Abstract
Cyber-attacks on healthcare institutions have increased in recent years and have made headlines through the COVID-19 pandemic. With the fallout of attacks increasingly reported in academic research and in the media, there is a real urgency to address cyber-threats that must be augmented across and within health systems. Until now, clinical healthcare professionals have considered cyber-attacks on healthcare organisations a predominantly information and communication technology issue, but this perception is no longer fit-for-purpose. This commentary provides insights into the scale of cyber-attacks and their impact on staff wellbeing, arguing that cybersecurity education for all staff in healthcare organisations must be improved through online resources, simulation, and gaming. The role of national educators, policymakers, and multilateral organisations in achieving this is outlined alongside implications for future policy and practice.
Cybersecurity in healthcare is not a duty or an obligation but an act of responsibility. When patients and families entrust their lives to the health system and its professionals, their complete commitment to excellence in delivery is a basic expectation.
The increase in cyber-attacks on healthcare institutions has made headlines through the COVID-19 pandemic.1,2 A ransomware attack on the Irish health system in May 2021 was a reminder of how much disruption cyber-attacks can cause healthcare services. 2 However, this threat to healthcare organisations and patient safety is not new; cyber-attacks have intensified with the increased use of digital technology in healthcare.
We know that clinical healthcare professionals have previously considered cyber-attacks on healthcare organisations a predominantly information and communication technology (ICT) issue, but the nature and increased frequency of attacks is turning that dichotomy on its head. Table 1 outlines the two most common types of attacks, and recent examples from healthcare, according to findings from the 2021 HIMSS Healthcare Cybersecurity Survey. 3 Clinical staff are at the eye of the storm, but are often not provided the tools and education to address these challenges.
Table 1. Common types of cyber-attacks and recent examples from healthcare.
When hackers rendered the Dusseldorf University Hospital computer system inoperable in November 2020, this resulted in the shutdown of services, forcing a patient to be transferred to a hospital 60 km away. 1 Consider the experience of clinicians caring for the 78-year-old woman who subsequently died en route. They were not to blame for the attack and its outcome (the Health Minister of North Rhine-Westphalia was warned of weaknesses within healthcare IT systems in the weeks prior), but in general, loss of life undoubtedly weighs on clinical staff, including medical students. 8
Sensitising students to digital health technologies is rightfully now increasing in academia and healthcare. 9 Cybersecurity is an integral component of safe and effective health technology use, as well as patient safety in the modern era, and must be core to this conversation and subsequent planning. As part of this, all future healthcare professionals, as the regular users of digital health technologies, gatekeepers of patient information, and most importantly, frontline providers of care to patients, must be made aware of cyber risks and threats towards the development of a ‘human firewall’ as staff engage increasingly effectively in cybersecurity.10,11 This is the first step to enable them to prepare both practically for threats they can mitigate, and psychologically for those they cannot. 12 Yet current academic literature on teaching cybersecurity to students and medical professionals focuses on cybersecurity as an element of training on complex digital health technologies, such as artificial intelligence. 13 But have we missed a step, or more importantly, how many opportunities have we missed during their educational experience?
The value of strong cybersecurity in novel digital health technologies is clear. Yet these areas of health technology are in their infancy at the global level. Across health systems, the majority of cybersecurity breaches stem from phishing emails, negligence or inappropriate accessing of data, 14 rather than attacks on complex technologies. The huge scale of these simple attacks is known: staff at one UK NHS institution received 18,871 email phishing threats in a 1-month period, 2.2% of all emails received. 15 The system is often complicit in the ergonomics of clinical error, which becomes highly relevant when we consider that healthcare workers with a high workload are significantly more likely to open a phishing email (Figure 1). 16

Figure 1. Summary of threat message activity during a 1-month period reported by Priestman et al. 15 Reproduced under licence: CC BY-NC.
Cybersecurity should not be an add-on to ICT training, yet it has been noted that there are no widespread educational techniques to train clinical staff to identify and manage cyberattacks in the clinical realm (e.g. attacks on medical devices), 17 nor their role in larger scale cyber-attacks on their organisation. Educating students across healthcare disciplines on the basics of cybersecurity, types of attacks, where and how cyber-attackers are most likely to target individuals, their role in maintaining security, and the connection between cybersecurity and patient safety, 18 are fundamentals that are being overlooked alongside greater efforts to build a culture of responsibility around cybersecurity. The challenges of organisational hierarchies, poor reporting cultures, and fear of speaking up must also be discussed openly in the context of a suspected cyber-attack.
A range of tools or concepts can be utilised or built upon to aid the teaching of cybersecurity. For example, Health Education England offers NHS staff access to short, online learning programmes, including a programme entitled ‘Data security awareness’, as part of the Technology Enhanced Learning: Digital education programme. 19 The need to make such education fun and easy to assimilate calls for simulation and gaming techniques to be employed more often in the teaching–learning process. As simulation is already widely used in medical education, its use in cybersecurity training lends itself to incorporation within clinical training activities. 17 National educators and policymakers can explore other areas of patient safety education to develop tools. Multilateral organisations should aid efforts through the creation of educational tools at the global level.
The COVID-19 pandemic has ushered in a new era of digital health expansion but has brought the lucrativeness of cyber-attacks on healthcare organisations into view for malicious actors. Cyber-attacks are a permanent and substantial threat to health systems. It is not solely the responsibility of the ICT sector or ICT departments to respond. All medical education programmes must advance curriculums and priorities to train clinical staff to prepare for, and address, cybersecurity threats as they would any other element of patient safety. Well prepared students will support and advance safer health systems in the long term.
Footnotes
Acknowledgements
This work has not been previously published.
Author contributions
NO and MD conceptualised the manuscript. NO and MD led in the writing of the original draft manuscript, with input from SG and AS. All authors (NO, SG, AS, MD) equally contributed to the writing, reviewing, and editing to develop the final draft. All authors approved the version submitted for publication.
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Ethical approval
Not applicable.
Funding
The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Infrastructure support for this work was provided by the NIHR Imperial Biomedical Research Centre.
Guarantor
No.
