Is the US health care system a target for cyberterrorism?
December 19, 2012
The health care system in the U.S. is a $2.5 trillion industry and depends heavily on communication and the transfer of information via the Internet. This puts it at ever-increasing risk of a cyberterrorism attack, which could jeopardize lives and threaten patient care and privacy, the authors point out.
What Is the risk for Healthcare Targets?
The risk has become more acute in larger healthcare organizations such as hospitals, which have moved away from stand-alone workstations to more tightly integrated platforms attached to networks, according to the authors. It is now common for these networks to link a variety of IT workstations such as admissions, clinical laboratory, pharmacy, radiology, and the billing department.
Networks also connect the IT systems of an organization’s inpatient and outpatient settings as well as a variety of service organizations ranging from acute care to long-term care and home care.
These systems also have links to external networks, which connect and share information with patients, employees, insurers, and business partners. Areas of particular concern to healthcare-related facilities include the potential for cyberterrorism-related events to erase or alter computerized medical, pharmacy, or health insurance records.
If terrorists were to attack America’s healthcare IT systems, it probably would not be through the use of one major assault, but rather via a series of small incursions that are much more difficult to detect, the authors suggest. An example of this type of scenario was outlined recently in a cyberterrorism seminar at the University of California, Davis:
- Hackers use ‘‘phishing’’ e-mails to introduce four separate packages of malware into the hospital networks. Once planted, these packages trigger in sequence a few days or weeks apart. The first infects patient record databases and alters doctors’ orders, medication doses, and other information, spreading confusion and possibly causing illness and deaths.
- A few days later, the next program triggers, interfering with portable devices that nurses use to record patient information.
- The third wave attacks the software in intensive care unit monitors, altering the data display and switching off alarms.
- The fourth and final wave infects the software controlling drug infusion pumps and similar devices.
- After a few weeks of these rapidly changing, and different, attacks, the staff in the hospital has no trust in any electronic data, and the IT support staff is totally demoralized.