This past September, the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency published a report designed to assess the health of the nation’s hospitals and health systems.
Perhaps unsurprisingly, the report, “‘Provide Medical Care’ is in Critical Condition: Analysis and Stakeholder Decision Support to Minimize Further Harm,” doesn’t offer encouraging news.
It finds the nationwide infrastructure enabling provision of medical care – one of CISA’s 55 national critical functions – severely strained by the COVID-19 pandemic and the resulting clinical, financial, workforce and supply chain challenges.
The concurrent cyber-pandemic of rampant ransomware and nation-state skullduggery has only compounded the difficulties faced by providers.
As the report notes: “Beyond the obvious consequences of disruptions to diagnostic, testing and treatment equipment, even minor reductions in efficiency caused by cyber-incidents compound to increase staff workload and degrade the system’s ability to provide medical care.”
At the upcoming HIMSS Healthcare Cybersecurity Forum, which kicks off next Monday, a CISA researcher will unpack the recent report – and offer some suggestions for how his agency can support struggling healthcare organizations.
To preview his session, “Healthcare is in Critical Condition,” Josh Corman, who has long IT security and public policy experience in the private sector and joined CISA this past year under the CARES Act as a senior advisor and strategist, spoke with Healthcare IT News about the report and what it means.
“We do regular, routine analysis of risk to the nation’s critical infrastructure and national critical functions throughout the pandemic,” Corman explained, noting that the assessment is both qualitative and quantitative. “This analysis is done for government stakeholders and decision-support within CISA, DHS and across agencies like HHS and CDC.”
Like many of the 55 other national critical functions during this time of upheaval – they include operate government, generate electricity, provide wireless access network services and maintain access to medical records – the NCF known as provide medical care “has been severely strained, stressed at various points throughout the pandemic.”
Aimed at various stakeholders – hospital leaders, healthcare providers, cybersecurity and IT professionals – the report explores several matters that most who have experienced the past two years “suspected or possibly or probably thought were intuitive,” Corman said. “But now we’ve got some hard data to show the impacts that are affecting their organizations.”
The report explores several areas of stress and strain for providers. For instance, Corman explained, “We have the first data sizing of the relationship, the correlation between IC bed utilization and excess deaths two, four and six weeks later.”
“It’s a novel set of findings, and it’s much different than, say, pre-pandemic excess death rates by sizing the shape of that curve. We hope to make sure that people who are making choices about hospital utilization are armed with this newer consequence information.”
The strains on the care delivery system – and the excess deaths they cause – can have severe upstream effects on broader infrastructure, workforce and, potentially, national security.
“An analysis of these excess deaths on top of COVID-19 death reveals some interesting demographic slices – one of which is that one of the fastest growing groups affected by these non-COVID-19 excess deaths from degraded and delayed care are 25-to-44-year-olds,” Corman explained.
“We also have an ethnicity breakdown; that demographic is fairly representative of the nation’s critical infrastructure workers. So critical functions can be impeded by sickness and death of the workforce. In some cases, for highly specialized talent, we can’t really [just] hire more people. It can take five, 10, 15 years to train and backfill the strategic workforce.”
The goal, he said, is to “inform state and local leadership on some of the impact – not just to their citizens, which is, of course, important, but also to identify and track and manage risk and reduce risk to the national functioning of the country for things like transportation, water, food production, medical supplies and the like.”
No question, the pandemic has been a stressful time for the healthcare system and has presented significant challenges that have often compromised patient care.
But here’s another question: Can cyber-disruption make it worse?
“I think everyone intuitively knows that water is wet and fire is hot,” said Corman. “And that degradation can affect patient outcomes irrespective of cause.”
By way of example, he pointed to a study of (non-cybersecurity) disruptions to healthcare delivery: a New England Journal of Medicine article that studied the effects of traffic disruptions caused by major U.S. marathons and assessed how they affected heart attack prognoses.
“They saw that the 4.4-minute-longer ambulance ride to get around the marathon route has a statistically significant increase in mortality 30 days later.”
Throughout the pandemic, in the U.S. and abroad, “unscrupulous ransom actors were targeting and hitting U.S. hospitals pretty hard.”
In at least one case, and possibly others, we’ve seen how cyberattacks can lead to patient deaths.
“Armed with the elevated case rates and hospitalizations of the pandemic as a baseline, we were able to lean in and try to study this national experiment of protracted service disruption in hospitals,” said Corman. “The team asked, can cyber [attacks] make it worse? And the answer is yes.”
As he explained: “The way we measure that is, if we have now an instrument for measuring hospital strain associated with excess death two, four and six weeks on one hand, what we’re able to do is for some of these protracted victims, we could take a very close look for many months after an attack and in the same geography, controlling for things like the size of hospital, the type of hospital, the size hospital in the observation period across a statistically significant sampling, we can compare head-to-head with the same geography, same population, same time period of the pandemic.”
With head-to-head comparisons, said Corman, “you now are able to contrast the effects of cyber-disruption to introduce delayed integrated care sufficiently high enough to be in our danger zone for excess deaths two, four and six weeks later.”
HHS and the FDA “have said for many years that cyber safety issues are patient safety issues,” he said. “But there’s been a reluctance in the field to really reconcile and rectify what many of us intuitively have known to be true – that, yes, delayed and degraded patient care from any cause – power outages, marathons and, yes, cyberattacks – can contribute to worsened outcomes and even excess deaths.”
So, what to do about it?
Corman is the co-founder of I Am The Cavalry, which describes itself as a “grassroots organization focused on the intersection of digital security, public safety and human life.”
According to its motto: “The cavalry isn’t coming. It falls to you.”
But that’s not to say there are no helping hands out there.
And Corman emphasizes that “CISA, the newest federal agency, is here to be your cyber-defender.”
Toward that end, several resources highlighted in the report are designed to arm healthcare professionals “with new data and motivation to go to their stakeholders and encourage them to maybe sign up for some of the free, taxpayer-funded services from CISA, like our Cyber Hygiene Services.”
Another educational resource is its CISA Bad Practices page, designed to highlight “exceptionally risky” habits such as the use of unsupported (or end-of-life) software, known/fixed/default passwords and credentials, and, of course, reliance on single-factor authentication.
“We want stakeholders to avail themselves of ‘left of boom’ services and advice from CISA – meet the local regional CISA team, their cybersecurity advisers, perhaps – and, ‘right of boom,’ for them to know who to call with resources like StopRansomware.gov and other things, so that they have a plan in place before [they face] harm and can maybe mitigate and recover more quickly from harm.”
Josh Corman’s HIMSS Healthcare Cybersecurity Forum session, “Healthcare is in Critical Condition,” is scheduled for Tuesday, Dec. 7, at 11 a.m.