Public health increasingly facing cybersecurity threats: Health field a top target for attacks
==============================================================================================

* Kim Krisberg

In November, personal data from New Hampshire’s top public health agency was hacked and posted on social media sites. Health officials and partners acted quickly to take down the information and warn affected residents to monitor their finances for signs of identity theft.

The cybersecurity breach at the New Hampshire Department of Health and Human Services is still a fairly uncommon occurrence in public health, but experts say that the field’s level of readiness for such an event could make it an easy mark. While hospitals and health care systems work to beef up their defenses against cyberattacks, more hackers may see public health as a soft target.

According to a 2015 report from industry consultant Accenture, cyberattacks will cost U.S. health systems $305 billion in revenue and affect 1 in 13 patients in the next five years. In 2016, the Brookings Center for Technology Innovation reported that 1,500 health-related cyberattacks had exposed the personal information of more than 155 million Americans, with the cost of health care data breaches the highest of all industries.

[Figure 1](http://www.thenationshealth.org/content/47/4/1.2/F1): Cyberattacks are predicted to cost U.S. health systems $305 billion in revenue and affect 1 in 13 patients in the next five years. Photo by PeopleImages, courtesy iStockphoto

Steve Curren, MSFS, director for the Division of Resilience with the U.S. Department of Health and Human Services’ Office of the Assistant Secretary for Preparedness and Response, said the health care industry is now the No. 1 target of cyberattacks.

“Part of that trend is better reporting on health care breaches, but it’s also an increased targeting of health care,” Curren told *The Nation’s Health.* “But one thing important to note is that this doesn’t just impact health care. It’s public health, too.”

Extracting a ransom is not typically the goal with a public health hack, though it is a common demand in health care. Instead, Curren said, hackers targeting health agencies are likely looking to steal personal data that can be used to defraud individual consumers. Public health agencies have information useful to cybercriminals, such as addresses, phone numbers and Social Security numbers. In 2016, he said there were at least four known cyberattacks against state and local public health departments that compromised nearly 800,000 individual records.

Most of the cyberattacks on public health were about stealing information, so the breaches likely did not impact the agencies’ operations. But attackers often target operations and infrastructure in health-related breaches, knowing that it is particularly difficult for facilities such as hospitals to experience any downtime at all, Curren said. Some attackers, for instance, have locked up a facility’s data systems in demand for ransom, while others flood a hospital or emergency call center with so many calls that the system freezes.

And it seems hackers are always looking for a softer target. Curren said it is probably not a coincidence that hospitals became a more popular target as the financial sector scaled up its defenses against attacks.

“Any all-hazards plan in this day and age should have a cybersecurity component to it,” Curren said. “It’s certainly a threat today and appears to be the threat of the future. We need to think through what are the potential attacks we face and what (are) the attacks our partners could face that could have a cascading effect on public health.”

Deborah Levy, PhD, MPH, former chief of the Healthcare Preparedness Activity at the Centers for Disease Control and Prevention, said “there’s definitely more bang for the buck on the health care side rather than the public health side” for cybercriminals, but an attack on a public health agency could have serious impacts to an agency’s work and reputation. For instance, a breach of public health data could erode confidence in an agency’s ability to keep personal data safe — and because so much vital public health data collection is voluntary, trust is key.

Then there is the integrity of public health data, said Levy, who now serves as chair and professor in the Department of Epidemiology at the University of Nebraska Medical Center College of Public Health. A hacker could say data had been compromised, and without proof to the contrary, research projects and datasets could be lost.

Levy, an APHA member, noted that CDC has identified 15 public health preparedness capabilities, including information sharing. In protecting that capacity, “it doesn’t work if just one entity is doing it — if only one side is paying attention to cybersecurity,” she said. Last year, CDC released a “Healthcare Organization and Hospital Discussion Guide for Cybersecurity,” to which Levy contributed, aimed at helping hospitals and health care systems protect themselves against cyberattacks.

As for public health attention to the risk, Levy said she realizes that cybersecurity “is not going to be at the top of the list.” But she encouraged public health agencies to integrate cybersecurity into broader vulnerability assessments.

“Just as you want your internet technology systems to be resilient for everyday functions, you want it to be equally resilient for something like this,” Levy told *The Nation’s Health.*

[Figure 2](http://www.thenationshealth.org/content/47/4/1.2/F2): In 2016, 1,500 health-related cyberattacks exposed the personal information of more than 155 million Americans, according to the Brookings Center for Technology Innovation. Photo by Jxfzsy, courtesy iStockphoto

An even broader risk associated with a cyberattack is that “the public health system is inseparable from or linked to so many other sectors,” said Justin Snair, MPA, senior program officer for health security at the National Academies of Science, Engineering and Medicine, who spoke on his own behalf. For instance, he said a public health agency would be impacted by a cyberattack on an electrical grid, whereas an attack on the banking industry could impact a hospital’s payment processes and supply procurement.

“It’s that interruption of services that can really have a public health impact,” said Snair, who previously served as senior program analyst for critical infrastructure and environmental health security at the National Association of County and City Health Officials. “Our reliance on technology has been incentivized…and that’s good, but it also leaves us vulnerable.”

Snair said it is not only health-related data and systems at risk, but physical infrastructure, too. When Snair worked at the Acton Public Health Department in Massachusetts, he said lightning hit the sewer system and stopped the pumps. Fortunately, the problem was quickly fixed and the health department, which has oversight over the sewer system, had a response plan in place. But Snair said it highlighted just how much a community relied on computerized systems to run vital services.

“Not all threats are threats to data,” he said. “Some people just want to cause problems. They’re identifying soft targets, and health departments might be at risk because they could be viewed as soft targets.”

Like Levy and Curren, Snair said public health agencies should integrate cybersecurity into their all-hazards preparedness activities. As a fellow of the National Preparedness Leadership Initiative at Harvard University, Snair is part of a team researching the barriers keeping state and local health agencies from participating more in national discussions about critical infrastructure protection, including the threat of cyberattacks. He said that some state health agencies have either participated or have the ability to participate, while the issue is fairly absent at the local public health level.

Snair said that preventing a cyberattack takes technological knowledge, but it also means educating individual staff. Stopping an attack could be as low-cost as teaching and reminding staff to recognize email malware and phone calls fishing for security information.

“People are one of the biggest vulnerabilities,” Snair said. “So have operational security days.”

Cybersecurity has become a high priority for HHS in the last several years, Curren said. In 2015, President Barack Obama signed the Cybersecurity Act of 2015. Among its health measures, the law called for the formation of a task force to examine cybersecurity challenges in the health care sector and gather best practices. The HHS Office of the Assistant Secretary for Preparedness and Response was charged with coordinating that task force, which first met in April 2016. As of this April, the task force was finalizing its report and recommendations for the health industry, and a final product was expected to be delivered to Congress in May.

Also at the federal level, HHS awarded a grant in 2016 to the National Health Information Sharing and Analysis Center to help share information on health care cybersecurity and engage participation from smaller groups, including public health agencies.

Curren noted that HHS’ Critical Infrastructure Protection Program, which is under his division and focused on building resiliency within health care and public health, has traditionally focused on physical threats. However, the program is increasingly focused on cyberthreats, which “can have a national-level impact on health care,” he said.

To learn more about health and cybersecurity, visit [www.phe.gov](http://www.phe.gov).

* Copyright The Nation’s Health, American Public Health Association