[00:00:00] Christian Dameff, MD: Hi again, I'm Dr Christian Dameff, emergency medicine physician and medical director for cybersecurity. Welcome to the second episode of our Cybersecurity for the Clinician video training series. When I was in medical school, I remember a few lectures and some basic training about the 1996 Health Insurance Portability and Accountability Act.
[00:00:26] You probably know it as HIPAA. This law, among other things, requires us to ensure the privacy of patient information. You may have also learned that HIPAA requires certain technical and physical controls to protect the security of patient data. If you trained before this law was enacted, you probably learned about it during mandatory training at your health care system.
[00:00:48] Perhaps you're learning about it now as a nursing or medical student. But good cybersecurity practices begin, not end, with HIPAA. Yes, HIPAA is a government regulation that your health care organization must remain compliant with. If your organization doesn't, and you suffer a data breach or a cyber attack, it can cost your organization money, reputation, and in some cases, even criminal prosecution.
[00:01:14] Maybe that's enough motivation for any organization to do the right thing, but we all know it isn't so easy. According to a survey by the American Medical Association, more than 80% of physicians have experienced some form of cyber attack in their clinical practice. And they recognize that HIPAA alone isn't enough protection to deal with cybersecurity threats.
[00:01:35] So what else should motivate an organization to strive for better cybersecurity? And what should motivate you? We emphasized in the last video that the most important motivation is patient safety. Let's consider health care cyber attacks and patient safety impacts on a national scale. The US government considers health care to be a critical infrastructure, the protection of which is a key national security priority. This places health care in the same category as electricity, internet, communications, water, financial services, oil, gas, and 10 other key sectors. And when you think about it, it makes sense.
[00:02:11] The public, the nation, all the way up to the President of the United States, depends on health care to keep us all healthy. So we don't just serve individual patients, we serve the public, and that gives our job a higher order of responsibility. Whether we care for patients directly or indirectly, we can think of health care as an ecosystem, one which includes medical devices and pharmaceutical companies; it includes labs and blood banks.
[00:02:38] It includes health plans and payers, as well as health information technology companies, research, and public health institutions. All of these parts of the system are interconnected and interdependent. Each link in that health care chain is only as strong as the weakest link. And when it comes to critical infrastructure, other key industries share similar complexities and vulnerabilities.
[00:03:03] We can use a common cybersecurity framework called the CIA triad to organize vulnerabilities into three categories. The C in the triad stands for confidentiality, the I for integrity, and the A for availability. Now you're familiar with confidentiality. It's the focus of the HIPAA law. Confidentiality is about protecting sensitive patient information,
[00:03:24] billing and payment information, and clinical trial data from folks who should not have access to that data. Integrity is another important cybersecurity priority. Ensuring integrity is about making sure that a cyberattack doesn't change data. Data must be accurate if we're going to act on it, especially important data like prescription doses, diagnoses,
[00:03:46] blood type, or medical device readings and safety limits. Imagine a patient's electronic health record was tampered with, resulting in the deletion of their allergy list. You can see how a patient can be harmed if given a medication they were seriously allergic to. And last, but certainly not least, let's talk about availability.
[00:04:05] What happens when an attack causes computers or medical devices to simply stop working? Or what happens when a ransomware attack removes your ability to read patient notes or look at medical imaging? Unfortunately, this has happened to too many hospitals. Industry leaders and government partners like the Department of Health and Human Services, the Departments of Homeland Security, and the FBI work together every day to identify cyber threats against the health care industry.
[00:04:32] These groups consider the best ways to prevent attacks and provide assistance responding when attacks are successful. As you can now see, this isn't just about HIPAA regulations. Some regulations can't keep up with constantly evolving threats, especially when they come from sophisticated adversaries such as other countries and governments.
[00:04:53] Our success depends in part on common sense protections that each of you out there can take to protect your small part of this larger health care sector, because one small mistake can ripple throughout this big ecosystem. And as clinicians in a complex, interconnected, critical industry, you share an important responsibility,
[00:05:15] not just to your individual patients, but to the whole system. This may sound daunting, but you have a lot of support. Many of you have a security team in your hospital or clinic. And of course, your primary responsibility is taking care of patients, not single-handedly ensuring the cybersecurity of your organization.
[00:05:35] But just as you wash your hands, and take other basic hygiene precautions before working on a patient, the same precautions apply to your IT and digital environments. Stay with us. In the next episodes, we'll tell you how.
Disclosure Statement: Unless noted, all individuals in control of content reported no relevant financial relationships.
If applicable, all relevant financial relationships have been mitigated.