This past week, we saw a new development in healthcare cybersecurity that, sadly, has been on the cusp of happening for some time as ransomware and other cyberattacks continue to wreak havoc with the safe and effective delivery of patient care.
A lawsuit has been filed against an Alabama hospital alleging that the medical team’s inability to access critical fetal monitoring data and devices during a 2019 ransomware attack led to a baby’s death.
Under multiple causes of action cited, the lawsuit asserts departures from “the accepted standard of care” by wantonly or negligently:
“…failing to have adequate rules, policies, procedures, and/or standards related to cyberattacks, including, but not limited to, specific standards associated with disclosure to the public, disclosure to physicians, appropriate assessment and risk analysis, training of hospital personnel, identification of potential hazards, and/or taking action regarding patients who are at risk when hospital electronic systems are not operational.” [emphasis added]
Whether the plaintiff prevails, and whether the incident constitutes malpractice, will be determined in due course. It’s not my intent to issue judgment here.
Patient safety is a theme in the lawsuit, and in one specific count it is asserted “[t]hat the cyberattack on the hospital’s computer and network systems implicated, and placed at risk, patient safety.” Regardless of the lawsuit’s ultimate outcome, healthcare providers must acknowledge that cybersecurity is a patient safety issue and make the necessary investments to ensure the confidentiality, integrity, and availability of all data, systems, and devices that create, receive, maintain, or transmit patient data.
This lawsuit happens to be about a serious compromise of availability of all three – critical data, systems, and devices – potentially contributing to this devastating death.
Too many hospitals hit with ransomware try to hobble through these attacks, resorting to paper and pen, and other manual processes, not realizing the impact of clinicians not being able to quickly access critical and timely information contained in electronic health records, monitoring devices, and all other important systems.
Organizations that hobble have typically failed to perform two critical activities that get right to the heart of understanding impact. First, organizations need to conduct a business impact assessment (BIA) to prioritize clinical processes and the underlying data, systems, and devices that enable each clinical process. The BIA is a key input into the second action they must take: a rigorous risk analysis of all those data, systems, and devices that considers every reasonably anticipated threat to those assets and every reasonably anticipated vulnerability in the safeguards protecting them.
Protecting information assets is not done in a one-size-fits-all or controls-checklist manner as some might suggest. Absolutely and ultimately, the right set of controls or safeguards must be implemented. Choosing the right administrative, physical, and technical safeguards must be based on the organization identifying and prioritizing its unique risks, setting its own risk appetite, and making reasonable and appropriate risk treatment decisions.
A most natural and common outcome of conducting business impact assessments and risk analyses is the development of a business continuity plan. Good business continuity plans provide resilience and minimize hobbling during attacks. No new healthcare initiatives involving data, systems, and devices should be approved without assurance that these basic business hygiene steps are undertaken.
In addition to conducting business impact assessments and risk analyses and developing business continuity plans as soon as possible, healthcare sector entities should promptly assemble their C-suite and board and decide that enterprise cyber risk management is not “an IT problem” and not “a CISO or CIO problem.” It is an enterprise risk management issue. Let this tragic case be a call to arms.
Such events as the death of a baby have consequences that extend even to personal liability for C-suite executives and board members because of their duty of care and fiduciary responsibilities. I have been anticipating a cyber-driven medical malpractice lawsuit for years, I’m sad to say.
Right around the corner, I predict derivative lawsuits filed against healthcare C-suite executives and board members for failure to exercise reasonable diligence and their duty of care. We’ve already seen cyber-driven derivative lawsuits in the Target, Equifax, and Yahoo cases. Now that lives are at stake, expect them to follow in healthcare.
The discussion should not be limited to the potential devastating effects of a ransomware attack. Equally devastating outcomes can occur with a compromise of integrity of healthcare data, systems, and devices. Think of an attacker dialing up the morphine dosage on a patient’s wireless IV infusion pump in post-surgery recovery OR an attacker changing a patient’s blood type in the EHR system the evening before surgery OR an attacker removing cancerous nodules from a CT scan image resulting in a misdiagnosis and missed treatment.
And let’s not forget that external adversarial attacks are only one category of threats to healthcare data, systems, and devices. There are accidental threats, structural threats, and environmental threats that can result in equally devastating outcomes. Medical errors are usually cited as the third or fourth leading cause of unnecessary deaths in the U.S. annually. We should be asking the question: Without appropriate and concomitant attention to cyber risk management, has the digitization of healthcare accelerated or decelerated the rate of medical errors?
In any case, healthcare organizations must conduct rigorous, enterprisewide risk analyses on all their information assets to identify and prioritize their risks due to all reasonably anticipated adversarial, accidental, structural, and environmental threats. As we are now beginning to see, taking this critical action may very well be a matter of life and death.
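To make the BIA-then-risk-analysis sequence concrete, here is an added example (mine, not the author’s, and not a standard or tool the post references) of a minimal risk register. The BIA supplies, per asset, a criticality rating, a recovery time objective (RTO) and how long a paper-and-pen fallback can safely substitute; the risk analysis supplies a likelihood and a safeguard-weakness rating for each of the four threat categories the post names (adversarial, accidental, structural, environmental). The score formula, the 1–5 scales and every asset, number and name below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The four threat categories the post lists; the scales and weights are constructed.
THREAT_CATEGORIES = ("adversarial", "accidental", "structural", "environmental")


@dataclass
class Asset:
    name: str
    clinical_process: str           # the process this asset enables (BIA)
    criticality: int                # BIA rating: 1 (administrative) .. 5 (life-critical)
    rto_hours: float                # BIA: maximum tolerable downtime
    restore_hours: float            # estimated time to restore from backup/failover
    manual_fallback_hours: Optional[float]  # how long a manual process can safely cover; None = none
    likelihood: Dict[str, int]      # risk analysis: per threat category, 1..5
    vulnerability: Dict[str, int]   # risk analysis: weakness of current safeguards, 1..5


def risk_score(asset: Asset, category: str) -> int:
    """Constructed scoring: criticality x likelihood x safeguard weakness."""
    return asset.criticality * asset.likelihood[category] * asset.vulnerability[category]


def prioritize(assets: List[Asset]) -> List[Tuple[int, str, str]]:
    """Every (asset, threat category) pair ranked by score, highest first."""
    rows = [(risk_score(a, c), a.name, c) for a in assets for c in THREAT_CATEGORIES]
    rows.sort(reverse=True)
    return rows


def continuity_gaps(assets: List[Asset]) -> List[str]:
    """Assets whose clinical process would 'hobble': recovery overshoots the RTO
    and no manual fallback can safely bridge the recovery interval.
    These are the items a business continuity plan must address first."""
    gaps = []
    for a in assets:
        if a.restore_hours <= a.rto_hours:
            continue  # recovery alone meets the BIA objective
        if a.manual_fallback_hours is None or a.manual_fallback_hours < a.restore_hours:
            gaps.append(a.name)
    return gaps


# Constructed sample register (hypothetical assets and ratings, not real data).
ASSETS = [
    Asset("Fetal monitoring system", "labor and delivery", 5, 0.25, 48.0, 1.0,
          {"adversarial": 4, "accidental": 2, "structural": 3, "environmental": 2},
          {"adversarial": 4, "accidental": 2, "structural": 2, "environmental": 1}),
    Asset("EHR", "medication ordering", 4, 4.0, 72.0, 24.0,
          {"adversarial": 5, "accidental": 3, "structural": 2, "environmental": 2},
          {"adversarial": 3, "accidental": 3, "structural": 2, "environmental": 1}),
    Asset("Billing system", "revenue cycle", 1, 72.0, 72.0, None,
          {"adversarial": 5, "accidental": 2, "structural": 2, "environmental": 1},
          {"adversarial": 3, "accidental": 2, "structural": 2, "environmental": 1}),
]


if __name__ == "__main__":
    for score, name, category in prioritize(ASSETS)[:5]:
        print(f"{score:3d}  {name:<26} {category}")
    print("continuity gaps:", continuity_gaps(ASSETS))
```

The ranking is driven by the BIA criticality as much as by the threat picture: the billing system is exposed to the same ransomware likelihood as the EHR but ranks far lower, which is exactly the prioritization the post argues a checklist approach cannot produce. The `continuity_gaps` output is the list of processes where “paper and pen” is not an acceptable plan and the continuity plan needs a faster restore path or a longer-lived fallback.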