We need mandatory HCP cybersecurity education and training


When I was a medical student and resident, I learned nothing about cybersecurity. When I was a faculty member, I neither taught nor learned anything about cybersecurity. In fact, the extent of my digital health knowledge, skills, attitudes and competencies amounted to remembering the username and passwords for 5 different EMRs in our affiliated hospitals so we could pull up records when we were on call. God forbid if we didn't know the CBC on Mrs. Anthony at morning report.

Now I am learning that hackers can corrupt AI imaging algorithms.

An Illinois hospital will shutter its doors in part because of a devastating cyberattack, which experts say makes it the first hospital to publicly link criminal hackers to its closure.

Now we have a tridemic: COVID, the flu and software viruses, malware and ransomware. The root cause of each is that people are not doing what public health and security experts have recommended to prevent, mitigate and respond to breakouts. Add measles, and there are, arguably, four viruses. The results?

A recent survey by Imperva revealed that one in 10 healthcare organizations has paid a ransom. Tens of millions of patients have had their information compromised by these cyberattacks. In June of 2019, the American Medical Collections Agency elected to file bankruptcy after exposing the records of 25 million patients. Of the 948 entities impacted by ransomware attacks in the United States, 759 were healthcare providers, at a potential cost in excess of $7.5 billion.

There have been over 10 million COVID cases in the US, and the number is surging.

The number of measles cases increased 556% from 132,490 in 2016 to 869,770 in 2019, the most reported cases since 1996.

For healthcare organizations — from small practices to large systems — devising actionable, well-defined cybersecurity strategies is imperative as cyberattacks against the healthcare industry and their associated costs continue to grow. Atop the list of strategies, perhaps at the pinnacle, is developing and executing a robust cybersecurity training program for staff members.

A survey of more than 600 healthcare professionals (HCPs) conducted by Merlin International and the Ponemon Institute revealed that about half of the participants felt that “lack of employee awareness and training affects their ability to achieve a strong security posture;” almost three-fourths of participants “cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture.”

In 2017, for the first time, the FDA recalled an implantable pacemaker because of concerns that it could be hacked. And in October 2018, after hackers showed they could remotely manipulate another popular pacemaker, the manufacturer temporarily shut down part of its Internet network while working to secure the devices.

So, how do we close the healthcare professional cybersecurity education and training gaps?

Maybe we should take a page out of the DARPA playbook.

The Biden budget includes funds to launch the Advanced Research Projects Agency for Health (ARPA-H). The discretionary request calls for $6.5 billion to launch ARPA-H within the National Institutes of Health (NIH). With an initial focus on cancer and other diseases such as diabetes and Alzheimer’s, this major investment in federal research and development will drive transformational innovation in health research and speed application and implementation of health breakthroughs.

Here is what a cybersecurity plan should include.

Here is why all students, trainees and healthcare professionals, not just CMIOs and the CIOs, need cybersecurity training.

In considering useful parameters for this assessment, the WDTG (Workforce Development Task Group) observed that there are two “buckets” for cybersecurity education and training in the healthcare sector. The first is the cybersecurity training necessary for a healthcare professional to do their job. This falls into the category of “cybersecurity awareness” of business-side employees to take necessary administrative (non-technical) steps to protect personal identity information (PII) or protected health information (PHI), or avoid missteps such as falling for social engineering threats or practicing unsafe online activities on enterprise networks or applications. This training is not technical and there is no presumption that the recipients’ jobs are technical in nature. This falls under the “Cybersecurity is Everyone’s Job” guidebook, which is a work product of the NICE working group subgroup. The other bucket involves technical personnel whose roles involve the management of data, information technology, network and application security, and some of the newer blended information and device management roles in the healthcare field.

Here are some suggestions on how to measure and address the gaps in knowledge, skills, abilities and competencies of your healthcare professional workforce.

Vermont Governor Phil Scott this week ordered the state Army National Guard's Combined Cyber Response Team to help in responding to a cyberattack against the University of Vermont Health Network.

Calling in the cavalry won't solve the problem. The hidden enemies are too clever. Every medical school and residency training program should require digital health education and training, including cybersecurity, as part of a mandatory healthcare professional digital health course.

That's only the first step since a software virus vaccine is a long way off. We need a cyberczar to run CARPA.

Arlen Meyers, MD, MBA is the President and CEO of the Society of Physician Entrepreneurs

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
