Top

Journal of Clinical Monitoring and Computing

Published in:

24-04-2023 | Reviews

The elephant in the room: cybersecurity in healthcare

Author: Anthony James Cartwright

Published in: Journal of Clinical Monitoring and Computing | Issue 5/2023

Abstract

Cybersecurity has seen an increasing frequency and impact of cyberattacks and exposure of Protected Health Information (PHI). The uptake of an Electronic Medical Record (EMR), the exponential adoption of Internet of Things (IoT) devices, and the impact of the COVID-19 pandemic has increased the threat surface presented for cyberattack by the healthcare sector. Within healthcare generally and, more specifically, within anaesthesia and Intensive Care, there has been an explosion in wired and wireless devices used daily in the care of almost every patient—the Internet of Medical Things (IoMT); ventilators, anaesthetic machines, infusion pumps, pacing devices, organ support and a plethora of monitoring modalities. All of these devices, once connected to a hospital network, present another opportunity for a malevolent party to access the hospital systems, either to gain PHI for financial, political or other gain or to attack the systems directly to cause erroneous monitoring, altered settings of any device and even to access the EMR via this IoMT window. This exponential increase in the IoMT and the increasing wireless connectivity of anaesthesia and ICU devices as well as implantable devices presents a real and present danger to patient safety. There has, at the same time, been a chronic underfunding of cybersecurity in healthcare. This lack of cybersecurity investment has left the sector exposed, and with the monetisation of PHI, the introduction of technically unsecure IoT devices for monitoring and direct patient care, the healthcare sector is presenting itself for further devastating cyberattacks or breaches of PHI. Coupled with the immense strain that the COVID-19 pandemic has placed on healthcare and the changes in working patterns of many caregivers, this has further amplified the exposure of the sector to cyberattacks.

Moore GE. Cramming more components onto integrated circuits. Electronics. 1965;38(8):114–7.

World Economic Forum. What new technologies carry the biggest risks? https://www.weforum.org/agenda/2017/01/what-emerging-technologies-have-the-biggest-negative-consequences/#:~:text=The%20emerging%20technology%20with%20by,deprive%20millions%20of%20their%20jobs (2017). Accessed 25 Mar 2023.

HM Government. National Cyber Security Strategy 2016–2021. London, United Kingdom: HM Government. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf (2016). Accessed 12 Dec 2020.

Martin G, Martin P, Hankin C, Darzi A, Kinross J. Cybersecurity and healthcare: how safe are we? Br Med J (Clinical Res Ed). 2017;358:j3179. https://doi.org/10.1136/bmj.j3179.CrossRef

Verizon. 2019 Data Breach Investigations Report. https://enterprise.verizon.com/en-gb/resources/reports/dbir/ (2019). Accessed 5 Jan 2021.

Ghafur S, Fontana G, Martin G, Grass E, Goodman J, Darzi A. Improving Cyber Security in the NHS. London, United Kingdom: Imperial College London Institute of Global Health innovation. https://www.imperial.ac.uk/media/imperial-college/institute-of-global-health-innovation/Cyber-report-2020.pdf (2019). Accessed 15 Nov 2020.

Jalali MS, Landman A, Gordon WJ. Telemedicine, privacy, and information security in the age of COVID-19. J Am Med Inform Assoc. 2020;28(3):671–2.CrossRefPubMedCentral

Wirth A. COVID-19 and what it means for cybersecurity. Biomed Instrum Technol. 2020;54(3):216–9.CrossRefPubMed

Jiang JX, Bai G. Evaluation of causes of Protected Health Information Breaches. JAMA Intern Med. 2019;179(2):265–7.CrossRefPubMed

10.

Sittig DF, Singh H. A socio-technical approach to preventing, mitigating, and recovering from Ransomware attacks. Appl Clin Inf. 2016;7(2):624–32.CrossRef

11.

Royal Academy of Engineering. Cyber safety and resilience: strengthening the digital systems that support the modern economy. London: Royal Academy of Engineering. 2018.

12.

Best J. Could implanted medical devices be hacked? British Medical Journal (Clinical Research Ed), 368, m102. https://www.bmj.com/content/368/bmj.m102 (2020). Accessed 23 Feb 2021.

13.

Coventry L, Branley D. Cybersecurity in healthcare: a narrative review of trends, threats and ways forward. Maturitas. 2018;113:48–52.CrossRefPubMed

14.

Williams CM, Chaturvedi R, Chakravarthy K. Cybersecurity Risks in a Pandemic. Journal of Medical Internet Research, 22(9), e23692–4. https://www.jmir.org/2020/9/e23692/ (2020). Accessed 23 Feb 2021.

15.

O’Brien S. Average Cost of Data Breach in Healthcare Industry Hits $7.13 Million. https://securityitsummit.co.uk/briefing/average-cost-of-data-breach-in-healthcare-industry-hits-7-13-million/ (2020). Accessed 12 Dec 2020.

16.

Lallie HS, Shepherd LA, Nurse JRC, Erola A, Epiphaniou G, Maple C, Bellekens X. Cyber Security in the age of COVID-19: a Timeline and Analysis of Cyber-Crime and Cyber-Attacks during the pandemic. Comput Secur. 2020;105:102248.CrossRef

17.

Robinson J, Zoltan M. US Healthcare Data Breach Statistics. https://www.privacyaffairs.com/healthcare-data-breach-statistics/ (2021). Accessed 15 Apr 2021.

18.

Ghafur S, Grass E, Jennings NA, Darzi A. The challenges of cybersecurity in health care: the UK National Health Service as a case study Comment. Lancet Digital Health. 2019;1(1):e10–e12.

19.

Sulleyman A. NHS cyber attack: why stolen medical information is so much more valuable than financial data. http://www.independent.co.uk/life-style/gadgets-and-tech/news/nhs-cyber-attack-medical-data-records-stolen-why-so-valuable-to-sell-financial-a7733171.html (2017). Accessed 12 Dec 2020.

20.

Stack B. Here’s How Much Your Personal Information Is Selling for on the Dark Web. https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ (2017). Accessed 25 March.

21.

Scott J, Spaniel D. Your life, repackaged and resold: the deep web Exploitation of Health Sector Breach victims. New York: ArtOfTheHak; 2019.

22.

Cyber-attack: Europol says it was unprecedented in scale. https://www.bbc.com/news/world-europe-39907965 (2017). Accessed 27 Nov 2020.

23.

Mayor S. Sixty seconds on. the WannaCry cyberattack. British Medical Journal (Clinical Research Ed), 361, k1750. https://www.bmj.com/content/361/bmj.k1750 (2018). Accessed 11 Mar 2023.

24.

Department of Health and Social Care. Lessons learned review of the WannaCry Ransomware Cyber Attack. London, United Kingdom: Department of Health and Social Care. https://www.england.nhs.uk/wp-content/uploads/2018/02/06_pb_08_02_18-lessons-learned-review-wannacry-ransomware-cyber-attack.pdf (2018). Accessed 12 Dec 2020.

25.

Martin G, Ghafur S, Kinross J, Hankin C, Darzi A. WannaCry-a year on. British Medical Journal (Clinical Research Ed), 361, k2381. https://www.bmj.com/content/361/bmj.k2381 (2018). Accessed 19 Dec 2020.

26.

National Health Executive. WannaCry cyber-attack cost the NHS £92m after 19,000 appointments were cancelled. https://www.nationalhealthexecutive.com/articles/wannacry-cyber-attack-cost-nhs-ps92m-after-19000-appointments-were-cancelled (2018). Accessed 26 Mar 2023.

27.

Whittaker Z. GE admits security flaws in its hospital devices could cause patient harm. https://techcrunch.com/2019/07/09/flaws-anesthesia-respiratory-devices-tampering/ (2019). Accessed 6 Mar 2023.

28.

Whittaker Z. A widely used infusion pump can be remotely hijacked, say researchers. https://techcrunch.com/2019/06/13/alaris-infusion-pump-security-flaws/ (2019). Accessed 6 Mar 2023.

29.

Martin G, Kinross J, Hankin C. Effective cybersecurity is fundamental to patient safety. British Medical Journal (Clinical Research Ed), 357, j2375. https://www.bmj.com/content/357/bmj.j2375 (2017). Accessed 26 Mar 2023.

30.

Pranggono B, Arabo A. COVID-19 pandemic cybersecurity issues. Internet Technol Lett. 2020;2021(4):e247.

31.

Baumgart DC. Digital advantage in the COVID-19 response: perspective from Canada’s largest integrated digitalized healthcare system. NPJ Digit Med. 2020;3(1):1–4.CrossRef

32.

Houses of Parliament. Robotics in social care. London: Houses of Parliament; 2018.

33.

Looper C. What is 5G? Everything you need to know. https://www.digitaltrends.com/mobile/what-is-5 g/ (2021). Accessed 18 May 2021.

34.

Sharma B. With 319 Terabytes per second, Japan sets new world record for internet speed. What does this mean? https://www.wionews.com/technology/with-319-terabytes-per-second-japan-sets-new-world-record-for-internet-speed-what-does-this-mean-399033 (2021). Accessed 25 Mar 2023.

35.

Petrosyan A. Share of global adults who trust public Wi-Fi networks to keep info safe 2019. https://www.statista.com/statistics/1147501/share-adults-trust-public-location-wifi-network-information-safe/ (2022). Accessed 25 Mar 2023.

36.

Cyberunit. Can You Trust Public WiFi? https://www.cyberunit.com/blog/can-you-trust-public-wifi (2021). Accessed 25 Mar 2023.

37.

McNamee K. 5G – What could go wrong? [Conference Presentation]. ISC2 Security Congress 2020, Online (2020).

38.

Patel H, Hassell A, Keniston A, Davis C. Impact of Remote Patient Monitoring on Length of Stay for Patients with COVID-19. Telemedicine and E-Health. 2020. https://doi.org/10.1089/tmj.2021.0510.

39.

Ferretti L, Wymant C, Kendall M, Zhao L, Nurtay A, Abeler- Dorner L, Parker M, Bonsall D, Fraser C. Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing. Science. 2020;368(6491):eabb6936.

40.

Skorobogatov S. The bumpy road towards iPhone 5c NAND mirroring. https://arxiv.org/pdf/1609.04327.pdf (2016). Accessed 27 June 2018.

41.

Evans D. The Internet of Things. How the Next Evolution of the Internet Is Changing Everything. San Jose, United States of America: Cisco. http://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf (2011). Accessed 18 Oct 2020.

42.

Ericsson. Wearable technology and Internet of things. https://www.ericsson.com/en/reports-and-papers/consumerlab/reports/wearable-technology-and-the-internet-of-things (2016). Accessed 6 Mar 2023.

43.

Nasajpour M, Pouriyeh S, Parizi RM, Dorodchi M, Valero M, Arabnia HR. Internet of things for current COVID-19 and future pandemics: an exploratory study. J Healthc Inf Res. 2020;4(4):1–40.

44.

Cisco. Defending against today’s critical threats. San Jose, United States of America: Cisco. https://www.cisco.com/c/dam/global/en_uk/assets/pdfs/en_cybersecurityseries_thrt_01_0219_r2.pdf (2019). Accessed 18 Oct 2020.

45.

Symantec. Internet Security Threat Report. Mountain View, United States of America: Symantec. https://docs.broadcom.com/doc/istr-24-2019-en (2019). Accessed 19 Jan 2021.

46.

Zou X, editor. IoT devices are hard to patch: Here’s why—and how to deal with security. Retrieved from https://techbeacon.com/security/iot-devices-are-hard-patch-heres-why-how-deal-security. Accessed 18 Oct 2020.

47.

Food and Drug Administration. Firmware update to address cybersecurity vulnerabilities identified in Abbott’s (formerly St Jude Medical’s) implantable cardiac pacemakers: FDA safety communication, 29 Aug 2017. https://www.fda.gov/medical-devices/safety-communications/firmware-update-address-cybersecurity-vulnerabilities-identified-abbotts-formerly-st-jude-medicals (2017). Accessed 18 Oct 2020.

48.

Food and Drug Administration. Cybersecurity vulnerabilities affecting medtronic implantable cardiac devices, programmers, and home monitors: FDA safety communication, 21 Mar 2019. https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-affecting-medtronic-implantable-cardiac-devices-programmers-and-home (2019). Accessed 18 Oct 2020.

49.

Newman LH. A New Pacemaker Hack Puts Malware Directly on the Device. https://www.wired.com/story/pacemaker-hack-malware-black-hat/ (2018). Accessed 12 Dec 2020.

50.

Peterson A. Yes, terrorists could have hacked Dick Cheney’s heart. Retrieved from https://www.washingtonpost.com/news/the-switch/wp/2013/10/21/yes-terrorists-could-have-hacked-dick-cheneys-heart/ (2013). Accessed 15 July 2020.

51.

Mirsky Y, Mahler T, Shelef I, Elovici Y. CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning. https://arxiv.org/pdf/1901.03597.pdf (2019). Accessed 15 July 2020.

52.

MIT Technology Review. Security Experts Hack Teleoperated Surgical Robot. https://www.technologyreview.com/2015/04/24/168339/security-experts-hack-teleoperated-surgical-robot/ (2015). Accessed 18 Oct 2020.

53.

Newman LH. Medical Devices Are the Next Security Nightmare. https://www.wired.com/2017/03/medical-devices-next-security-nightmare/ (2017). Accessed 18 Oct 2020.

54.

Storm D. MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks. https://www.computerworld.com/article/2932371/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html (2015). Accessed 15 Dec 2020.

55.

IBM Global Technology Services. IBM Security Services 2014 Cyber Security Intelligence Index. Somers, United States of America: IBM Corporation. http://i.crn.com/custom/IBMSecurityServices2014.PDF (2014). Accessed 8 Mar 2020.

56.

Infoguard Cyber Security. 5 industries that top the hit list of cyber criminals in 2017. https://www.infoguardsecurity.com/5-industries-top-hit-list-cyber-criminals-2017/ (2017). Accessed 15 Dec 2020.

57.

Hadnagy C. Social Engineering: the Science of Human Hacking. 2nd ed. Indianapolis: Wiley; 2018.CrossRef

58.

Hoffman S. Cybersecurity threats in healthcare organizations: exposing vulnerabilities in the healthcare information infrastructure. World Libraries. 2020;24(1)

59.

Furnell S, Shah JN. Home working and cyber security–an outbreak of unpreparedness? Comput Fraud Secur. 2020;2020(8):6–12.

60.

Hackett M. Number of cybersecurity attacks increases during COVID-19 crisis: Hackers are taking advantage of provider distraction to breach health systems. https://www.healthcarefinancenews.com/news/number-cybersecurity-attacks-increase-during-covid-19-crisis (2020). Accessed 16 Dec 2020.

61.

Shi F. Threat spotlight: coronavirus-related phishing. https://blog.barracuda.com/2020/03/26/threat-spotlight-coronavirus-related-phishing (2020). Accessed 19 May 2021.

62.

Sjouwerman S. Q1 2020 coronavirus-related phishing email attacks are up 600%. https://blog.knowbe4.com/q1-2020-coronavirus-related-phishing-email-attacks-are-up-600 (2020). Accessed 19 May 2021.

63.

Kumaran N, Lugani S. Protecting businesses against cyber threats during covid-19 and beyond. Retrieved from https://cloud.google.com/blog/products/identity-security/protecting-against-cyber-threats-during-covid-19-and-beyond (2020). Accessed 20 May 2021.

64.

Ronquillo JG, Winterholler JE, Cwikla K, Szymanski R, Levy C. Health IT, hacking, and cybersecurity: national trends in data breaches of protected health information. J Am Med Inf Assoc Open. 2018;1(1):15–9.

65.

Gibbs S. UK government PCs open to hackers as paid Windows XP support ends. Retrieved from https://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hackers-as-paid-windows-xp-support-ends (2015). Accessed 19 Dec 2020.

Title: The elephant in the room: cybersecurity in healthcare
Author: Anthony James Cartwright
Publication date: 24-04-2023
Publisher: Springer Netherlands
Published in: Journal of Clinical Monitoring and Computing / Issue 5/2023
Print ISSN: 1387-1307
Electronic ISSN: 1573-2614
DOI: https://doi.org/10.1007/s10877-023-01013-5

At a glance: The STEP trials

Springer Medicine

The elephant in the room: cybersecurity in healthcare

Abstract

At a glance: The STEP trials

Springer Medicine

Abstract

Please log in to get access to this content

Other articles of this Issue 5/2023

Echocardiographic hemodynamic assessment in decompensated cirrhosis: comparison between Intensivists and Gastroenterologists

Effects of tidal volume challenge on the reliability of plethysmography variability index in hepatobiliary and pancreatic surgeries: a prospective interventional study

Software development to standardize the clinical diagnosis of exercise oscillatory ventilation in heart failure

Evaluation of temperature-dependent fluctuations in skin microcirculation flow using a light-emitting diode based photoacoustic imaging device

Blood pressure control with phenylephrine or dobutamine: a randomized controlled trial comparing effects on cerebral and paravertebral tissue oxygen saturation measured with near-infrared spectroscopy

Linear thinking does not reflect the newer 21st-century anesthesia concepts. A narrative review