Healthcare cybersecurity "far worse than expected"

A senior executive at Merck & Co has told US lawmakers that cybersecurity is an acute issue in the healthcare industry, with more than a million health records exposed by breaches in recent years.

Terence Rice – who is chief information security officer at the drugmaker – told the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce this week that there is significant under-reporting of cybersecurity incidents, even though according to the 2016 IBM Cyber Security Intelligence Index healthcare was the single most attacked industry last year.

"We have observed cybersecurity researchers demonstrate how software vulnerabilities in insulin pumps and pacemakers could be exploited to cause a lethal attack, and we have witnessed entire hospitals in the US and the UK shutting down for periods of time to combat a ransomware infection on critical systems," he told the meeting.

At the moment, organisations are only asked to report cybersecurity incidents where personal health information is exposed, patient safety is compromised or the attack could cause a financially material event for an organization. The reality is that most incidents go unreported because of the potential harm to reputations.

Smaller companies which lack the resources to acquire the tools and services to prevent or even detect attacks are particularly vulnerable – and that applies to 90% of companies in the healthcare sector, said Rice. And at the same time, data is becoming increasingly portable, while software is increasingly penetrating the healthcare ecosystem and opening potential doors for attackers.

"Neither private industry nor the government can solve this problem alone; we must work collaboratively and transparently to reduce this risk," he told the lawmakers, noting that Department of Health and Human Services (HHS) should appoint a healthcare liaison officer to forge closer links with the private sector.

Rice would like to see closer collaboration between the HHS Sector Coordinating Council and the NH-ISAC – a coalition of more than 200 companies sharing intelligence and working on ways to secure big data – along with other public-private partnerships such as the SAFE BioPharma Association which developed a digital identity and digital signature standard.

That standard should be adopted by federal agencies and large healthcare firms to create a healthcare "ecosystem" that has the potential to not only significantly improve cybersecurity, but streamline business processes and "rationalize the current fragmented, redundant identity trust issue in healthcare."

Other measures could include recruiting departing military personnel to fill the estimated 200,000 open US cybersecurity positions, said Rice, whose full testimony and list of recommendations can be viewed here.

"If we are unsuccessful in these endeavours and we are unable to significantly reduce the cybersecurity risk that we face, we may delay or even lose the opportunity to utilize promising new health information technology that has the potential to save and improve lives around the world," he said.