Former CIA head: health care industry must quickly confront cybersecurity issues
Cybersecurity within the health care sector will only become a more dire issue for politicians and doctors alike as connected technology continues to expand, a panel of experts speaking at the Bipartisan Policy Center agreed Wednesday.
Former acting CIA Director Michael Morrell and former Homeland Security Secretary Michael Chertoff pointed to the rapid integration of smart technology into U.S. health care system since 2008, and they noted the sector’s exposure to ransomware, data theft and disruption of connected devices.
Devices such as network-connected pacemakers are vulnerable to hackers in three ways, Morrell said: through a vulnerable internet-connected network; by infiltration of the supply chain from manufacturers to hospitals; or through insider manipulation at health care facilities. The insider threat is the most direct and therefore more potentially devastating one, he said.
Expanding the conversation, he said cybersecurity across all sectors “is the second-biggest threat facing the U.S. after international terrorism, and it’s the fastest-growing threat — and the Internet of Things is contributing to that.”
While the panel acknowledged that there has yet to be a real-world case of a hacker successfully targeting a specific IoT health care device like a pacemaker, a lack of existing cybersecurity standards within the American health care system may ultimately provide the window a hacker needs to do so.
Morrell offered an example from his counterintelligence days to illustrate this point: “If I learned that an ISIS leader had a pacemaker, I’d be asking my guys how to get to it,” he said. Morrell was deputy director of the CIA from 2010-13, and that service included two separate stints as acting director.
The health care industry has been rocked by data breaches over the last few years, and 2017 provided no refuge for hospitals or insurance providers.
The ransomware virus known as Wannacry had a devastating impact on hospitals across Europe, shutting down operations completely if ransom was not paid. WannaCry also provided a test for the Health and Human Service’s new cybersecurity center in early 2017.
Despite the potential risks attached to integrating network-connected technology into health care, the panelists agreed that innovative health care solutions are necessary.
“Digital health and health tech are the answer to providing better health care globally,” said panelist Leslie Saxon, chief of the cardiovascular division at the University of Southern California’s Keck School of Medicine.
Patients should be aware of the cybersecurity risks affecting connected devices, and both hospitals and manufacturers must consider what the core function of any connected device actually is, Chertoff said. The priority needs to be on minimizing the threat of a potential breach, according to Chertoff, and one solution is a development cycle that focuses on security early on in the process.
Morrell urged senior board members in the private sector to proactively learn about cyberthreats and also to understand the severity of consequences when critical software vulnerabilities are left open.
Increased collaboration between health care device manufacturers will also be important in improving the hospital network security, said Medical Device Innovation Consortium CEO William Murray. By sharing cyberthreat intelligence, companies that are typically competitors can help improve digital security writ large, he said.
Because the government can’t be solely relied upon to develop policy that keeps pace with technological advancements, the private sector must develop a robust set of security practices, Murray said.