Embed Size (px)
Citation preview
Cyber Security Threats to Public Health
Daniel J. Barnett, MD, MPHAssociate Professor
Department of Environmental Health SciencesJohns Hopkins Bloomberg School of Public Health
The Problem
• “Everything gets hacked” – Bruce Schneier
• HITECH Rollout
– Increased electronic healthcare infrastructure
– Minimal coincident healthcare security
• Healthcare as a “tantalizing opportunity” for cyberterrorism (Harries & Yellowlees 2013)
Blackouts…
…Chemical Spills…
…and Targeted Attacks?
Attack Scenarios
• EMR Data -> Targeted blackmail/broad-scale mistrust in healthcare
• Public Infrastructure -> Large-scale crisis
• Medical Devices and Hospital Infrastructure -> Direct attacks on patients and providers
Healthcare seems to “[lag] behind the other critical industries, mostly because of its diverse,
fragmented nature and a relative lack of regulation when compared with, say, the
energy industry.” (Colias, 2004)
What can we leverage?
Barnett, Kirk, Lord, et al., 2013
Health Care Delivery System
• Vulnerabilities
– Power/public utilities dependency (GAO, 2012b)
– Direct attacks/hacking (Kramer et al., 2012)
– Theft/loss of data
• Strengths
– Specialized skill sets
– Tested in stressful situations
– Used to coordinating complex workflows
Homeland Security and Public Safety
• Vulnerabilities
– Communication disruption in EMS (Kun, 2002)
– Overload of a physical attack + cyber attack (Gellman, 2002)
– Coordination is a challenge (Lord & Sharp, 2011)
• Strengths
– Scale
– Training
– Unique portfolio of force use
Employers and Businesses
• Vulnerabilities
– Ill-prepared for physical attacks
– Minimally-prepared for cyber attacks
– Part of medical supply chains (De Olivera et al., 2011)
• Strengths
– Diversity of industry
– Nexus for both production and centralizing citizenry
The Media
• Vulnerabilities
– Communications/utilities dependent
• Strengths
– Scope of reach and role as “legitimator” of information (Wray et al., 2004)
– Social media coordination capcity (DHS, 2012)
Communities
• Vulnerabilities
– Highly vulnerable to public health effects
– Lack backups and redundancies of other groups ( Clem et al., 2003)
– Social unrest possible (Choo, 2011)
• Strengths
– They’re our friends, neighbors and strongest allies when properly mobilized and informed
Academia
• Vulnerabilities
– Limited capacity to respond during an attack (Wray et al., 2004)
• Strength
– Tremendous capacity to prepare for an attack (IOM, 2002)
Governmental PH Infrastructure
• Vulnerabilities
– Subject to the same physical and cyber threats as other actors
• Strengths
– Can serve as a centralized actor and facilitator in public health emergencies
How do we convene these disparate groups to proactively and creatively mitigate our respective vulnerabilities, and develop resilient systems that utilize our unique strengths?
Our 2013 publication discusses a list of 10 recommendations for utilizing these resources...
…but we need more than publications on this topic…
…we need real, actionable solutions, and the means to implement them
Next Step
• Creation of a Common Resource Core
– A Public Health Cybersecurity Partnership
• A method for convening the public sector, the private sector and academia
• A nexus for understanding the threat landscape and implementing solutions
4 C’s
We need a resource that can:
- Convene all necessary parties
- Comprehend the threat
- Create the tools we need
- Collaborate on an ongoing basis
What Comprises the PHCP?
• Risk Analysis Resources Core
• New Tool R&D Group
• Evidence-Informed Training
• Inter-Institutional Exchanges
Step One – Haddon Matrix
22
The Haddon Matrix
Reference & Special Acknowledgements
• Barnett DJ, Sell TK, Lord RK, Jenkins CJ, Terbush JW, Burke TA. Cyber security threats to public health. World Medical & Health Policy 2013; 5(1): 37-46.
• Robert K. Lord, Johns Hopkins University School of Medicine
• Capt James Terbush, MD, MPH, USN (Ret.), Martin, Blanck & Associates
