As it becomes more clear every day that patient safety is at risk when it comes to cyberattacks, it also becomes more apparent that ethics must be introduced into cybersecurity considerations by healthcare provider organizations.
Consider an instance of malware affecting a networked device critical to a patient’s life, with indications that the malware may be spreading. Should a CISO and CIO take the device off the network, safeguarding other patients on the network but potentially endangering the patient on that particular device?
Christopher Frenz, assistant vice president of IT security at Mount Sinai South Nassau in Oceanside, New York, says that this is something hospitals should begin to think about even if it’s a difficult conversation to have.
Healthcare IT News had this conversation with Frenz in an interview. Here he discusses bringing medical ethics into the cybersecurity conversation, ethical and security questions that are fraught with peril, who should start ethics conversations in hospitals and how they should begin.
Q. Cybersecurity is becoming increasingly important to patient safety, and cyberattacks can lead to adverse patient outcomes. You told me that it will become increasingly vital at some point that medical ethics become intertwined with healthcare cybersecurity and incident response. Please elaborate.
A. In a modern hospital environment, in which EHRs, medical devices and other systems that are critical to patient care all are connected to a network, it is imperative that cybersecurity be considered as a key component of patient safety.
The scourge of ransomware attacks on hospitals has demonstrated time and time again that clinical systems can be impacted by cyber threats and that a successful cyberattack can make clinical systems unavailable. While hospitals can often fall back to paper and implement other downtime procedures, it is important to remember that key systems becoming unavailable can lead to delays in patient care and that any delay in patient care can lead to an increased chance of an adverse health outcome.
This was soberingly illustrated in September 2020 when a ransomware attack on a hospital in Dusseldorf, Germany, caused the need for diversion of an ambulance, and the resultant delay contributed to the death of the patient.
Moreover, it is not just cyberattacks that can lead to availability issues that can adversely impact patient care, but even the process of responding to a cyber incident can cause a similar impact.
Take, for example, the common incident response practice of disconnecting devices from the network in order to keep a threat from spreading and then consider the potential for patient care impacts. Disconnecting the central station used to collect telemetry monitor data, for instance, will likely require a change in nursing workflows and perhaps even staff augmentation as more frequent rounding or one-to-one monitoring may now be needed.
A CT machine in an emergency room context needing to be powered off may cause the emergency room to need to go on diversion for stroke patients. There are clinical repercussions that have to be factored into the incident response process.
Clinical considerations and decision-making need to be a key component in both helping to lay out security strategies for keeping patients safe, as well as in ensuring the incident response processes are done in a way that balances the needs to effectively contain an incident with the organization’s need to keep patient safety a priority.
On the strategy side, improved clinical understanding can help you determine that you should prioritize securing the CT machines over the wireless blood pressure cuffs because in the context of your hospital and patient population, one is more critical to patient care than the other.
On the incident response side, clinical insight will help to make informed decisions about if, how and when devices should be disconnected from patients and networks. While pulling the plug on a desktop PC may be an acceptable way to deal with an incident, the same cannot be said for a respirator with a patient hooked to it.
Medical ethics is a means of analyzing a clinical problem against a set of values to determine what the best course of action will be. Cybersecurity is now a clinical problem, and healthcare leaders need to begin to integrate this analysis process into how cybersecurity is viewed and approached.
We need to be making clinical-informed security decisions about how we prioritize and defend resources on our networks as well as how we plan for and actually respond to incidents.
Q. Suppose you have malware that is impacting a life-critical device in a negative way, and that this device requires network connectivity in order to function. You see signs of the malware attempting to spread and infect other similar devices. Tell me what you would do in this situation. Do you disconnect the device from the network, potentially risking a patient’s life to keep other patients from being adversely impacted by the malware?
A. Fortunately, I am not yet aware of any hospitals that have yet had to face a decision like this, but the WannaCry ransomware attacks back in 2017 clearly showed that cyberattacks have the potential to impact the functionality of medical devices as medical devices in hospitals around the world ended up encrypted and nonfunctional.
The fact that an attack like this has not happened yet does not mean that it is something that we should not be thinking about. When medical devices and other systems critical to patient care are the subject of a cyberattack, clinical leadership needs to be involved in the incident response process as soon as possible.
How to respond to an issue like this is going to depend on numerous factors, such as: One, how safe is it to disconnect the patient from the device? Two, how safe is it to disconnect the device from the network? Three, are there alternative ways the patient’s needs can be met. Four, what are the potential impacts to the other patients? And five, are there compensating controls that can be used to mitigate any of these risks?
Medical device incident response plans are not going to be one size fits all and I would recommend that organizations consider developing different incident response plans for different classes of medical devices.
Incident response always is somewhat chaotic, but taking the time to develop incident response plans and testing them with tabletop exercises and attack simulations is a great way to refine your responses and ensure that you are best able to contain the incident and maintain patient safety.
The answers to questions like the one you posed are not easy and do not have clear-cut answers, which is exactly why we need to be asking these questions now and thinking about the criteria needed to properly answer these questions.
We need responses to cyberattacks that put life and safety first and foremost. Waiting for the chaos of the moment when an attack hits to try to solve these problems is not a good solution.
We should be thinking right now about what devices and systems in our organization leave us most vulnerable, in not just a pure cybersecurity sense, but in a patient safety sense as well, as this will help to guide our security priorities. We also need to begin to develop plans for how we would work to keep our patients safe in the event that these systems were to become compromised.
Q. More and more medical devices are becoming network-enabled, and attacks on hospitals are still rising. You told me that cybersecurity and ethics are things that hospitals should begin to think about, even if it’s a difficult conversation to have. How should hospitals start these conversations, and who should start them?
A. Being able to apply medical ethics to healthcare cybersecurity is a way of ensuring that cybersecurity decisions are made with promoting patient safety and improved patient outcomes as considerations.
Much of a security leader’s responsibility centers on the mitigation of risk. As healthcare security leaders, we need to ensure that patient safety is a part of that risk equation. Making clinically informed decisions can help us to ensure that we are focusing on protecting the systems that are most critical to actual patient care and that our responses are optimized for keeping patients safe.
For organizations that have not yet started to have conversations around issues like this, I think it is important to keep in mind that a part of the role of any CISO is to be an educator and that raising awareness with other healthcare leaders about the increasingly intertwined relationship between cybersecurity and patient safety is a key first step.
A very effective means of raising awareness and gaining buy-in from clinical leaders for such initiatives can often be to develop and walk through a tabletop-exercise scenario that forces participants to make several crucial patient-care decisions as the exercise unfolds.
An exercise like this can make a lot of the patient-safety impacts less abstract, and can work really well to illustrate that a cyberattack on a hospital is much more than just an IT problem. Tabletops are a great way to get debates around these issues started and to begin to identify ways in which improvements in both organizational preparedness and incident response can be made.