Combating Health-Related Cybersecurity Threats
What the Virtual World Can Learn from Public Health
Dr. Sebastian Kevany and Dr. Deon Canyon/Daniel K. Inouye Asia-Pacific Center for Security Studies
The cyberattacks on the Republic of Ireland’s health system in May 2021 clearly show how the realms of cybersecurity and public health overlap. Hackers used an encryption process to disable the health system, paralyzing services and putting lives at risk when surgeries and other essential services had to be postponed.
The Irish government had to weigh the tradeoff between paying ransom to the hacking group and risking the release of protected health information. A legal injunction against the use of the information, public anti-ransom statements, and a broader sense of public disgust and outrage together were effective tools against the hacking group, and the feared loss of private data or contamination of medical records was avoided.
The Irish experience reveals important global lessons: first, that health systems have to be protected by enhanced cybersecurity in the same way that banks and other key societal mechanisms do; second, health systems must be aware of the risks of increasingly relying on digital versus paper records; and third, many questions concerning the degree to which health information privacy can be maintained remain unanswered.
While cybersecurity and disinformation are distinct problems both in etiology and solution, internet regulation is a concept that embraces both issues. Likewise, the protection of personally identifiable information and protected health information are both virtual and tangible issues. Here, we attempt to draw these disparate and distinct concepts together in a framework that unites public health, health security and what might be termed cyber health.
The Contemporary Cyber Environment
Contemporary cyber insecurity and unregulated internet have been described as the modern Wild West — a domain in which conventional rules, mandates and laws, even when they can be applied, are almost impossible to enforce. The extremes of cyber freedom can be seen all around us — from verbal assaults and racism to enabling extremist positions on political and social issues, to the relative ease with which pharmaceuticals, pornography and other extreme or violent content can be accessed by any or all members of society with a web connection, regardless of age or educational level.
In turn, this collection of threats to society and public health presents a range of national and international security challenges. Currently, however, it seems highly unlikely that the transnational freedom of expression, trade and virtual movement that the internet represents will be controlled by any government or surveillance effort. In the absence of a national or supranational controlling body, the status quo looks set to continue: Even countries that enforce stricter national internet policies are inevitably exposed at the international level and circumnavigated by the global and nonconformist nature of cyberspace.
Yet nations need to balance cyber freedoms with health and security threats. Extreme cyber freedom can foster misinformation and even growth of extremist and terrorist organizations. However, censorship and internet controls create their own set of security and health threats, not least because they can advance the power and control of authoritarian regimes.
Many, if not all, of the above issues can be classified as global public health threats as well as security threats; virtually every crisis is accompanied by impacts on health. There may, therefore, be opportunities for a concerted public health response to cyber extremism as part of a broader national and international response to the issue.
The Unique Cyber Health Nexus
Health systems are particularly vulnerable to hacking, partly because of the sensitivity of the information and its potential ransom value. In 2020, the research organization Becker Health revealed that 82% of the United States hospitals surveyed experienced a cybersecurity incident in the past year, even though health care-related cyber incidents account for only 1.5% of data breaches. However, the average cost per breached record was U.S. $408, which is two to five times the cost in other industries.
Further, Verizon’s “2021 Data Breach Investigations Report” shows that 2.2% (655) of all reported incidents and 9% (472) of all reported data breaches worldwide occurred in the health care industry. Also, the origin of threat actors behind these attacks has shifted from 2019, when actors were predominantly internal, to a level of 61% external attacks. The motivation behind these attacks was described by perpetrators as 93% financial; 3% fun; 2% espionage; 1% grudge; and 1% convenience. Relatedly, cyberattack sophistication on health systems is also increasing, with hackers now able to modify medical records and even imaging scans in addition to stealing them.
There are three main causes of losses of confidential information in the cyber environment: malicious and criminal attacks account for 48% of all data breaches, followed by human error at 27%, and system errors at 25%. Cyber incidents in health care organizations also have a more pronounced impact on customers and patients, who are more likely to bring class-action lawsuits and take their business elsewhere than in other contexts.
In response, there can be significant costs to health care institutions as they face requirements to update software or replace entire networks. Of note in this context, some attacks, such as the 2017 WannaCry ransomware sponsored by North Korea, targeted medical devices as well as health services.
More specific motivations may drive future cyberattacks. Cyber assassinations are now theoretically possible as hackers could cut off airflow to a patient or ward, prevent patients from being moved to urgent surgery by disabling elevators, modify patient scans to initiate emergency surgery, or alter the function of lifesaving medical devices. Motivations behind terrorist or state-sponsored attacks would likely include market manipulation by targeting large health care organizations, and the theft of intellectual property.
Public Health and Cyber Health Parallels
During the COVID-19 pandemic in 2020, cyberattacks against health care-related organizations doubled, with 28% tied to ransomware. Phishing attacks were considered a high-risk threat, according to a 2021 CrowdStrike report on global threats, with tactics including: exploitation of individuals seeking information on disease tracking, testing and treatment; impersonation of medical agencies requesting information, including the World Health Organization (WHO) and the U.S. Centers for Disease Control and Prevention; and offers of financial assistance or government stimulus packages in exchange for private information.
As noted above, internet regulation is distinct from cybersecurity, and can also separately and distinctly contribute to misinformation in public health. Yet with the generalized failure of most internet regulation efforts, the internet has been used to amplify misinformation and disinformation in the public health realms, as most recently represented by vaccine conspiracy theories and associated pseudo-science. Even if it were enforceable, or means to regulate such malign activity could be devised, internet regulation is insufficient to address the problem.
In the public health and cyber realms, much of the nomenclature is the same: viruses, scans, bugs and other cybersecurity terms have all been appropriated from the medical arena. Similarly, cyber threats have much in common with infectious disease threats, often following the same cyclical arcs of acceleration and tapering, as seen in epidemics. Further, the global nature of cyber and public health considerations is now clear. There may, therefore, be much to learn from public health’s responses to epidemic infectious diseases and viruses to help with conceptualizing cyber threat responses.
A Solution From Within Public Health?
Public health campaigns have a history of success. Whether it is prevention messaging regarding HIV/AIDS; health education regarding sexually transmitted diseases, malaria or tuberculosis; or the declarations of primary health care accords such as Alma Ata, global health has been inestimably improved by the efforts of organizations such as the WHO; the World Bank; the United Nations program on AIDS; the Global Fund to Fight AIDS, Tuberculosis and Malaria; and bilateral initiatives, such as the U.S. President’s Emergency Plan for AIDS Relief.
Integrating cyber awareness messages into public health campaigns, and vice versa, may therefore be a meaningful way of educating the public about the perils and disinformation readily available in cyberspace. Related policy recommendations might include:
Health campaigns for HIV/AIDS and other infectious diseases could be expanded to include warnings about online disinformation regarding treatment and prevention. Such indirect approaches may result in improved health and cyber awareness in many developing countries, with citizens being encouraged, in health as in other realms, not to trust everything they read online.
There may be scope for more direct involvement by the WHO and other U.N. organizations to combat general misinformation in cyberspace. This might include policies and messaging campaigns that warn against internet “facts” and “fake news” in such realms as extremism and terrorism, or in regard to public mental or physical health.
The primacy of internet privacy should be reviewed when balanced against the functioning of health systems, ransom requests and hacking threats. The reality that we all, daily, trade personal privacy for the many instant benefits of internet use may mean that personal data privacy can no longer be held sacrosanct. Likewise, a reduced emphasis on data privacy will have significant potential benefits in preventing and containing future epidemics through ease in data sharing and tracking vectors in real time.
Many of the apps, organizations and companies that allow for untraceable hacking are based in the U.S. and Europe. Some of these, such as the Tor Onion Project, allow hackers to operate freely and anonymously during ransom efforts. Though these apps are framed as ways of allowing free and anonymous communication by dissident journalists and other noble causes via the internet, they also facilitate many dark web activities such as ransom, hacking, and human and arms trading. It may be necessary to review policies that allow for such criminal activities.
Technology-based solutions to cybersecurity issues are now essential. These include administrative, physical and technical protection of sensitive personal and health information and tighter national and international internet regulation to address internet-based misinformation.
Leadership's treatment of cybersecurity as an information technology problem in health care must change. Cybersecurity has rapidly become a patient-care threat that requires an enterprise risk management approach.
Controlling rampant cyber threats will take time — but with a multisector response employing the resources of all relevant organizations, progress can be made in bringing both a thrilling and a dark era of extreme cyber liberty to a close. We have learned that threats to personal health are taken seriously when presented by senior national and international health officials: there is no reason why the same set of principles should not be applied to the expanding cybersecurity threat and its nexus with global health.
This article originally was published in the July 2021 edition of the Daniel K. Inouye Asia-Pacific Center for Security Studies’ online journal Security Nexus. It has been edited to fit FORUM’s format.