In an era where healthcare operations are becoming increasingly digitized, the risks associated with cybersecurity are evolving at a rapid pace.
Traditionally, technology was seen merely as a tool to enhance the efficiency of healthcare operations. However, Christian Dameff, MD, an emergency physician and the medical director of cybersecurity at UC San Diego Health, told Becker's that this view is outdated and overlooks the consolidation of critical health information into centralized digital systems, making them vulnerable to attacks.
"We used to think of healthcare IT as just another tool in the toolbox, but what we've done is built a brand new toolbox filled with digital tools," Dr. Dameff said. "Now, when someone steals our toolbox, we can't get the job done anymore."
He emphasized that the risk is no longer limited to breaches of protected health information, but extends to the very ability of healthcare providers to deliver care. Ransomware attacks, in particular, have demonstrated how cyberattacks can directly impact patient care by disrupting critical healthcare services.
Over the past decade, ransomware has emerged as a significant threat to healthcare systems across the country. According to Dr. Dameff, the frequency of these attacks has escalated to the point where it's now common to hear about a healthcare institution falling victim to ransomware on a weekly basis. The consequences are severe, often impairing the ability of healthcare providers to treat patients effectively and efficiently.
"No one today can honestly look at ransomware and say this is an issue that's entirely focused on protecting health information," Dr. Dameff said. "These attacks are impairing the ability of nurses and doctors to treat patients to the standard of care we're accustomed to."
Dr. Dameff acknowledged that most hospitals are ill-equipped to deal with ransomware attacks effectively. He pointed out that many healthcare organizations lack the necessary protocols, procedures and IT infrastructure to respond quickly to such incidents.
"The vast majority of hospitals do not have the necessary planning, drills or procedures in place to address the ransomware threat," he said. "This is a significant issue, given the impact these attacks can have on patient care."
Dr. Dameff suggested that there needs to be a greater emphasis on training frontline workers to handle cyber incidents, as well as a national-level response to support hospitals during these crises. He proposed that ransomware attacks should be treated similarly to natural disasters, with external response teams ready to assist healthcare organizations when their resources are overwhelmed.
Despite the challenges, Dr. Dameff remains optimistic about the future of healthcare cybersecurity. The FDA now assesses the cybersecurity of medical devices and will not approve those that do not meet certain standards, which Dr. Dameff sees as a crucial step forward.
"The success story of the FDA is one of the things that really brings me hope," he said. "If the FDA can do it, I have faith that other federal agencies and organizations can follow suit."
Dr. Dameff also noted the increasing attention that ransomware attacks are receiving from both the healthcare community and researchers. More studies are being conducted to understand the impact of these attacks on patient care, and Dr. Dameff believes that this growing body of evidence will lead to better strategies for preventing and responding to cyberattacks.