encourage us as clinicians is to take our traditions and our knowledge of the scientific method. And now that cyber is very real to all of us—practicing clinicians know nothing about cyber. How can we help inform the next generation of cybersecurity recommendations to be evidence based, to be practically implemented, and to understand not only the constraints in the IT world, but the constraints in the clinical arena?
Multifactor authentication is a common control that is cited to be great at preventing ransomware attacks, and I truly believe it is. But I can't point to studies that say it does. However, we can't put multifactor authentication on defibrillators. We cannot put multifactor authentication on many of the medical devices that are connected and are required for rapid care of patients.
Without clinicians being a voice in that, we will not be able to bolt on all of the controls from finance into health care, expect the same results, and at the end of the day, have our patients actually benefit from it.
Dr. Suk: Yeah, I think you hit it up on the head. I think most clinicians—clinicians are used to the scientific method, but it all still seems very foreign to all of us. One of the questions in the chat relates to a story I'll just briefly share that I have a colleague who is preretirement. As we were going through all this IT innovation and technology change over the last five years, one day, I caught him looking outside and looking in the sky. And he asked me, where is this cloud thing, anyway?
I only share that with you because it may, for whatever reason, highlight the fact that we're pretty behind on the technological curve from our training, particularly those—
Garcia: Well, I was involved in cybersecurity when if you said hacking, people just thought you had a bad cough.
Dr. Suk: Right. And so I think that—and Greg, I'm going to turn to you for this. And maybe it alludes to some of the video training that we have, which is now available on the Ed Hub. You had mentioned the Coordinating Council and some of its training videos.
But in the question chat, there's a very specific question. It is, give me—if you just tell us what to do, we'll do it. As practically speaking as a firewall, what type? How often do I need to change my passwords? What kind of recommendations do you have on where to store these records and things like that?
This is the type of granularity that I think our clinicians and physicians are looking for. I don't know if that type of level of information is available because I think—
Garcia: Well—
Dr. Suk: —reflecting on my colleague who's looking for the cloud, that's where some of us currently are. So, Greg, what are your thoughts on that? Can we get to that granularity?
Garcia: Well, I would say, first, do go to the video training series because that is at a level of responsibility that is commensurate with your roles as physicians. And by the way, Christian was asking me to suggest some resources. Being modest as he was, he is the star of that video training series.
He is the on-camera talent because he knows both sides of it, from the computer side to the clinical side. Yeah, Hollywood is calling Christian. So I hope you take the call.
But it's a really good series. It's simply eight videos, each about six minutes apiece going through different chapters, different topic areas. Good for one CME. It's just an easy thing to go through.
But I would say, just tell me what to do. I would leave that to your security people. I mean, if you're a small practice and you don't have a security person—but let's start with if you do. We have those resources like the HICP, the Health Industry Cyber Practices. What do we do about email security? Or what do we do about securing our medical devices?
Well, you have security professionals. That's their job. And part of their job is also employee training and other things that involve your work, clinical engineering. They'll tell you what to do according to the policy. And they in turn are asking the government, just tell us what to do. Don't make it vague. If you're going to regulate us, regulate us. It's going to cost us something. But take the ambiguity out of it, and then we will do it.
But some of the most basic things, I think—and I think Dr. Dameff will attest to this. One of the most successful ways that hackers get in and disrupt systems and steal data is through email, email phishing. And it's only going to get better because of artificial intelligence. No longer are you going to have typos in that email written by that hacking group in Nigeria or in China. It's going to be perfect looking.
And so that is a way simply to trick the users, the receivers of the email to click on that link, open that attachment. And we all just need to have a greater level of awareness and suspicion and paranoia to stop ourselves. Just double check that web address that they give you. Don't click on it. Go to the web and see if it's real.
There's a lot of ways you can simply double check things to be sure you're not doing the wrong thing. That's the biggest start. And then from there, you start talking about different types of tools like firewalls and antivirus to things you have to use.
But it's good to get professional help that's specific to your environment. Small practice, what are the most basic things you need based on what you have?
Dr. Suk: But it sounds like you're advocating for a new industry of people who can help. So I'm sure that we have a new generation of people whose entire jobs will be to help small practices try to get.
Garcia: That's right. There are those. Absolutely.
Dr. Suk: Yeah. And Christian, I think one thing that people may or may not know is you used to be a hacker yourself. And I'm sure that gives you some very specific kind of awareness, and obviously, was one of the motivators for you to do what you're doing now. Maybe talk a little bit about that experience and turn that into some advice, perhaps. How do we defend you from getting in?
Dr. Dameff: That's a great question. I'll actually say I still very proudly identify as a hacker, and I know that draws a lot of—it depends on the crowd I'm speaking to. But sometimes I actually hear audible gasps and folks calling with pitchforks and torches for my arrest.
I'd like to just really quickly say that hacking should not be a bad word. In fact, what makes a hacker hack and what motivates them and their skill set has very much an overlap of clinicians, of physicians.
And so what I'll say is that not all hackers hack and do bad things. Many hackers hack professionally. So there are security professionals who can help secure some of those small practices we've been talking about. Some of them are just very curious folks, and there are a subsection of them that are the malicious hackers that do things like ransom hospitals.
But what unifies them all, I would say, and what we share with hackers from the physician side of that is really creative problem solving. I'm an ER doc. So when I have to get a patient admitted and I know I'm going to call the hospitalist, who is great at being able to say, will you call this service or that, we think creatively in the space of how to solve clinical problems. Hackers do the same thing.
That's all that really is. There's a system. It was designed to do this. And hackers can think about ways to get a system to do something different than what it was intended through an often creative process. So please, if you take one of the things you take away from this webinar is just say not all hackers are bad. And you should listen to hackers.
Because the second point of your question, that insight and that knowledge that I had growing up in the hacker space—which I still go to hacker conferences every single year, I still encourage folks to do so they'll learn quite a bit—is because unless you have that adversarial mindset, your defenses will suffer. If you can't think about how someone devious might invade your practice and steal your patient records, then you don't know where to make those investments or how to really go about it.
And you don't have to get very technical about it. The thing that Greg mentioned, which is probably—we don't know. Again, the data on this is not published. The most common vector is probably exploiting people. It's not exploiting technology. It's tricking people into giving over their passwords and their usernames. And really, that doesn't require any type of hacking knowledge. This requires a persuasive, well-written email.
So at the end of the day, what I would say is that my hacker background allowed me to have that adversarial mindset and identify not only weaknesses in small practices or hospitals, but really at a national security level. I know this isn't the conversation that many folks thought we would go in, and I'm not sure how much we'll dive into this.
But health care is critical infrastructure. And ransomware gangs are financially motivated for the most part, but there's only so many hospitals. There's only so many networks. And we're consolidating all of those into common technology platforms where we're putting all of our electronic health records on the cloud.
These types of things pose national security concerns. And us, as clinicians, need to recognize that we are no longer in our own cyber boat, that the regional effects of things like ransomware attacks, the shared vulnerability of software that many, many practices use across this country really put us in this era of securing national infrastructure and that adversaries that look to do ill will on the United States are definitely looking on how they could disrupt those health care systems.
So I would say I'm not alone. There are other folks in this space. Many people on this call identify themselves as hackers. Use that power for good, help educate your fellow physicians. And at the end of the day, we need a little bit more of hackers in this space. We'll all benefit from it.
Dr. Suk: Yeah. No, that's great. That's great information. And there's a question in the chat, and maybe I'll toss this to Greg or to either of you. I'm not really sure how to ask it or whether it's going to make sense. But are there any lessons from natural disasters or the COVID-19 pandemic that can be applied to addressing cybersecurity and cyberthreats? It's a little bit out of left field, but I'm here to do that. I'm here to do that to both of you.
Garcia: Take a shot at it, Christian.
Dr. Dameff: Yes, absolutely. So I think Greg would agree, and there is a growing body of literature that disaster medicine has many of the tools available to address these types of attacks, specifically ransomware. And we should think of these things like disasters.
Now, I'm sure, Greg—and please, if you differ or you have any additional thoughts, let me know. But there are differences in cyberattacks. It's a hurricane. You have some prediction, forms. You can see the path that it may be traveling can change, of course. But you have some type of forewarning.
Cyberattacks can strike anywhere, any hospital, any time. And the only prerequisite—no geographic predilection. The only prerequisite is that it's connected to the internet, which now every hospital is. And so that's just one of dozens of ways in which cyberattacks, like ransomware, are unique disasters where we have a very immature literature base.
Now we can adapt some of the knowledge from the field of disaster medicine in these, but we also have to recognize where they're different. And that's an opportunity for us to grow as physicians and contribute to more literature, to study how best to respond to these attacks.
The field is wide open. And I would encourage anyone who's interested in that to throw your hat in the ring and help all of us because we can't do this alone. And the cyber experience and defenses of one hospital may greatly differ from others.
So unless we all work together and recognize we're all, again, in this boat analogy, in the same cyber boat, we're going to fail. I'll also post—
Garcia: Yeah, and I think—
Dr. Dameff: Also post a couple links to some papers about this specific thing, if anyone is interested in the chat.
Garcia: I think one thing that the pandemic, and frankly, any major national event that can cause public concern, public panic, those are opportunities for hackers to attract attention, to deceive the public through, again, email phishing or other fraudulent attacks like that.
We saw a large uptick in the number of fraud attempts—new vaccine discovered, get yours first, click here. And people would click on that. And that wasn't a vaccine. That was a phishing attempt. And so when you can prey on people's emotions through email, through the internet because of these national widespread issues of concern or public health and safety, people are going to fall for it.
So know that when these big events happen, there will be more attempts to exploit those events and appeal to people's emotions to do the wrong thing and click on these links and these attachments to either satisfy their curiosity or to get the help that they think—to get the help that they need. So that affects everyone—clinicians, patients, the public at large.
Dr. Suk: Yeah, thanks for that additional information. It's very sobering. But Christian, let me ask you a question. Out of the chat, there's a question, "Is there a particular specialty within medicine that seems to be more vulnerable to hacking?"
Dr. Dameff: It's a good question. Not that we have data to support. A lot of what data we have out there is focused on the inpatient and more urgent emergent space. So I put a couple of papers in discussing emergency department care, acute stroke care.
And the traditional thoughts of this are where minutes matter—septic shock, trauma—where that digital infrastructure is not there, is there an impact to patient safety and outcomes? But I also postulate that our outpatient providers are in an interesting position when it comes to this.
Because perhaps their patients aren't acutely dying. But these types of ransomware attacks where you'll cancel hundreds of appointments because you've been ransomed. You can't see these patients. Those will turn into emergencies, urgent patients that didn't get care.
Or if you're an obstetrician, for instance, and your hospital's been hit with ransomware and you have to cancel elective inductions, well, those elective inductions you cancel during ransomware turn into emergency sections 10 days later.
So these types of specialty-specific nuances are things that we are discovering but are very hard to measure. And I don't think there's one particular specialty that rises to the top. It's more what is your practice environment. Is it inpatient, outpatient? And then are you in one or more of these hyperacute types of responses that probably would have the most patient safety impacts?
Financially, different story. Again, we don't have a lot of data for this. We see anecdotally that it's the small practices. It's the small, rural, critical access hospitals that suffer such financial devastation from these attacks that they even close.
We saw this in the wake of Change. We've seen this in the wake of several ransomware attacks. Those types of practices are disproportionately financially impacted by this. And unfortunately, I think this is a trend we're going to see from Change that extends years.
The fallout that's going to happen is going to be immense and immeasurable. And in a lot of ways, we should really examine this from a national perspective of how many more Change Healthcares are out there, where we'll close more clinics, more practices and worsen health disparities and worsen health care deserts.
Dr. Suk: Yeah, thanks for that. Greg, let me switch gears here. This may be for both of you, but I'll start with you. Your health care practice gets broken into or attacked. And the attackers or hackers are asking for a ransom. Do we pay?
Garcia: That's every organization for itself. It is a determination you're going to have to make based on a lot of circumstances. I don't speak for the FBI at all, but they do not recommend that you pay a ransom.
We have the case of a cancer center recently that had hundreds of images of breast cancer patients stolen and would be returned with a $5 million ransom, which the organization refused. So the hacker group released those images. And now that clinic is subject to, I think, $60 million in damages from a class action lawsuit. So they traded 5 million for 60 million.
So every organization has to think about the various contingencies. And you're forced sometimes to make the choice, do we pay the ransom and continue to provide patient care? Or do we refuse to pay the ransom and face potentially loss of patient care, financial obligations from regulatory concerns from data breaches? So it's not an easy choice.
Dr. Suk: Yeah. Christian, you have any thoughts on that?
Dr. Dameff: I agree with Greg in a lot of ways. This is a complex problem. And I hate to joke around a little bit, but it's almost like talking about politics or religion about whether or not you should pay the ransom. It is a—you'll get so many different opinions.
You see, I would say, in the last year or so, there's been a trend from the government, some parts of the government, not only to say don't pay the ransom, but there's efforts to criminalize paying ransoms. There's efforts to disincentivize them in any way possible because there's a lot of thoughts that they continue to fuel ransoms.
So why are malicious hackers attacking health care, ransoming them? It's because they get paid to do it. And the idea is that if there isn't a market, if people aren't paying ransoms, then ransomware operators will move to something else that makes them money.
And so it's almost a chicken or the egg problem. But if you're a small practice or you're a hospital that is the only critical access hospital within hundreds of miles and you are posed with this very difficult decision, well, you don't necessarily—you're not necessarily responsible for the entire world's ransomware problem. And you're caring for your patients. And for me, it's a hard, hard problem.
I will say, there are some other creative ways to approach this problem I don't think we've yet explored fully. One of the reasons that is mentioned for paying ransoms is embarrassing or concerning release of information; there was that breast cancer example.
There was also, in Europe, a psychiatry practice that was ransomed. And there were very sensitive clinical notes that were being threatened to be released. And they contacted the patients and said, hey, call your clinic and tell them to pay the ransom. Otherwise, we're going to release all your psychiatric notes to the public.
So there are growing examples of this. But how can we take the danger out of a ransomware attack to disincentivize folks from paying it, I think, is an interesting question. And one of the things we can do—not really in this case I just mentioned with data.
But if we can limit the impact that ransomware has on patient care, for instance, can we still effectively take care of trauma, stroke and sepsis patients, despite being ransomed, then the incentive to pay the ransom is lessened. The market over the long-term will potentially decrease. And ransomware operators will ransom health care less and less.
This is not a problem we are going to solve overnight. In fact, the other important thing I want your audience to take away from this webinar is if you think cyber is a problem we will solve, you're mistaken. Cyber is not a—we're going to fix it and we're going to talk in 30 years about "remember when cybersecurity was a thing." There is no magic bullet.
This will continue forever. And as long as there are errors in code which will be forever or ways to use systems in an unintended way, we will always have cybersecurity concerns. This is something we have to live with now and mitigate the impacts, not something that we're going to be able to solve.
Dr. Suk: Well, thanks for that. Some more sobering information. Let me ask a question out of the Q&A. "Besides perfect looking phishing emails, what risk does AI pose for cyberattacks?" And we know that it can generate good looking emails that we can click. And then here's the question I'm not sure what the answer is. Can viruses be transported to EMRs? Like via tools like cut and paste. Is that a practical thing? Can you cut and paste—
Garcia: Great question.
Dr. Dameff: I'll address the first question. AI, we haven't even begun to understand how it would really impact cybersecurity. I admittedly am not an AI expert. The common things, Jeff—sorry, that Greg mentioned are things like improving the linguistic accuracy of things like phishing emails. Phishing is a huge threat. AI can supercharge those types of things.
I'm going to post in the chat a link to one of my favorite papers, which was a group of security researchers—so these aren't malicious hackers—that were able to manipulate CT images. They were able to take a CT image, a chest CT. And they built an AI program that was able to inject a concerning looking nodule into the actual DICOM file.
So the AI injected a fake nodule into the CT scan. They took that CT scan, showed it to board-certified radiologists. And the radiologist read it almost all the time as this is a concerning nodule, even though it did not exist.
They conversely did the same thing. They took CT scans from patients who had concerning nodules. Their AI program was able to remove those nodules. They showed those images to radiologists, and they didn't detect any abnormalities.
What am I trying to get at here? When we think about privacy of health data, we think about confidentiality. When we think about ransomware, we think about the availability of critical medical resources. But there's a third part of cybersecurity, which is data integrity. Changing, manipulating, deleting data is something we have traditionally not experienced in health care, which has terrifying consequences. This paper I mentioned is talking about manipulating the data that we use as physicians to make very important decisions.
That is, I think, something that was so hard to accomplish from a regular adversary that they didn't really pursue it. AI reduces that barrier and allows adversaries to explore this third terrifying part of cybersecurity, which is, what if I delete your allergies and your electronic health record? Or what if I manipulate your chest X-ray? Or what if I change your lab values?
So it looks like you're in diabetic ketoacidosis when you're not. And some clinician gives—some provider, some physician gives you insulin when you don't need it. That is what I think AI is going to unlock for adversaries in this space is to reduce the amount of effort it takes to execute very sophisticated attacks that we have not yet even seen in the wild because they were too hard to accomplish.
Dr. Suk: Yeah, it's amazing. Greg, any thoughts on that?
Garcia: No, I don't think so. Christian's right. AI will be—can be used maliciously in a number of ways and including defeating or circumventing or deceiving cybersecurity controls within an environment. And then we think, well, if AI can do that on the offensive side, can we deploy AI on the defensive side?
So then it becomes AI versus AI. That's interesting. Now we're in this dystopian world of The Matrix or The Terminator, machine versus machine. And I don't discount, that's a very strong possibility that the defenders will be using AI to defend and the adversaries will be using AI to attack.
And as for cutting and pasting viruses and other things, I don't know. That's a technical question. The HHS Office for Health Care Cybersecurity Coordination, HC3, just did a webinar on so-called Living Off the Land Attacks.
I'm sure Christian can go into more detail about that, but it's really using resources that are already in the environment, various apps or services within a connected environment, almost to use them in sort of an autoimmune disease kind of an attack, using resources within a network against itself.
But I don't quite know how that's done. I didn't attend that webinar, but it's something you might want to look into. HC3, Living Off the Land Attack. If you want to—it's a recorded—they've recorded it. It looks kind of interesting, maybe a little bit technical, but that might address the person's question.
Dr. Suk: Well, thanks, guys. Let me just switch to the now infamous and going to be historically famous Change cyberattack. Do we have any information as to how it happened? What was their vulnerability? And was it a phishing attack? Do we know? Or has that been released? That's for either of you.
Garcia: I think the most commonly cited reason was that they did not use multifactor authentication. So therefore, you had compromised, easily compromised credentials to get into the system. And I don't know all the details about what was done once they got in there.
But again, it does come down sometimes to some fairly basic cyber hygiene disciplines that—cyber hygiene disciplines that are not in place and then that are easily exploited. The hackers can often take the path of least resistance, and that's often in just some of the most basic blocking and tackling techniques to protect yourself. So that is what was exploited.
And Christian said that we will continue to be plagued by coding errors. And while it was not a cyberattack, for those who were familiar with what happened with the CrowdStrike event, that was just a very basic human error in either coding or in transmitting a patch. And a lot of systems went dark.
Dr. Suk: Yeah. Someone tongue in cheek, I think, is putting in the Q&A a call to go back to paper records, but just wanted to call that out. But let me—as we wind down our time, I have just a couple more questions for you.
Christian, thanks for all your work in this world. And I know you head up the UCSD Center. Tell us what's on the horizon for the center for you guys. What are you guys looking at doing in the future?
Dr. Dameff: So thank you. The center recognized that there's a really big research gap in this space. I don't know if your audience will believe it, but there's not a single peer-reviewed publication about patient outcomes at a hospital that's been ransomed.
And despite how many tens of millions, hundreds of millions of dollars lost on this decade-plus now almost of health care ransomware attacks, there's not a single patient outcome-focused publication in the literature. Why? Has a lot to do with lawyers, I think.
But in some sense, now, we're so dependent on the health care, not only to deliver it, but also to measure it. So how do I know your sepsis measures, for instance? How quickly did you give antibiotics in septic shock? How did you give fluids and things?
Those are all recorded in the electronic health record. Those are often unavailable during the attack. So the ways that we measure quality and monitor patient safety are they themselves gone in these attacks.
So a lot of hospitals that get attacked just actually don't have this data. So it's very hard to study. The center is focused on how do we study this rigorously, how do we develop an evidence base, how do we offer recommendations that actually bend the arc and critically appraise these things? And how do we do this with a patient focus?
There's people working on the technical sides of cybersecurity. There's no one really working on the clinical side. So the center is the home for that, where we have an interdisciplinary group of folks that do that.
I'm going to say, the center's mission, in a small way, should be everyone's mission on this call. How do you build an interdisciplinary team where cybersecurity expertise should not fall also on the backs of physicians to know about and to execute on? You really have to build this bench of folks, build a community, draw upon everyone's expertise to make the best decision.
I will say, some tangible fruit out of the center coming out here is we plan to next year publish a guide for you all out there, an open-source free document that is, if you're a cardiologist, you turn to chapter 9 for cardiology. And it's going to talk about how ransomware attack is going to impact your patients in the cath lab. Chapter 12 is going to be for pediatrics. Chapter 14 is going to be for trauma surgery.
The idea is, how do we build clinically focused ransomware guides that aren't technical but are patient safety clinically focused? And then you can break that glass. If you, unfortunately, should ever be ransomed, you pull out this guide. And you know what's going to happen. And you can better prepare for those effects.
So it's one of the fruits coming out of the center that we hope you out there will adopt and read and that you can take that document and prepare for these types of attacks. Because I hate to be the bummer on this webinar. And I think I've done that several times. My apologies.
But I'm just going to blatantly say it. It's not if. It's when. The trajectory and the arc and the money involved in this means that you will suffer an attack like this probably during your career. And when you think about it like that, the preparation and effort you put ahead of time will pay dividends financially with patient safety, with the longevity of your career.
And with that sobering thought, the center is hoping to take the edge out of that with our work. And we appreciate anyone who wants to collaborate, do research, et cetera. We'd welcome you with open arms as part of the center.
Dr. Suk: That's great, Christian. Thank you so much. And Greg, I have a little lasting last maybe question that's going to ask you to prognosticate a little bit. So you alluded to a big change happening in about four weeks or so potentially. Where do you think cybersecurity and health care is going to rank in any new administration's agenda going forward?
Garcia: This town has a very short memory, short attention span. And they tend to be—policymakers tend to be very reactive. So frankly, all it is going to take is yet another Change Healthcare-like attack that disrupts 30% or more of the nation's health care system for the policymakers to sit up and take notes and try to come up with solutions.
But on top of that, I think the daily news—I mean, we are—I think HHS is reporting that we are now seeing an average of two data breaches, ransomware attacks per day, exposing 150 million patient records and causing tens of millions, hundreds of millions of dollars in cost from recovery and ransoms and everything else.
And the fact is, we are all patients. Up to the president of the United States and every member of the Congress is a patient. And nobody wants to be that person who is being transported by ambulance to the hospital only to be diverted 10 miles down the road to a hospital that has not been sent offline.
So again, a very existential, very palpable understanding that cybersafety is patient safety and cyber insecurity is patient insecurity. So I think it's going to stay on—I think it's going to stay high on the front burner.
And the Sector Coordinating Council, as an advisory council to the government and to ourselves, will make very well sure that it's going to stay on the front burner, not necessarily as a regulatory issue, but as a partnership issue, as a combination of voluntary and mandatory and ways that we can be resilient, as resilient as the adversaries are and the threats are. So we have to constantly be on our toes.
Dr. Suk: Greg, Christian, you guys have been wonderful guests today. I want to thank you and our audience for their questions. Two distinguished panelists who bring a tremendous amount of insight and history and knowledge about the world of cybersecurity.
As physicians' powerful ally, the AMA stands ready to help physicians and their practices achieve the highest possible level of preparedness, prevention and incident response so you can focus more on effective patient care.
If you've enjoyed today's webinar, I encourage you to search the AMA's website for past Advocacy Insights webinars on a variety of important topics affecting physicians and patients. Just use AMA Advocacy Insights webinar in the Search function.
Thank you both. And thank you audience, for your time today.
Garcia: Thank you, everybody, and thanks to AMA. Good member.
Dr. Dameff: Thank you very much.
Disclaimer: The viewpoints expressed in this video are those of the participants and/or do not necessarily reflect the views and policies of the AMA.