This article was originally published in the Summer 2023 issue of NACCHO Exchange. It is being run here in recognition of Cybersecurity Awareness Month.
By Leanne H. Field, Ph.D., Clinical Professor; Founding Director, Public Health Program, The University of Texas at Austin; Chair, Public Health Subsector, Health Sector Coordinating Council, Cybersecurity Working Group; Robert Bastani, CISSP-ISSMP, CISM, CRISC, Senior Cyber Security Advisor, Co-Chair of Healthcare and Public Health Joint Cyber Security Working Group, Administration for Strategic Preparedness and Response (ASPR), Department of Health and Human Services (HHS), and Greg Garcia, Executive Director, Cyber Security, Health Sector Coordinating Council
This special issue of the NACCHO Exchange is dedicated to the National Health Security Strategy (2023–2026) developed by the Administration for Strategic Preparedness and Response (ASPR), U.S. Department of Health and Human Services (HHS).1 The goal of this national strategy is to provide a “whole-of-nation approach to prepare for, protect from, respond to, and recover from the adverse health effects of public health emergencies and disasters.” One of the important issues highlighted in the report is the threat of cyberattacks from threat actors at home and abroad. These unrelenting attacks put individuals’ data at risk and can cause irreparable harm to patients in healthcare settings, and they also threaten the delivery of essential public health services, including emergency responses, by state, local, tribal and territorial (SLTT) public health organizations.2
Cyber threats to the healthcare and public health sectors are expanding.
According to the HHS Office for Civil Rights,3 which enforces Health Insurance Portability and Accountability Act (HIPAA) data breach reporting:
- Healthcare data breaches of 500 or more records (name, address, medical and financial records) increased from 329 to 715 between 2017 and 2021, with the number of individuals affected ranging between 20 million and 50 million.
- In 2022, there were 707 data breaches, more than half of which occurred against third-party business associates.
- Of the 52 million data records exposed in 2022, 43.9 million, or 84%, were caused by hacking.
And according to IBM’s Cost of a Data Breach 2022 report:4
- For the 12th year in a row, the health sector had the highest costs for a data breach, followed by financial, pharmaceuticals, technology, and energy.
- The average breach cost in healthcare increased by nearly $1 million and is now $10.1 million.
- Costs have also increased over 40% in the last two years.
Finally, according to the Journal of the American Medical Association (JAMA) Health Forum, from 2016 to 2021:5
- 374 ransomware attacks on U.S. healthcare delivery organizations exposed the protected health information of nearly 42 million patients.
- The annual number of ransomware attacks more than doubled from 43 to 91.
- Almost half of ransomware attacks disrupted the delivery of healthcare, with common disruptions including electronic system downtime, cancellations of scheduled care, and ambulance diversion.
As the numbers above make clear, cyber threats that directly impact public health organizations are not theoretical. In December 2021, a cyberattack caused the Maryland Department of Public Health to take its website offline for days, disrupting COVID-19 response and other routine public health services.6 In August 2022, the Fremont County Department of Public Health and the Environment in Southern Colorado and other government services were closed for nearly a month following a ransomware attack.7
The healthcare and public health ecosystems are digitally connected, and these connections introduce new vulnerabilities into the data systems and surveillance networks that are vital to rapidly detect threats and launch effective responses. Working with the Association of State and Territorial Health Officials (ASTHO), National Association of County and City Health Officials (NACCHO) and Big Cities Health Coalition, the CDC Foundation is leading an important new, post-COVID-19 initiative to modernize data across the federal and state public health landscape, with the goal of facilitating the secure, interoperable movement of data and ensuring accurate and rapid response to emerging infectious diseases and other threats to our country.8, 9 Keeping this vital information flowing and safe from cyberattacks is essential to the United States’ health security.
The vision of the NHSS is for our country to work collaboratively “across sectors to be secure, resilient, and adaptive in the face of emerging and evolving health security threats.”1 One of the guiding principles of the strategy is to form inclusive and strategic partnerships “to bring together the best minds and resources to advance health security capabilities.”1 In the past five years, new partnerships have been formed or accelerated between the private and public sectors, and these have strengthened the country’s preparedness and response, and the ability to build resiliency to cyber incidents.
Most prominent among these partnerships is the collaboration between HHS and the Healthcare and Public Health Sector Coordinating Council (HSCC) and its Cybersecurity Working Group (CWG). The CWG involves around 400 health providers, medtech, pharmaceutical, health IT, and payer companies working together and with government to identify and mitigate ongoing systemic cybersecurity threats to the sector and patient care.10 HHS is part of a federal network of critical infrastructure agencies coordinated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in a national strategy to ensure the security and resiliency of the nation’s 17 critical sectors including healthcare, IT and telecommunications, energy, financial services, water, transportation, and others.11
In October 2022, in response to the need to strengthen state, local, tribal, and territorial (SLTT) resilience and preparedness against cyberattacks, the HSCC CWG issued a Call to Action to form a new joint public-private Public Health-Cybersecurity Task Group (PH-CTG) to identify strategies for strengthening the awareness and management of cybersecurity issues in SLTT organizations. The task group is being co-led by Leanne H. Field, Ph.D., Chair, Public Health Subsector, HSCC Executive Committee and Clinical Professor and Founding Director of the Public Health Program, The University of Texas at Austin, and Bob Bastani, CISSP, CISM, CRISC, Senior Advisor and Co-Chair of the Health and Public Health (HPH) Government Coordinating Council (GCC) and Joint Cyber Working Group, Healthcare and Public Health Sector, Critical Infrastructure Protection, ASPR, HHS. The new task group, which kicked off in February 2023 with more than 50 volunteer members, has several concrete goals, including:
- Summarize the scope of practice of the SLTT organizations;
- Work with leaders of public health professional organizations [ASTHO, Association of Public Health Laboratories (APHL), NACCHO, and Big Cities Health Coalition], and key government agencies [CDC and Indian Health Services Agency] to investigate the current cyber preparedness and response capabilities of SLTT public health organizations, summarizing patterns and trends;
- Explore how private-sector capabilities can be utilized to improve the cybersecurity posture of public health;
- Provide recommendations for improving the cybersecurity readiness of the SLTT public health community;
- Identify potential policy and regulation enhancements;
- Explore investment opportunities through funding, including grants to improve the cybersecurity and resiliency of the public health infrastructure;
- Document available cyber resources that could benefit public health communities; and
- Deliver a report of task group findings to the HPH Sector Coordinating Councils of the HSCC and GCC, CWG, including action plans for next steps.
On November 15, 2022, senior leadership of NACCHO, ASTHO, and Big Cities Health Coalition wrote a letter to the Secretary of the U.S. Department of Health and Human Services to highlight the urgency of including public health in cybersecurity initiatives. The letter observed that while nearly all local health departments (LHDs) have expressed concern about the impacts of the cybersecurity threats to their communities, only a small percentage are adequately prepared to respond to major threats. The letter stated that while the federal government has rightfully recognized the need to strengthen cybersecurity across a range of industries and sectors, cybersecurity efforts should consider the unique needs of health departments of different jurisdictional levels and sizes (i.e., state, local, tribal, and territorial), as well as health departments in both rural and urban settings.
The letter further encouraged HHS to work with other federal partners, including CISA, as part of a cross-agency collaboration to impress upon its federal partners the importance of engaging with local and state health department partners.
To date, the PH-CTG has held six meetings and task group members have heard from leaders of multiple professional public health organizations, including NACCHO. Dennis Small, Senior Advisor for IT, is NACCHO’s representative to the task group, and he and Sara Black, Senior Advisor, have presented to the task group members about NACCHO’s strategic priorities, federal policy priorities, and key issues for LHDs in 2023. Black also highlighted findings from the 2018 Preparedness Profile Assessment12 and the 2022 Preparedness Profile Study Preview Report13 that provide some data about the preparedness of local public health agencies to respond to cybersecurity incidents. Both reports gathered information from a statistically representative sample of preparedness coordinators, individuals at LHDs who have “significant responsibility for leading or coordinating a LHD’s disaster/emergency preparedness planning and response activities.”12,13 In both reports, LHDs were stratified by the size of the population served into small, medium, and large.
The 2018 report positively highlighted that while LHDs focused on community preparedness activities including infectious disease, emergency risk communications, and medical countermeasure dispensing, less than 25% of LHDs reported carrying out training and exercises for cybersecurity, critical infrastructure issues, and terrorist threats.12 Similar findings were reported in the 2022 Preparedness Profile Study Preview Report, in which 37%, 51%, and 55% of LHDs reported no activities related to cybersecurity, critical infrastructure protection, and terrorist threats, respectively.13 Both reports indicated that smaller LHDs were more likely to report no activities than larger LHDs.
Based on these findings, there are clear opportunities for SLTT agencies to increase their preparedness to meet these rapidly evolving threats by building new and effective public and private partnerships with organizations that have expertise in cybersecurity and critical infrastructure protection. It is the goal of the PH-CTG to work with NACCHO leadership and NACCHO members to not only strengthen the awareness of the threats among LHDs, but also to suggest new strategies and recommend new resources that can address these threats. The task group’s goals align well with the goals of the NHSS to work across sectors “to be secure, resilient, and adaptive in the face of emerging and evolving health security threats.”1
We welcome participation by any member of NACCHO who would like to join us in this important effort to strengthen the preparedness and resiliency of LHDs, which are on the front lines to protect local communities across the country.
For more information, see https://HealthSectorCouncil.org or contact Mr. Garcia.
References:
1 National Health Security Strategy 2023–2026. ASPR. https://aspr.hhs.gov/NHSS/National-Health-Security-Strategy-2023-2026/Pages/default.aspx
2 Essential Public Health Services. Centers for Disease Control and Prevention. https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html
3 HIPAA Data Breach Report to Congress. HHS Office for Civil Rights. https://www.hhs.gov/sites/default/files/breach-report-to-congress-2021.pdf
4 IBM’s Cost of a Data Breach 2022 report - a million-dollar race to detect and respond. IBM. https://www.ibm.com/reports/data-breach
5 (2022). Neprash, H.T., C.C. McGlave, D.A. Cross, et al. Trends in Ransomware Attacks on US Hospitals, Clinics and Other Healthcare Delivery Organizations, 2016 – 2021. JAMA Health Forum 3(12):e224873 https://jamanetwork.com/journals/jama-health-forum/fullarticle/2799961
6 (January 8, 2022). Maryland health workers, lawmakers want answers as problems persist a month after cyberattack. Washington Post. https://www.washingtonpost.com/dc-md-va/2022/01/08/cyberattack-still-disrupting-maryland-department-of-health/
7 (August 17, 2022). KRDO News. Fremont county government services closed due to a cybersecurity breach. https://krdo.com/news/2022/08/17/fremont-county-government-services-closed-due-to-a-cyber-security-breach/
8 Examples of Our Current Data Modernization Work. CDC Foundation. https://www.cdcfoundation.org/datamodernization/current-work
9 Accelerating Public Health Data Modernization Through Public Private Partnerships. CDC Foundation. https://www.cdcfoundation.org/pr/2023/CDC-ONC-Industry-Days
10 Healthcare and Public Health Sector, Cybersecurity Working Group. https://healthsectorcouncil.org/
11 Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/
12 (December 2018). The Public Health Emergency Preparedness Landscape: Findings from the 2018 Preparedness Profile Assessment. NACCHO. https://www.naccho.org/uploads/downloadable-resources/2018-Preparedness-Profile-Report_external_final.pdf
13 (2022). Preparedness Profile Study Preview Report. NACCHO. https://www.naccho.org/uploads/downloadable-resources/2018-Preparedness-Profile-Report_external_final.pdf