The Change Healthcare cyberattack earlier this year exposed the risks of IT concentration and centralization within the computer networks that the U.S. health system so heavily depends on
It also served as a wakeup call to health care organizations that strong cybersecurity defenses are essential to their operations’ well-being.
Cybersecurity of health data has evolved from a patient privacy issue to a patient-safety concern. And now that the federal government has deemed that health care is be part of the country’s critical infrastructure—similar to water, energy, transportation and telecommunications—health care cybersecurity is developing into a national security priority as well.
“The Change Healthcare attack offers a case study of the acute impact on patients, physicians, hospitals, pharmacies, labs and countless additional health care professionals,” AMA Executive Vice President and CEO James L. Madara, MD, wrote in a letter (PDF) to Jen Easterly, director of the U.S. Department for Homeland Security’s Cybersecurity and Infrastructure Security Agency.
The letter also states that cybersecurity must be a national priority for the following reasons:
- Cybersecurity is a patient-safety issue.
- Cyberattacks are inevitable and increasing.
- Physicians are interested in receiving tools and resources to assist them in cybersecurity efforts.
- The health care sector exchanges health information electronically more than ever before, putting the entire health care ecosystem at greater risk.
From AI implementation to EHR adoption and usability, the AMA is fighting to make technology work for physicians, ensuring that it is an asset to doctors—not a burden.
Cyberattacks are occurring daily
The U.S. Department of Health and Human Services (HHS) “is reporting that we are now seeing an average of two data breaches, ransomware attacks per day, exposing 150 million patient records and causing tens of millions, hundreds of millions of dollars in cost from recovery and ransoms and everything else,” said Greg Garcia, executive director of the Health Sector Coordinating Council cybersecurity working group in Washington.
Under the coordination of Cybersecurity and Infrastructure Security Agency, a branch of the U.S. Department of Homeland Security, the council’s mission is “to identify cyber and physical risks to the security and resiliency of the sector, develop guidance for mitigating those risks, and work with the government to facilitate threat preparedness and incident response,” its website says.
“We have to constantly be on our toes,” Garcia said during an AMA Insight Network webinar (available for free with registration) discussing how to protect patients and physician practices from cybersecurity threats.
The webinar was moderated by AMA Board of Trustees Chair Michael Suk, MD, JD, MPH, MBA, an orthopaedic surgeon and chair of the Musculoskeletal Institute at the Geisinger integrated health system in rural Pennsylvania. Geisinger is a member of the AMA Health System Program, which provides enterprise solutions to equip leadership, physicians and care teams with resources to help drive the future of medicine.
Members of the AMA Health System Program have access to the AMA Insight Network’s Quality, Safety and Equity community. This virtual forum provides an opportunity for like-minded leaders from across the country to hear more examples of how leading systems are finding innovative ways to address health care inequities in their communities.
Solutions may be elusive
Those looking for a “magic bullet” that will banish the threat of cyberattacks for good will be searching for a long time, according to panelist Christian Dameff, MD, an emergency physician and assistant professor of emergency medical services at the University of California in San Diego.
“If you think cyber is a problem we will solve, you're mistaken,” Dr. Dameff said.
“We will always have cybersecurity concerns,” he added. “This is something we have to live with now and mitigate the impacts—not something that we're going to be able to solve.”
With proper mitigation, however, organizations can limit the impact that cyberattacks have on patient care. The result will be that the incentive to pay a ransom to regain control of computers will be lessened and cyberthieves and ransomware operators will focus less on health care, Dr. Dameff said.
Garcia noted that Dr. Dameff was the coauthor of a JAMA Network Open study examining how two San Diego hospitals had significant jumps in emergency department volumes and ambulance arrivals after four San Diego County hospitals belonging to a different health system were shut down by a ransomware attack.
“That's a very palpable and clear connection between cyber incidents, cyber threats, and patient safety,” Garcia explained.
Fighting for Physicians
Get updates on how the AMA is fighting for physicians on critical issues—delivered to your inbox.
“Cybersecurity is everybody's responsibility, including front-line clinicians because you're touching data, you're touching technology, you're touching patients,” he added. “All of those things combined present some vulnerabilities in the digital world.”
Garcia also warned that the health care community could be looking at more federal cybersecurity requirements in the future.
“We're not going to get down into the weeds as to how they’re going to do it, but you’ll need to have certain controls in place,” he said.
“If you've got a data breach and you can show to HHS that you have, over the past year, implemented generally recognized cybersecurity controls … if you can show that you have done your best, you did the right thing and you still got hit, HHS is directed to essentially take it easy on you,” Garcia added.
Learn more about cybersecurity
The AMA offers cybersecurity resources geared for physicians, including a checklist to help protect computers used in medical practices.
There is also “Cybersecurity in Medical Practice,” an eight-episode AMA Ed Hub™ course of enduring material designated by the AMA for a maximum of 2 AMA PRA Category 1 Credit™.
The course details how cyberattacks occur, their impact and consequences, and practical steps to protect against them.
AMA Ed Hub is an online learning platform that brings together high-quality CME, maintenance of certification, and educational content from trusted sources all in one place—with automated credit tracking and reporting for some states and specialty boards.
Learn about AMA CME accreditation.
