Did You Remember to Take Your PILLS?

By admin
Sep 29, 2020, 7:05 PM

By Christopher Frenz

While it has long been highlighted as a serious cause for concern by healthcare security professionals, the prospect of a cyberattack leading to the death of a patient has now become a somber reality, with the first documented case occurring recently in Germany (https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/).

It is critical that anyone who works in a modern healthcare environment understands that technology has become deeply rooted in patient care and that, as such, protecting the technology we depend on for patient care has become a key enabler of patient safety.  Anything that results in a delay to patient care can result in adverse patient outcomes, and the loss of critical computer systems and the ability to access patient records and test results with a few clicks will certainly lead to delays in patient care.  Moreover, the WannaCry and NotPetya ransomware attacks of 2017 illustrated that it is not just desktop PCs and servers that are at risk, but that cyberattacks have the ability to impact medical devices as well (https://www.hipaajournal.com/wannacry-ransomware-encrypted-hospital-medical-devices-8811/).

These issues become even more sobering when one considers that a study that looked at ransomware attacks that occurred against US hospitals between 2016 and 2019 estimated that 6.6 million patients were likely impacted by these attacks (https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/). 

While none of the adverse outcomes suffered by any of these patients were directly attributed to the ransomware attacks themselves, one cannot help but wonder what the impacts on health outcomes were as a result of these attacks. How many people suffered as a result of the delays in patient care that occurred? While the answers to these questions may never be known, another important question that we need to be asking and answering is: what can we be doing to ensure information security issues are considered as potential patient safety issues and addressed appropriately?

One of the keys to addressing this question is to get more and more clinical leadership involved in the information security risk assessment process, so that the relationship between information security and patient safety becomes better understood and clinicians begin to view information security as a necessity and not just a nuisance. In order to facilitate this involvement, I like to tell those involved in the risk assessment process to “remember to take their PILLS.” PILLS is a simple risk assessment framework that asks participants to consider the potential risks surrounding:

Privacy of Data: What ways can personal health information possibly be obtained from the information the device collects, processes, stores or transmits?

Integrity of Data: In what ways could information collected, processed, stored, or transmitted by the device be altered in an inappropriate way?

Loss of Availability: In what ways can a loss of access to the device, a loss of access to the devices data, or a loss of device function result?

Life Safety: In what ways can a cyberattack contribute to a life safety issue?

Organizations should attempt to identify the risks associated with each of these categories by asking the above questions and thinking through the possibilities. For example, when considering privacy issues, perhaps it is determined that a given system can be accessed with a default password, making results easily viewable by anyone and not just those with a need to know. Likewise, a look at integrity issues may determine that the central station used to collect device data does not authenticate the devices before displaying the data they provide, which could lead to spoofed readouts, or an availability analysis could determine that the legacy nature of a device makes it susceptible to encryption by ransomware. Most important, however, is the identification of any risks that could lead to potential life safety issues. While there is likely to be overlap with some of the risks identified in other categories (e.g. an integrity issue with an infusion pump could lead to an incorrect dosage), identification of these risks is critical, as these are the risks that pose the greatest potential threat to patient safety.

After the various risks faced by a given system or process are identified, it becomes easier to determine which of them should be prioritized as posing the biggest risks to the organization and to the patients it cares for. These are the risks that organizations should put the most emphasis on addressing. Moreover, taking the time to identify the risks inherent in a given system or process is also a critical part of ensuring that the proper controls are identified and deployed to mitigate the risks in question. As your organization matures in its cyber risk management processes, it can make the process increasingly quantitative to better assess the likelihoods and impacts of risks as it prioritizes them. In the meantime, this simple framework provides a great way to get clinical staff and other hospital leadership outside of the IT and InfoSec departments involved in the consideration of cyber risk. While it will not be a full stand-in replacement for other cybersecurity risk assessment methodologies, such as FAIR, it provides a great way to get increased cybersecurity buy-in from clinical leadership and to promote understanding of the role cybersecurity plays in patient safety. So the next time a new technology change, system, or process is being proposed, get the risk conversation going by asking the various stakeholders to “remember to take their PILLS”.
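To make the PILLS walkthrough and the prioritization step above concrete, here is a small risk register written for this article; it is an added example, not a tool from the author or any product. It records each identified risk against one or more PILLS categories (overlap is expected, as with the infusion pump), scores it on an assumed 1-5 likelihood and impact scale, and ranks life safety risks ahead of everything else before falling back on likelihood x impact. The sample entries mirror the article's own illustrations (default password, unauthenticated central station, legacy device and ransomware, infusion pump dosage); the system names, scores and controls are constructed assumptions, not real findings.

```python
from dataclasses import dataclass
from enum import Enum


class Pills(Enum):
    """The four PILLS risk questions from the article."""
    PRIVACY = "Privacy of Data"
    INTEGRITY = "Integrity of Data"
    AVAILABILITY = "Loss of Availability"
    LIFE_SAFETY = "Life Safety"


@dataclass(frozen=True)
class Risk:
    system: str
    description: str
    categories: frozenset      # one or more Pills values; a risk may answer several questions
    likelihood: int            # assumed scale: 1 (rare) .. 5 (expected)
    impact: int                # assumed scale: 1 (negligible) .. 5 (severe)
    control: str = ""          # the mitigating control the team intends to deploy

    def __post_init__(self):
        # Reject entries that are off the agreed scale or carry no PILLS category,
        # so a register cannot silently contain unscored or uncategorized risks.
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be on the 1-5 scale")
        if not self.categories or not all(isinstance(c, Pills) for c in self.categories):
            raise ValueError("a risk needs at least one PILLS category")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def life_safety(self) -> bool:
        return Pills.LIFE_SAFETY in self.categories


def prioritize(risks):
    """Life safety risks first, then highest likelihood x impact; stable for ties."""
    return sorted(risks, key=lambda r: (r.life_safety, r.score), reverse=True)


def by_category(risks):
    """Group risks under every PILLS question they answer (overlap is intentional)."""
    groups = {c: [] for c in Pills}
    for risk in risks:
        for category in risk.categories:
            groups[category].append(risk)
    return groups


# Constructed sample register following the article's examples; hypothetical values.
SAMPLE_RISKS = [
    Risk("lab results viewer", "default password lets anyone view results",
         frozenset({Pills.PRIVACY}), likelihood=4, impact=3,
         control="replace default credentials; role-based access"),
    Risk("central monitoring station",
         "does not authenticate bedside devices, so readouts can be spoofed",
         frozenset({Pills.INTEGRITY, Pills.LIFE_SAFETY}), likelihood=2, impact=4,
         control="device authentication; segment the monitoring network"),
    Risk("legacy patient monitor", "unpatched OS susceptible to encryption by ransomware",
         frozenset({Pills.AVAILABILITY, Pills.LIFE_SAFETY}), likelihood=3, impact=4,
         control="isolate on a medical-device VLAN; documented offline fallback"),
    Risk("infusion pump", "tampered dosage settings could deliver an incorrect dose",
         frozenset({Pills.INTEGRITY, Pills.LIFE_SAFETY}), likelihood=1, impact=5,
         control="signed configuration updates; dose-limit library on the pump"),
]


def report(risks) -> str:
    """Render the register the way a risk assessment meeting would review it."""
    lines = []
    for category, entries in by_category(risks).items():
        lines.append(f"{category.value}:")
        for risk in entries:
            lines.append(f"  - {risk.system}: {risk.description}")
    lines.append("Priority order:")
    for rank, risk in enumerate(prioritize(risks), start=1):
        flag = " [LIFE SAFETY]" if risk.life_safety else ""
        lines.append(f"  {rank}. {risk.system} (score {risk.score}){flag} -> {risk.control}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RISKS))
```

Sorting on the tuple (life_safety, score) is the design choice that encodes the article's point: a privacy risk with a high score still sits below every life safety risk, so the infusion pump (rare but severe) outranks the widely accessible results viewer. As a program matures, `score` is the natural place to swap in a quantitative likelihood and impact model without changing how the register is grouped or reviewed.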

