Cybersecurity and health: more related than you think



Cybersecurity and cyberattacks are now part of our daily life.  They’ve emerged as the plot drivers of movies like Blackhat and TV shows like CSI Cyber. And it seems like everyone, from retailers to employers to banks to moms to movie companies, is getting hacked these days.

These events are alarming and damaging but they’ve mostly centered around the stealing, sharing and selling of information. Importantly for the healthcare industry, the switch to electronic health care records has created a data repository ripe for attacks. As I’ve heard friends in the cyber business say, “If you can imagine it, you can probably do it.” In the coming year, hospitals and healthcare systems will likely become even more of a target for attacks on their digital infrastructure.

However, these aren’t the only types of cyberattacks that are happening. A recent GAO report has detailed an incident that occurred in 2009, when malicious code was loaded onto a Dallas-area hospital’s computers by a security guard.  In 2013, 256 cyberattacks on critical infrastructure were reported to DHS. This includes energy companies, water utilities, and other industries that support the necessities of everyday life. You can bet on a couple things with this number: 1) it is greatly underestimated since companies often are hesitant to report attacks or may not even know that they have happened; and 2) it’s grown even bigger this year.

Increasingly, these attacks aren’t confined to the digital world; they can also cause physical damage. For instance, the affected computers in Dallas controlled heating, ventilation, and AC for two floors in the hospital and could have affected patient’s medications and treatments. The Stuxnet worm caused nuclear centrifuges in Iran to spin out of control and break while an attack on a German steel mill caused “massive” damage by disrupting the shut down of a blast furnace.  

While this type of damage itself could cause significant individual health effects, the loss of critical infrastructure could be catastrophic to public health. People rely on water, electricity, sewage, industrial safety systems, and other parts of critical infrastructure to keep them healthy and safe in their everyday lives. A 2013 journal article about the 2-day power outage in New York reported a statistically significant spike in deaths during that time period. During the blackout, total mortality rose by 28%.

Public health officials could be called upon to respond in a variety of ways. If electricity were to be cut in the middle of a heatwave or cold snap public health workers would need to set up cooling or warming stations. If the water supply was compromised, public health may need to help provide citizens with clean water. In fact, public health surveillance systems may even provide the first indication that something has gone wrong, since these systems track increases in illness and hospital visits.

So when we consider cybersecurity and cyberattacks in the future, it’s important to take a public health perspective. The health and wellbeing of real people are at stake.  When you really think about it, you can recover lost data but you can’t recover lost lives.