One cannot avoid discussing cybersecurity issues when discussing medico-legal risks in the NICU. In the current day and age, any piece of equipment that we plug into an electricity outlet can be hacked.
In addition, any device operated on battery power is likely to have the ability to connect to other devices and monitors and, therefore, can also be hacked.
As a result, after a targeted ransomware attack, whole hospital IT systems or some of their networks and devices may be inoperable.
Reasons for the increasing number of security breaches in healthcare institutions are listed below:
- Increasing number of communication devices used by healthcare workers
- Many treatment devices and testing equipment need to connect to the central IT system
- Increasingly sicker population of patients that require continuous monitoring
- Financial constraints that health institutions have to deal with
- Lack of IT know-how among hospital administrators
Healthcare IT News cited a study that polled 600 health IT leaders. The survey showed that 43% of the studied population experienced a ransomware cybersecurity attack in their institutions. Furthermore, in 70% of cases, attacks contributed to delays in procedures and tests, and in 36% of cases they caused increased rates of procedure complications.
Worse, 22% of leaders in affected institutions believed that the cybersecurity issue contributed to increased patient mortality rates.
Several cases from the literature cite a cybersecurity attack as a significant potential cause of death.
One case occurred in Alabama in 2019, where a ransomware attack on a hospital IT network contributed to a missed opportunity to diagnose early signs of fetal compromise and led to a delay in performing cesarean delivery. Subsequently, the baby required prolonged resuscitation, had brain damage, and died before the first year of life.
Another patient died in Germany. After the cybersecurity issue, the Dusseldorf University clinic’s servers were encrypted, making all the information inaccessible, and doctors had to relocate a very sick patient to a hospital 20 miles away. That patient allegedly died due to a delay in treatment.
Given how widespread cybersecurity attacks are, I am sure many more related patient deaths are not being reported as such.
What is disturbing is the trend where some institutions minimize the significance of attacks, do not notify their providers and patients, or pressure their employees to continue providing medical care as usual (you can read here about such a situation that occurred in Alabama in the USA).
They are hesitant to curtail the number of patients or refuse to treat acutely ill patients who will be most likely affected by impaired IT systems.
As a neonatologist, I cannot imagine being able to treat my tiny patients in level 3 or 4 NICUs affected by cybersecurity attacks. We continuously monitor all our patients, provide medications by IV pumps, order frequent digital X-rays or ultrasounds that must be viewed on monitors, and access laboratory results via computers.
The only responsible step for a leader of a NICU or hospital is to attempt to transfer all critical babies treated in the NICU to other institutions able to provide uninterrupted and safe care.
Below, I want to discuss steps that leaders and hospital employees should take to minimize legal risks from cybersecurity attacks.
Prevention of cyberattacks in healthcare
- Large hospitals need to hire cybersecurity experts or follow industry standards developed by experts.
- IT leaders need to institute all required and recommended software and hardware updates and patches.
- Proper training should be provided to all employees and contractors on cybersecurity issues.
- Individuals should have only limited access to IT networks based on their job description.
- Individuals should have limited access to hospital networks from outside locations.
- Employees should refrain from clicking on e-mail attachments or using private memory sticks on hospital devices.
Managing the situation after the ransomware attack affecting the hospital or NICU
As a doctor and patient, I always want to be fully informed. Hospitals owe complete honesty to their employees, patients, and their families (my article on hospitals’ responsibilities and potential liabilities). Many patients would not want to risk a higher number of complications or long-lasting harm if they were given a choice.
Experience shows that administrators and doctors need to take the threat of cyberattacks more seriously. Everybody must understand how IT issues impact the quality of care provided to patients.
The government should pass a law penalizing hospitals that rely on outdated software and equipment, do not implement preventive actions, or avoid notifying patients about risks associated with ongoing cybersecurity attacks.
Recommended Articles:
Analysis of the case where death of the baby is alleged to be due to cybersecurity attack on the hospital computer networks.
When hospital can be found liable in litigation involving newborns treated in the NICU?