Credit: Pixabay/CC0 Public Domain
Last month's cyberattack on Change Healthcare should serve as a wake-up call for the healthcare industry to focus on securing its infrastructure, says Kevin Fu, a professor of electrical and computer engineering at Northeastern University and a White House cybersecurity advisor.
Recent attacks have affected online billing and revenue systems, but hackers have the potential to compromise medical equipment that provides life-saving medical care.
In fact, they're already doing that, Fu says.
He gives an example. In 2021, a hacker penetrated the infrastructure of software provider Elekta. They got into the company's internal systems through the internet and took the software offline.
“They shut down the private cloud, which effectively shut down all cancer radiotherapy machines around the world for about six weeks,” he says. “I think the industry learned a lot from that because it was one of the first victims of ransomware impacting real medical devices.”
But the threat remains, said Fu, a member of the President's Science and Technology Advisory Council working group.
Cloud technology is to blame, he says.
“As many medical device manufacturers begin to integrate cloud services into their products, I think we can expect entire medical device product lines to be brought to a standstill if they are not resilient to ransomware and other cyber threats,” Fu said. Privacy and data concerns.
So what does it mean?
First, he says, you need to be proactive rather than reactive.
“We're still in the early 'deer in the headlights' shock stage,” he says. “The right approach is to not only design systems that are secure, but resilient enough that even if ransomware infiltrates the cloud or all firewalls are compromised, critical services can continue to run unhindered. We know it’s about designing systems.”
Second, companies need to abandon so-called “boundary-based” thinking. This is a term used in cybersecurity that refers to using something like a virtual firewall or moat to protect yourself from intruders.
“Many businesses today, probably 99%, are thinking about firewalls and whether they are protected at borders,” Fu says. “But imagine, there are no boundaries. If you have a boundary-based mindset, you're going to have a very rude failure. What you want to do is if a piece of your software fails. But it’s about having resilient systems.”
“The industry needs to get rid of boundary-based thinking and move towards cyber-physical resilience,” he added.
Fu suggests healthcare providers take a look at the Joint Security Plan submitted by the Healthcare Sector Coordination Council for cybersecurity recommendations.
“The group has more than 400 contributing healthcare organizations comprising leading medical device cybersecurity experts,” he says.
Unfortunately for patients, there isn't much they can do other than continue to follow the advice of their healthcare providers.
“Americans should continue to trust the advice of their caregivers and clinicians, but if ransomware slows down procedures or disrupts basic workflows, the ability to do so can cause significant frustration. The risk of an outage still exists,” he says.
Change Healthcare is a great example, he explains. The company is still dealing with the fallout from last month's cyberattack.
Although the company has resumed offering online billing and revenue services for pharmacies, some critical services, such as Medicare reimbursement, remain compromised, Fu said.
He pointed to the creation of a new website outlining the impact and scale of the attack.
“As the power outages continued, they basically said, 'We're not going to share this information anymore because there are too many power outages.' So they created a completely new website,” Fu said. “Also, the federal government realized that the outages were so large that they actually asked insurance companies to waive reimbursement requirements. It's unbelievable. It's so large. Change Healthcare's They’re going to change the rules just for the sake of it.”
Given the scale and impact of the incident, the U.S. Department of Health and Human Services has also launched an investigation into Change Healthcare.
The Change Healthcare situation could take weeks, even months, to be fully resolved, highlighting the complexity and fragility of the health system, Fu said.
“Healthcare is an incredibly complex collection of subsystems, all interconnected,” he says. “That's why it takes so long. There are so many systems, and according to his website for Change Healthcare, they process one in every three patients in the United States. This is a large amount to pay.
“As these power outages extend into weeks and months, they are causing unimaginable problems, including small clinics being unable to make payroll and rent.”