Health Security

Volume 18, Number 3, 2020 ª Mary Ann Liebert, Inc.

DOI: 10.1089/hs.2019.0123

Healthcare Challenges in the Era of Cybersecurity

Jeff Tully, Jordan Selzer, James P. Phillips, Patrick O’Connor, and Christian Dameff

As a result of the extensive integration of technology into the healthcare system, cybersecurity incidents have become an
Downloaded by 49.36.233.194 from www.liebertpub.com at 02/28/22. For personal use only.

increasing challenge for the healthcare industry. Recent examples include WannaCry, a nontargeted ransomware attack
on more than 150 countries worldwide that temporarily crippled parts of the National Health Service in the United
Kingdom, and the 2016 ransomware attack on Los Angeles’s Hollywood Presbyterian Medical Center. The attacks cost
millions of dollars in lost revenue and fines, as well as significant reputational damage. Efforts are needed to devise tools
that allow experts to more accurately quantify the actual impact of such events on both individual patients and healthcare
systems as a whole. While the United States has robust disaster preparedness and response systems integrated throughout
the healthcare and government sectors, the rapidly evolving cybersecurity threat against healthcare entities is outpacing
existing countermeasures and challenges in the ‘‘all-hazards’’ disaster preparedness paradigm. Further epidemiologic
research of clinical cybersecurity attacks and their effects on patient care and clinical outcomes is necessary to prevent and
mitigate future attacks.

Keywords: Cybersecurity, Electronic health records, Public health preparedness/response

P revention, mitigation, response, emergency man-

agement, and recovery from disasters are critical re-
sponsibilities in the public health domain. For well over a
century, US federal, state, and local governments have led
preparedness and response efforts to natural and manmade
disasters through policy and asset management. As most
disasters typically include human injury and death, the
evolution of the formal discipline of disaster medicine came
about simultaneously. No other event in modern history
has spurred advances in disaster medicine and public health
policy more than the attacks on September 11, 2001.1,2
Concurrently, over the past 30 years, the expansive inte-
gration of new technology in healthcare has changed the
face of medicine. Modern medical care now relies on
healthcare delivery organizations, including hospitals and
clinics, that are built on a backbone of connected com-
puter-based infrastructure, as well as the use of patient-
facing networked technology such as implantable medical
devices. Additionally, clinicians rely on electronic medical
records, computer-controlled bedside infusion pumps, so-
phisticated medical imaging platforms, and a myriad of
other tools to provide the current standard of care.
While conventional disaster medicine and related policy
efforts largely focus on responding to natural disasters,

Jeff Tully, MD, is a Senior Resident, Department of Anesthesiology and Pain Medicine, UC Davis Medical Center, Sacramento, CA.
Jordan Selzer, MD, is a Research Instructor and Fellow, and James P. Phillips, MD, is an Assistant Professor and Chief; both in the
Section of Disaster and Operational Medicine, Department of Emergency Medicine, George Washington University School of
Medicine and Health Sciences, Washington, DC. Dr. Phillips is also a Senior Fellow, Center for Cyber and Homeland Security,
Auburn University, Auburn, AL. Patrick O’Connor, MD, is a Resident Physician, Department of Neurology, University of Utah, Salt
Lake City, UT. Christian Dameff, MD, is an Assistant Professor, Departments of Emergency Medicine, Biomedical Informatics, and
Computer Science and Engineering, University of California San Diego, San Diego, CA.

228

epidemic outbreaks of disease, and mass casualty or terrorist
attacks, the ever-increasing dependence on technology
in the healthcare system presents a new and important
challenge to clinicians, public health experts, and policy-
makers. Interestingly, the technological advances that have
improved medical disaster response and patient care are
increasingly at risk of being exploited and themselves
becoming the cause of a new type of disaster.
Cybersecurity refers to the protection of computer-based
technology from deliberate or inadvertent disruption via
manipulation of underlying software, hardware, or net-
worked connections. Although this discipline and its prac-
tices have received substantial attention in the technology,
financial, industrial infrastructure, and national security
sectors, a 2017 report commissioned by the Department
of Health and Human Services (HHS) found that
‘‘healthcare cybersecurity is in critical condition.’’3 The
report cited as challenges of particularly grave concern: (1) a
Downloaded by 49.36.233.194 from www.liebertpub.com at 02/28/22. For personal use only.
significant shortage of information security professionals,
(2) the ubiquitous use of outdated legacy equipment, (3)
over-connected technologies, and (4) the profligate pres-
ence of software vulnerabilities in commonly used devices.
Recent Examples of Cyber Disasters
A dramatic example of the public health threat posed by
cybersecurity vulnerabilities occurred on May 12, 2017,
with the release and rapid spread of the WannaCry software
virus. An example of a subset of malicious malware viruses
known as ransomware, WannaCry infected exposed com-
puters by taking advantage of a software vulnerability in
older versions of the Windows operating system. The virus
then encrypted the information already stored on the
computer, rendering the data inaccessible to its owner
unless a ransom was paid in the form of anonymous elec-
tronic cryptocurrency.
The ransomware ultimately invaded hundreds of thou-
sands of computers in more than 150 countries. Arguably,
however, WannaCry’s most profound impact occurred
when systems of Britain’s National Health Service (NHS)
were infected. The result was disruption to the normal
operations of more than 80 individual hospitals for 4 days.
Tens of thousands of scheduled surgeries and clinical
appointments between May 12 and May 19 had to be
cancelled; complex medical equipment such as magnetic
resonance imaging machines were temporarily disabled;
and in several areas, ambulances had to be diverted to un-
affected hospitals, resulting in delays in patient care.4 At the
time, the NHS did not routinely collect specific data that
would allow the resultant healthcare impact to be measured
(ie, disease-specific morbidity and mortality, number of
diversions); therefore, an accurate account of the full extent
of the public health impact is not available.5 Recently,
Ghafur et al attempted to quantify the medical impact of
WannaCry using overall mortality data and cancelled ap-
Volume 18, Number 3, 2020
TULLY ET AL
pointments.6 There was no overall increase in mortality;
however, given prior research showing nontrivial mortality
impacts as a result of delays for road closures during mar-
athons, it seems likely that there were significant unseen
impacts.6,7 From a financial standpoint, however, the NHS
unambiguously estimates the costs associated with the
WannaCry attack to be at least £92 million (US$115
million).8
Although healthcare computer systems in the United
States largely escaped infection from WannaCry, several
institutions have been affected by other ransomware at-
tacks. Most notably, a ransomware cyberattack occurred
in 2016 at Hollywood Presbyterian Hospital in California
with similar adverse outcomes.9 In contrast to the
WannaCry attack, however, Presbyterian Hospital chose
not to notify law enforcement when the hack occurred.
Instead, the hospital’s information was held hostage for
10 days until it ultimately paid $17,000 in bitcoin ransom
to the criminal perpetrators.10,11 The full financial and
reputational impact of this event has not been evaluated,
but other information security breaches have cost hospitals
as much as $7 million in fines, litigation, and reputational
damage.12 A significant increase in attempted attacks using
the same ransomware was also seen in nearby Palo Alto
shortly after the Presbyterian attack.10
To date, little peer-reviewed information has been
published regarding the public health implications of
ransomware attacks and similar cybersecurity incidents.
The impact on patient clinical outcomes as a result of care
delays because of ambulance diversion away from affected
emergency departments has not been accurately measured.
However, other studies on similar care delays indicate
that detrimental effects on patients likely occurred. Road
closures during marathons have demonstrated nontrivial
impacts on the response of time-critical conditions such as
cardiac arrest.13
In addition to the health impacts associated with delays
due to transportation issues, breaches of a hospital’s stores
of protected health information negatively affect patient
outcomes. While breaches of protected health information
may not directly disrupt or disable the normal healthcare
delivery functions, they have been shown to be associated
with 30-day increases in mortality from acute myocardial
infarction. The correlation is hypothesized to be related to
the need to divert organizational resources to mitigating
cybersecurity vulnerabilities and paying associated penalties
and potentially away from direct patient care services or
processes.14
Cyber Disaster Preparedness
and Response
Disaster and emergency response infrastructure in the
United States is complex and multilayered. Federal man-
agement and direction of public health preparedness and
229
 HEALTHCARE CHALLENGES AND CYBERSECURITY
response efforts include the Departments of Defense, Ve-
teran’s Affairs, Homeland Security, and Health and Hu-
man Services. Important agencies within the departments
include, but are not limited to, the Federal Emergency
Management Agency, the Centers for Disease Control and
Prevention, the Food and Drug Administration, and the
Office of the Assistant Secretary for Preparedness and Re-
sponse. A multitude of public and private partnerships and
information sharing organizations complement these ef-
forts, some of which have produced guidance on healthcare
cybersecurity-related best practices.15 In 2018, the National
Institute for Standards and Technology released the ‘‘Fra-
mework for Improving Critical Infrastructure Cybersecur-
ity,’’ now purported to be the most widely used framework
in healthcare.16
In parallel to the federal agencies, governments at the
state level typically include an amalgamation of depart-
ments, agencies, and organizations that share over-
Downloaded by 49.36.233.194 from www.liebertpub.com at 02/28/22. For personal use only.
lapping jurisdictions and responsibilities for disaster
preparedness and response. Tribal governments, local
municipalities, county and regional authorities, and in-
dependent associations have additional roles in the di-
saster response and public health ecosystems and must
coordinate with state and federal government agencies
when disaster situations overwhelm existing resources.
While comprehensive surveys and studies have not been
performed on the independent roles of such organiza-
tions, in the context of cyber disasters, these organiza-
tions may serve as key networks for information sharing
and response coordination.
Lastly, individual healthcare organizations are not stand-
ing by idly; many have taken active steps to protect them-
selves. Commonly, the focus is on end-user security, such
as restricting website access, increasing the complexity of
password access and frequency of password changes, and
limiting outside device access to the network. In addition,
structural measures such as network segmentation and
regular software patching are widely used to increase
cybersecurity.
Current Regulations
The most prominent regulation concerning public health
cybersecurity preparedness arises from the HHS Centers
for Medicare and Medicaid Services (CMS). Under its
‘‘Conditions of Participation’’ for hospitals exists a re-
quirement that facilities ‘‘develop, implement, and main-
tain an effective antiviral computer software program to
prevent malware viruses from an unauthorized cyber-
attack.’’18 While a regularly updated antivirus platform is
a foundational element of a strong cybersecurity posture,
updates eventually become a challenge due to outdated
legacy equipment and operating systems. The WannaCry
ransomware virus is an example of a previously unknown
software exploitation that a vast majority of unsupported or
230
outdated systems’ antivirus platforms were unable to detect
or prevent, despite the active software in place.5
The Health Insurance Portability and Accountability Act
(HIPAA) has also addressed cyber security in several ways.
There is a strict reporting requirement for any incident
involving the breach of protected health information, par-
ticularly any event resulting in the exposure of more than
500 individuals’ data. However, other than this reporting
requirement, HIPAA’s guidance for hospitals on how to
actually implement measures to mitigate and prevent
such exposures is vague and widely open to interpretation:
requiring ‘‘administrative, physical and technical safeguards
to ensure the confidentiality, integrity, and security of
electronic protected health information.’’19
CMS and HIPAA regulations also require the appointment
of an emergency manager at each participating institution
who will oversee the development of unique organizational
emergency preparedness and disaster recovery plans. Re-
sources for the development of cybersecurity-specific plans are
outnumbered by materials guiding against natural disasters,
disease epidemics, and mass casualty events. Additionally, the
shortage of qualified cybersecurity personnel as identified by
the Health and Human Services Task Force presents a barrier
to the universal implementation of such programs.20
Conclusions
Public policy enacted to reduce the impacts of disasters
have not adequately addressed the threats that arise from
the growing dependence American healthcare has on
connected technology. Limited resources, a complex and
evolving organizational hierarchy, immature regulation,
and a relatively unfamiliar threat model without a signifi-
cant foundation of evidence-based research all combine
to present a challenge for the individual healthcare delivery
organization or public health system preparing for a cy-
bersecurity-related incident. Additionally, appropriate tools
to capture and attribute the true medical impacts of these
events are still lacking.
The current legal and regulatory landscape, including
HIPAA and CMS regulations, provide a needed founda-
tion, but recent incidents have demonstrated the impor-
tance of a more robust and evidence-based framework
to combat healthcare cybercrime. Suggestions for future
regulations to improve safety include improved event re-
porting and information sharing, improved tools for in-
vestigation and prosecution of cybercrimes, and federal
training and response to cybersecurity events in ways sim-
ilar to other disasters.
The advances in disaster planning and management for
conventional public health emergencies provide a roadmap
for improving readiness in the cybersecurity arena. Ad-
ditionally, prevention and risk reduction through various
strategies, including end-user education, regular patching,
and discontinued use of unsupported software and devices,
Health Security

are essential to improving healthcare cybersecurity. Thus,
cybersecurity improvements will ultimately improve the
health of patients. Further research should address the
epidemiology of clinical cybersecurity incidents and char-
acterize the effect they have on patient care capabilities and
subsequent clinical outcomes. Best practices should be de-
veloped not only by information security professionals, but
by multidisciplinary groups including clinicians, health
system administrators, and policymakers.
References
1. Goudsblom J. Public health and the civilizing process.
Milbank Q. 1986;64(2):161-188.
2. Noji EK, Toole MJ. The historical development of public
health responses to disasters. Disasters. 1997;21(4):366-376.
3. Healthcare Industry Cybersecurity Task Force. Report on
Downloaded by 49.36.233.194 from www.liebertpub.com at 02/28/22. For personal use only.
Improving Cybersecurity in the Healthcare Industry. June
2017. Accessed September 29, 2019. https://www.phe.gov/
Preparedness/planning/CyberTF/Documents/report2017.pdf
4. National Audit Office. Department of Health. Report by the
Comptroller and Auditor General. Investigation: WannaCry
Cyber Attack and the NHS. April 25, 2018. Accessed May 27,
2020. https://www.nao.org.uk/wp-content/uploads/2017/
10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf
5. Smart W. Lessons Learned: Review of the WannaCry
Ransomware Cyber Attack. Department of Health & Social
Care. February 2018. Accessed May 27, 2020. https://www
.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-
review-wannacry-ransomware-cyber-attack-cio-review.pdf
6. Ghafur S, Kristensen S, Honeyford K, Martin G, Darzi A,
Aylin P. A retrospective impact analysis of the WannaCry
cyberattack on the NHS. NPJ Digit Med. 2019;2:98.
7. Choi SJ, Johnson ME. Do hospital data breaches reduce
patient care quality? arXiv.org. Submitted April 3, 2019.
Accessed May 27, 2020. http://arxiv.org/abs/1904.02058
8. Cyber Security Policy. Securing Cyber Resilience in Health
and Care: Progress Update 2018. London: Department of
Health & Social Care; 2018. Accessed May 27, 2020.
https://assets.publishing.service.gov.uk/government/uploads/
system/uploads/attachment_data/file/747464/securing-cyber-
resilience-in-health-and-care-september-2018-update.pdf
9. Winton R. Hollywood hospital pays $17,000 in bitcoin to
hackers; FBI investigating. Los Angeles Times. February 18,
2016. Accessed May 27, 2020. https://www.latimes.com/
business/technology/la-me-ln-hollywood-hospital-bitcoin-201
60217-story.html
10. Ransomware case studies: Hollywood Presbyterian and the
Ottawa Hospital. Infosec Resources website. Accessed May
27, 2020. https://resources.infosecinstitute.com/category/
healthcare-information-security/healthcare-attack-statistics-and-
case-studies/ransomware-case-studies-hollywood-presbyterian-
and-the-ottawa-hospital/
Volume 18, Number 3, 2020
TULLY ET AL
11. Dobuzinskis A, Finkle J. California hospital makes rare ad-
mission of hack, ransom payment. Reuters. February 18,
2016. Accessed December 13, 2019. https://www.reuters.com/
article/us-california-hospital-cyberattack-idUSKCN0VS05M
12. Jalali MS, Kaiser JP. Cybersecurity in hospitals: a systematic,
organizational perspective. J Med Internet Res. 2018;20(5):
e10059.
13. Jena AB, Mann NC, Wedlund LN, Olenski A. Delays in
emergency care and mortality during major U.S. marathons.
N Engl J Med. 2017;376(15):1441-1450.
14. Choi S, Johnson ME. Do hospital data breaches reduce pa-
tient care quality? Paper presented at: 14th Workshop on the
Economics of Information Security; June 2017; La Jolla, CA.
15. US Department of Health and Human Services. Health
Industry Cybersecurity Practices: Managing Threats and Pro-
tecting Patients. Accessed May 27, 2020. https://www.phe.
gov/Preparedness/planning/405d/Documents/HICP-Main-
508.pdf
16. HIMSS North America. 2018 HIMSS Cybersecurity Survey.
Chicago: HIMSS; 2018. Accessed May 27, 2020. https://
www.himss.org/sites/hde/files/d7/u132196/2018_HIMSS_
Cybersecurity_Survey_Final_Report.pdf
17. Arizona Department of Health Services (ADHS). Public
health emergency preparedness. ADHS website. Accessed
May 27, 2020. https://www.azdhs.gov/preparedness/emergency-
preparedness/index.php
18. Centers for Medicare & Medicaid Services (CMS). Medicare
Business Partners System Security Manual. Baltimore, MD:
CMS; 2017. Accessed June 9, 2020. https://www.cms.gov/
Research-Statistics-Data-and-Systems/CMS-Information-Tech
nology/InformationSecurity/Info-Security-Library-Items/CMS
1223332
19. Security Standards: Administrative Safeguards. HIPAA Se-
curity Series. 2007;2:2. Accessed May 27, 2020. https://www.
hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/
securityrule/adminsafeguards.pdf
20. Davis J. HHS task force says healthcare cybersecurity in ‘‘crit-
ical condition.’’ Healthcare IT News. June 5, 2017. Accessed
May 27, 2020. https://www.healthcareitnews.com/news/hhs-
task-force-says-healthcare-cybersecurity-critical-condition
Manuscript received October 14, 2019;
revision returned January 31, 2020;
accepted for publication March 30, 2020.
Address correspondence to:
Jordan Selzer, MD
George Washington University Medical School
Department of Emergency Medicine
Division of Disaster and Operational Medicine
2120 L Street, NW, Suite 450
Washington, DC 20037
Email: jselzer@mfa.gwu.edu
231
 This article has been cited by:

1. Santosh Kumar Sahu, Durga Prasad Mohapatra, Jitendra Kumar Rout, Kshira Sagar Sahoo, Ashish Kr. Luhach. 2021. An
Ensemble-Based Scalable Approach for Intrusion Detection Using Big Data Framework. Big Data 9:4, 303-321. [Abstract] [Full
Text] [PDF] [PDF Plus] [Supplementary Material]
Downloaded by 49.36.233.194 from www.liebertpub.com at 02/28/22. For personal use only.