[00:00:00] Christian Dameff, MD: Hi, my name is Dr Christian Dameff, emergency medicine physician and medical director for cybersecurity. Thank you for joining this video series on Cybersecurity for the Clinicians. This is the first of several episodes where we'll walk you through much of what you need to know about cybersecurity in the clinical environment.
[00:00:25] We'll explain how cyberattacks happen, what the impact can be on your organization, and most importantly, on patient safety. You will learn how to do your part to prevent cyber attackers from stealing health payment data, disrupting clinical operations, and ultimately harming patients. This introductory episode is called Cyber Safety is Patient Safety.
[00:00:47] Now you might be asking yourself, what is cybersecurity? And why do I need to know about it? That's not my job. My job is to take care of patients. And these are all great questions. And yes, your job is to take good care of patients. But in this age of digital health care, we must do so safely and securely.
[00:01:07] Consider this. Every day that you take care of patients, you are sending and receiving emails about them, entering their health prescription information into the electronic medical record, and connecting them to medical equipment locally or remotely. Other times you're handling payment and insurance information, or sending and receiving digital images such as X-rays.
[00:01:29] What is common among all these clinical activities is that in most cases they take place on computers connected to networks such as the internet. And while all this digital connected health technology greatly improves the quality and efficiency of care, it also makes health care systems and services vulnerable to cyber attacks.
[00:01:48] We'll give you examples of how these attacks happen in a minute. But please know that while your hospital, clinic, or larger health care institution may have someone in charge of the technical aspects of cybersecurity, there are a few simple things everyone who is interacting with patients needs to know
[00:02:05] and do to prevent malicious hackers from harming a patient clinically or financially. First, let's look at how health care has been affected by cyberattacks. You might say this is what a malicious hacker sees in the health care system: a rich treasure trove of access points, essentially digital doors and windows to break into and steal information, extort money, and sabotage clinical operations.
[00:02:29] And often, they succeed. Did you know in the year 2021, the US Department of Health and Human Services received more than 700 reports of compromised health care data? More than 45 million patient records! That's a 40% increase over two years earlier, and 75% of these breaches were caused by cybercriminals.
[00:02:49] Many breaches result in steep fines, reputational damage, and class action lawsuits. The impacts can be extremely costly to your organization. You may have heard of ransomware. That's when a cybercriminal uses malicious software to encrypt or scramble important data like patient records, appointment schedules, payment systems, and diagnostic systems.
[00:03:12] And then they demand a payment, a ransom, to restore the information and the clinical and administrative operations of those. And someday you may find yourself right in the middle of one of these attacks. What would you do when: clinical workflows are disrupted, causing potential harm to patients? Payment systems are down? Stroke, trauma, cardiac, and other time-sensitive services are compromised? Ambulances are diverted, causing potential harm to patients? Treatments for cancer patients, including surgery and radiation, are delayed? Medical records become inaccessible, and some may be permanently lost? You're unable to order or receive vital supplies?
[00:03:53] You cannot collect monies to fund operations. Hundreds of staff are furloughed, and protected health information and other sensitive data are stolen and published online. So how do malicious hackers execute these attacks? Let's look at a couple common techniques. The most common method is called email phishing, with a PH.
[00:04:13] Here's what happens. You receive an email from a trusted source, such as your boss or a colleague, and you open the attached file. Unfortunately, this fraudulent attachment is a trap, granting the cybercriminals access to the hospital network. Then, like a burglar roaming around a house unseen, they can secretly roam the hospital network, discovering where the valuable information and systems reside.
[00:04:37] After they complete their reconnaissance, they execute their attack, which may include stealing data, locking it up with ransomware, disrupting medical devices, and other damaging deeds. As technology evolves, and we continue to move to remote work environments, it is essential that cybersecurity becomes part of your daily awareness and routine,
[00:04:56] whether you are practicing in the clinic, operating room, hospital, or administrative boardroom. It's also the law. The Health Insurance Portability and Accountability Act, also known as HIPAA, is not just a privacy law. It requires that medical establishments defend against any known security threat. And that means everyone in a health care provider organization who touches technology, who touches data, who touches patients, must be as aware of computer viruses as they are about biological viruses.
[00:05:25] We ask you to do your part to help your security teams succeed in defending your health care organizations from cyberattacks. In this eight-part series of short, five- to six-minute videos, we'll cover the basics of what you need to know about how cyberattacks can harm patients, damage your systems, medical devices, and potentially even cause crippling costs to your organization.
[00:05:49] We won't get technical, but we'll give you simple precautions on how to perform your patient care duties safely and securely. So stay with us. We think you'll find it educational and engaging. And your patients will thank you.
Disclosure Statement: Unless noted, all individuals in control of content reported no relevant financial relationships.
If applicable, all relevant financial relationships have been mitigated.