What Clinicians Need to Know about Cybersecurity

5 Questions with DCRI’s Chief Science and Digital Officer Eric Perakslis

Each year, hackers steal thousands of medical records from hospitals and health organizations.

Health systems face elevated threats from cyberattacks. A new perspective piece written by Duke Clinical Research Institute Chief Science and Digital Officer Eric Perakslis, PhD, and published in the New England Journal of Medicine (NEJM) offers a clinicians’ guide to cybersecurity. In “Responding to the Escalating Cybersecurity Threat in Health Care,” Perakslis offers actionable insights to help health care providers protect themselves and their patients from the threats of cyberattacks.

Q. When you think about cybersecurity, many people consider it to be an IT responsibility first and foremost. Why is it important to create a guide for clinicians?

A. Well, because I think most people think it’s an IT thing. In 2021, the number of medical records that were stolen exceeded the number of hospitalizations by 10%. That’s out of hand. So, the threat is off the charts. That’s the first thing. The second is that I think we’re doing clinicians a disservice by not preparing them. We prepare with fire drills, we prepare with active shooter drills, but they don’t know what goes on in a cyberattack. They just assume the IT people got it — and that’s not the way it should actually work.

Clinicians aren’t always aware of the downsides of the things they get involved in, and for the most part, they assume that it’s somebody else’s job to watch that. Well, we can’t watch that because the technology people don’t always know what’s going on. As an example, if you think about side effects, if you think of some of the most famous cases about medicine finding out about side effects later (for example Vioxx); they didn’t predict the type of cardiac toxicity that Vioxx had, and the reason is that they didn’t study it in hearts very much. Clinical trials are necessarily artificially limited experiments — real-world usage is always different. So, the side effects sometimes happen in the systems other than the system that you’re studying. And for medicine, this is exactly what happens when the side effect of getting your records stolen is you get arrested for Medicaid fraud, or your credit gets blown and you can’t get a mortgage.

Benefits of clinician training in cybersecurity incident response

Q. One of the recommendations in your paper is that clinicians should advocate for limiting internet-connected devices within their practice settings. What does this look like in a practical sense? What devices in a health care environment are best to have disconnected to reduce those risks?

A. I say that because the internet wasn’t built to be secure, it was built to be open. So, what that’s caused is lots of companies and manufacturers and devices kind of approach this as though the default switch to the internet should be ‘on.’ I would argue that the default switch should be ‘off’, and you should only turn it on when you need to turn it on.

I wrote a blog in the British Medical Journal about “The Internet of Unsafe Things.” I want to say at that time they estimated that every inpatient was connected to something like 16 internet-connected devices — why? I think it’s because they can. Maybe the manufacturer wants to come in and push patches and updates — fine, don’t keep them connected to the internet. Have them schedule a window to open it up, push the patch and shut it back down.

Q. You identified in your paper that certain times are more likely to be vulnerable than other times in terms of cybersecurity threats. How can a clinician recognize when those times are?

A. It’s a funny question right now because we live in a time where every day the news seems worse than it was yesterday. I think we used to recognize when times were unusual. For example, look for:

  • Times of heightened conflict
  • Times of heightened controversy
  • Periods after your institution or department wins a big grant, or has a high-profile doctor on CNN

Any of those things that draw a lot of attention to you can potentially lead to the type of attention that you don’t want.

There are two types of adversaries:

  1. A criminal that is just trying to steal money. They’re just looking for easy pickings — if you’ve got three rottweilers in the front yard, the ADT sign in the door, people aren’t going to rob that house. They go down three houses where the guy’s window is open and he’s playing 60s music and he’s asleep — they’ll go in that house. So, when it’s easy, the criminals are going to come at you, they’re going to hit you when you’re down.
  2. The nation-state actors, and/or terrorist groups, the cyberwar type stuff, that’s usually more strategic, in line with something else. So, they may attack the energy grid just to get everybody to look at that while they’re sneaking into hospitals in the back door. If you look at what’s happened in Ukraine, almost every physical offensive was preceded by some form of cyberattack — trying to take their internet down, trying to take their telecommunications out.

Q. How should health care systems weigh the convenience and speed of accessibility of information used for patient care against keeping that information as safe as possible?

A. It’s an important question. I covered it a lot in my first New England Journal article. A banker can go in and pour a cup of coffee and spend 15 minutes logging through screens — a doctor can’t do that at the bedside. So, I think that’s one of the things that makes medicine so vulnerable — they must have ready access. At the same time, you don’t have to have all of it connected to the internet to do that. It needs to be connected in a room. I think the idea is that more closed, offline systems will still encourage care without adding risk to things.

Q. What are your recommendations to clinicians on cybersecurity and providing telehealth care?

A. I think they should understand that the environment is different. That talking to somebody in their house isn’t the same as having them in the office in front of you. You can’t see things — you didn’t get a chance to see them walk in to see if they’re limping, for instance. I also think that a lot of clinicians don’t think about the situational awareness of what that person’s life is like right there. They know when they’re in the clinic and the door is closed, they have a safe space. They can’t assume that with patients on the other side (of a screen).
