As online threats of various sorts, from malicious hacking to holding data hostage, continue to grow and evolve, the enhancement of cybersecurity has become critical – for industry, healthcare providers, regulators, and policymakers. Thanks to the $1.7 trillion omnibus appropriations bill passed by Congress and signed into law by President Biden late last year, additional cybersecurity requirements will become a key focus for a less obvious sector: medical device manufacturers.
As part of the omnibus bill, Congress authorized the FDA to establish cybersecurity requirements for manufacturers of internet-connected medical devices. This is critical to strengthening the cybersecurity of America's health care system, particularly given the important role these medical devices play in both ensuring the health and wellbeing of their users and collecting and storing highly sensitive patient data. However, it should be viewed as only the first step.
Although Congress and the FDA are right to hold medical device manufacturers to these new standards, there is still more that must be done by practitioners and hospitals in order to protect patient data and prevent bad actors from threatening the security of our healthcare system. But to do that, they will need additional resources from the federal government.
Cybersecurity must be a shared responsibility. Hackers can exploit vulnerabilities at many levels of the healthcare ecosystem, and for a variety of reasons, from institutional neglect and insufficient funding to a lack of cybersecurity expertise, large swaths of our healthcare system are at risk of cyber-attacks and other threats.
One of the common ways hackers target hospitals and healthcare systems is with ransomware delivered through phishing emails. From 2021 to 2022, ransomware attacks on health care organizations in the United States increased by a staggering 94 percent, according to a report by cybersecurity firm Sophos. Because so many hospitals nationwide operate on razor-thin margins, particularly in the wake of the COVID pandemic's economic toll, many facilities rely on older, legacy equipment, including servers and operating systems that no longer receive security updates and are therefore more vulnerable to such attacks.
These kinds of ransomware attacks, 90 percent of which are preventable when organizations follow basic security and risk-management measures, can wreak havoc on hospitals, putting patients and providers at risk. In one of the more egregious examples of this, an employee at the University of Vermont Medical Center opened a file emailed to her from her homeowners' association, which itself had been targeted by hackers. As a result of this one action, the entire University of Vermont Health Network was forced to cancel surgical operations, reschedule mammogram appointments, and even delay treatments for cancer patients.
Such incidents underscore the need for hospitals and healthcare providers to enhance cybersecurity efforts across the board. According to Josh Corman, head of the Cybersecurity and Infrastructure Security Agency (CISA) COVID-19 task force: "Hospitals' systems were already fragile before the pandemic. Then the ransomware attacks became more varied, more aggressive, and with higher payment demands."
One of the ways many hospitals are working to strengthen their resistance to ransomware attacks is through the "3-2-1 backup approach" recommended by CISA. Essentially, this entails keeping three copies of critical patient or other health care-related data, storing them on at least two different types of media, and keeping one copy offline or off-site where ransomware that has compromised the live network cannot reach it. The offline copy is only useful if it can actually be restored, so backups should also be tested regularly.
In addition, dividing networks into smaller sections through segmentation can decrease the odds of a ransomware attack compromising an entire system: it limits how far an infection can spread laterally from the segment where it started, and it allows network administrators to isolate and quarantine the specific segments that have been compromised while the rest of the network keeps operating.
The Health Sector Coordinating Council, a public-private partnership, and the U.S. Department of Health and Human Services have outlined the five most relevant cyber threats to hospitals and health systems as well as 10 cybersecurity practices to address and mitigate them. Although this guidance is welcome and helpful, many cash-strapped hospitals are struggling to maintain even a minimum level of protection. As a report by the HHS Office of Inspector General points out, hospitals need additional support and incentives to implement cybersecurity solutions, including funding to train staff.
While the omnibus funding bill passed last year made a good start with cybersecurity standards for internet-connected medical devices, that is only one tiny piece of the puzzle. In order to better protect patient data and the integrity of our entire healthcare system, Congress must now provide direction and funding for more comprehensive cybersecurity.
Henry I. Miller, a physician and molecular biologist, is the Glenn Swogger Distinguished Fellow at the American Council on Science and Health. He was the founding director of the FDA's Office of Biotechnology. Find his articles at henrymillermd.org.