The hack that shut down the Colonial Pipeline has most Americans worried about threats to the nation’s computer networks. According to a recent survey by Rasmussen Reports, 85 percent of Americans are at least “somewhat concerned” about the safety of the nation’s computer infrastructure.
Their concerns are not idle ones—they exist across vital sectors of the economy. Over the last decade, the health care industry has become increasingly vulnerable to ransomware attacks like the one we’ve just been through in the energy sector. Experts have been raising the alarm but thus far their warning cries have not received the attention they deserve.
That needs to change. Policymakers need to pay attention as these kinds of attacks become more frequent and more expensive. According to a study conducted by Comparitech, in 2020 alone 92 individual ransomware attacks occurred that cost an estimated $20 billion and affected over 600 separate clinics, hospitals and organizations and more than 18 million patient records.
Health care systems rely more and more on devices that use network-integrated software components. These machines—MRI machines, CT scanners and the like—are a vital part of 21st century health care. We cannot do without them so we must take steps to ensure they cannot be hacked. Unfortunately, despite growing vulnerabilities, hospitals and other providers are allowing cost concerns to create a serious security gap that could further jeopardize the integrity of certain medical devices, as well as health systems more broadly: third-party medical device servicing activities.
Online infrastructure must be protected from hackers who can cause life-saving technologies to crash with the push of a button. These technologies are essential to diagnostic and therapeutic services and to patient care. People literally cannot live without them, yet it’s not clear they are being protected, especially when they need to be repaired. Problematically, America’s adversaries are studying these vulnerabilities just as intently as manufacturers and operators are.
One example shows how wide the problem may stretch. Repairs undertaken by the original manufacturers of the equipment are heavily regulated by the U.S. Food and Drug Administration and must follow what are called “mandatory quality system requirements.” Independent firms that compete in the same space at lower cost, by contrast, are generally allowed to operate without supervision. There are no applicable industry standards against which their work can be measured, yet their ability to do the same work cheaper makes them attractive to institutions like hospitals and clinics where cost is a primary concern.
The practical implications of this should be obvious. In an interconnected health care ecosystem like the one the United States has, devices and systems are constantly updating, requiring everyone from manufacturers to hospitals, doctors and clinics to those who maintain and service highly technical, life-saving devices to do their part to keep systems safe. There has been some regulatory progress recently that has made things safer, but the job is not yet done.
Imagine if a foreign intelligence service stood up a company to repair medical devices or debug health care software for some of the nation’s biggest hospital systems. In that circumstance, the potential for chaos, even death, exists as does the chance private medical information of untold numbers of Americans could be compromised. Significant issues still exist where medical device servicing and aftermarket repairs are concerned. If an independent operator separate from the original manufacturer of a critical piece of interconnected medical hardware even inadvertently opened a backdoor to a threat by bungling a repair job or using a few unauthorized lines of code, the damage could be severe. No one likes the heavy hand of regulation, but in the interests of safety, some minimum standards are needed.
Compared to his multibillion-dollar infrastructure plan, this is a small issue, and one on which President Joe Biden could push for a bipartisan solution. He has already issued an executive order on cybersecurity, but he needs to do more, as does Congress. A thorough review of important systems that can be hacked, taken offline or held for ransom is long overdue.
The danger is real, and the American people understand it, especially after everything we’ve been through during the pandemic. We know Russia, China, Iran and others are trying to hack our critical systems, and in a few cases, succeeded. This is a problem too important to ignore and Republicans and Democrats should come together to deal with it before it becomes a problem we can’t live with.