Cyber Security Threats to Public Health

Daniel J. Barnett, MD, MPHAssociate Professor

Department of Environmental Health SciencesJohns Hopkins Bloomberg School of Public Health

The Problem

• “Everything gets hacked” – Bruce Schneier

• HITECH Rollout

– Increased electronic healthcare infrastructure

– Minimal coincident healthcare security

• Healthcare as a “tantalizing opportunity” for cyberterrorism (Harries & Yellowlees 2013)

Blackouts…

…Chemical Spills…

…and Targeted Attacks?

Attack Scenarios

• EMR Data -> Targeted blackmail/broad-scale mistrust in healthcare

• Public Infrastructure -> Large-scale crisis

• Medical Devices and Hospital Infrastructure -> Direct attacks on patients and providers

Healthcare seems to “[lag] behind the other critical industries, mostly because of its diverse,

fragmented nature and a relative lack of regulation when compared with, say, the

energy industry.” (Colias, 2004)

What can we leverage?

Barnett, Kirk, Lord, et al., 2013

Health Care Delivery System

• Vulnerabilities

– Power/public utilities dependency (GAO, 2012b)

– Direct attacks/hacking (Kramer et al., 2012)

– Theft/loss of data

• Strengths

– Specialized skill sets

– Tested in stressful situations

– Used to coordinating complex workflows

Homeland Security and Public Safety

• Vulnerabilities

– Communication disruption in EMS (Kun, 2002)

– Overload of a physical attack + cyber attack (Gellman, 2002)

– Coordination is a challenge (Lord & Sharp, 2011)

• Strengths

– Scale

– Training

– Unique portfolio of force use

Employers and Businesses

• Vulnerabilities

– Ill-prepared for physical attacks

– Minimally-prepared for cyber attacks

– Part of medical supply chains (De Olivera et al., 2011)

• Strengths

– Diversity of industry

– Nexus for both production and centralizing citizenry

The Media

• Vulnerabilities

– Communications/utilities dependent

• Strengths

– Scope of reach and role as “legitimator” of information (Wray et al., 2004)

– Social media coordination capcity (DHS, 2012)

Communities

• Vulnerabilities

– Highly vulnerable to public health effects

– Lack backups and redundancies of other groups ( Clem et al., 2003)

– Social unrest possible (Choo, 2011)

• Strengths

– They’re our friends, neighbors and strongest allies when properly mobilized and informed

Academia

• Vulnerabilities

– Limited capacity to respond during an attack (Wray et al., 2004)

• Strength

– Tremendous capacity to prepare for an attack (IOM, 2002)

Governmental PH Infrastructure

• Vulnerabilities

– Subject to the same physical and cyber threats as other actors

• Strengths

– Can serve as a centralized actor and facilitator in public health emergencies

How do we convene these disparate groups to proactively and creatively mitigate our respective vulnerabilities, and develop resilient systems that utilize our unique strengths?

Our 2013 publication discusses a list of 10 recommendations for utilizing these resources...

…but we need more than publications on this topic…

…we need real, actionable solutions, and the means to implement them

Next Step

• Creation of a Common Resource Core

– A Public Health Cybersecurity Partnership

• A method for convening the public sector, the private sector and academia

• A nexus for understanding the threat landscape and implementing solutions

4 C’s

We need a resource that can:

- Convene all necessary parties

- Comprehend the threat

- Create the tools we need

- Collaborate on an ongoing basis

What Comprises the PHCP?

• Risk Analysis Resources Core

• New Tool R&D Group

• Evidence-Informed Training

• Inter-Institutional Exchanges

Step One – Haddon Matrix

22

The Haddon Matrix

Reference & Special Acknowledgements

• Barnett DJ, Sell TK, Lord RK, Jenkins CJ, Terbush JW, Burke TA. Cyber security threats to public health. World Medical & Health Policy 2013; 5(1): 37-46.

• Robert K. Lord, Johns Hopkins University School of Medicine

• Capt James Terbush, MD, MPH, USN (Ret.), Martin, Blanck & Associates

Thank You

• Questions?

• dbarnet4@jhu.edu

• (410) 502-0591