Healthcare CEOs know all about patient safety – at least that’s what they’ll tell you. Joint Commission and others have been all over the subject for years. Ask them what 'patient safety' really means and most will probably start talking about how healthcare organizations protect their patients from errors, injuries, accidents, and infections. It’s a big issue. According to the Journal of Patient Safety, as many as 440,000 people die every year from preventable errors in hospitals alone. However, only a few healthcare CEOs will include cybersecurity in their list of top risks – but that is slowly beginning to change.
Today’s US healthcare payers, providers, and pharmaceuticals are under attack – from state-sponsored theft of healthcare IP, clinical formulations, procedures and treatment regimens, to the PII of patients including 78.8 million customers of Anthem Health, to the commercial theft and sale of PHI and PII by cyber-criminal gangs intent on the monetization of stolen data.
Operational & Reputational Risk
What many don’t realize is that cyber risk in a healthcare setting is not just about attacks against the confidentiality of information, but also the availability and integrity of health IT systems and data. Healthcare is a prime target for extortion and has been disproportionately impacted by bouts of ransomware impacting the availability of health IT systems to render care to patients.
Just look at the UK NHS when much of it succumbed to the global WannaCry ransomware attack in 2017. Nearly two-thirds of NHS Hospital Trusts were impacted and had to cancel appointments and divert all but the most critical of emergency patients elsewhere. Had the NHS understood the true magnitude of its cybersecurity risks and acted accordingly to patch and replace out-of-date systems, then the negative impact to the lives of many of its patients could have been avoided.
I’m sorry, the doctor can’t see you at the moment – our IT systems are down!
So what happens to patient care when critical health IT systems aren’t available to diagnose or treat patients? Their surgeries get cancelled, or they get put in an ambulance to an un-impacted hospital 40 or 50 miles away. That’s where the patient safety question comes into play.
What is the impact to a sick patient when he or she has to be transported an hour or so to a functional hospital? What if that patient happens to be several hours' drive away, or needs a flight to the nearest unaffected and available facility, and expires en route? What is the level of culpability for healthcare providers when they fail to properly evaluate and protect against availability risks to their IT systems? There is a fairly obvious duty of care for patient safety, so shouldn’t that extend to the availability of the health IT systems needed to treat patients? Should hospitals be held accountable in the same way that we hold retailers accountable when they fail to protect their credit card payment systems?
Modern healthcare providers are highly dependent upon the clinical IT systems they use to diagnose and treat patients. What happens when a Pyxis cabinet won’t open to dispense critical medications? What happens when a pharmaceutical robot dispenses the wrong medications for a patient and the mistake is not noticed by overworked staff? Our reliance today upon IT and healthcare IoT systems is perhaps greater than most physicians would willingly admit.
Primum non nocere (First, do no harm)
Making cyber risk a critical part of enterprise risk across the healthcare industry should be a must, given the potential risks to patient safety, as should evaluating and assessing all assets across the clinical business. The sooner hospital boards wake up to this reality, the better – and the sooner the operational and reputational risks that directly impact patient safety can be minimized.