October is National Cybersecurity Awareness Month, which provides us in the public health emergency management community a time to think about how we prepare for and respond to cybersecurity incidents within the context of all hazards. One thing has become increasingly clear over the past several years: cybersecurity is not just an IT problem. It also is a patient safety issue and it is increasingly an emergency management issue. This year healthcare organizations throughout the nation have been hit by an unprecedented round of ransomware attacks, which have temporarily incapacitated critical functions within hospital systems and led to disruptions in normal operations. These attacks have led facilities to implement emergency management plans, stop taking new patients, and cancel elective procedures. Responding to cybersecurity attacks has required close coordination among emergency managers, IT managers, healthcare staff, and law enforcement agencies to bring systems back on-line while mitigating the impacts of the attacks on patient care.
Two public events next week will showcase the work that ASPR and our HHS and other Federal Government, state, local, and private sector partners are undertaking to promote patient safety by promoting effective cybersecurity through two different bodies: the Healthcare and Public Health Sector Coordinating Council and the Health Care Industry Cybersecurity Task Force.
On October 24 and 25, the ASPR Critical Infrastructure Protection Program will host the annual partnership meeting of the Healthcare and Public Health Sector Government Coordinating Council and Sector Coordinating Council. This year’s meeting will focus on resilience, risk and reward within the critical infrastructure of the U.S. healthcare and public health sector, including a session-specific track focused on cybersecurity. The cybersecurity track will feature discussions on issues related to the management of cybersecurity threats, recent policy developments, information sharing coordination, and other topics that can help you prepare for, respond to and recover from a cybersecurity attack. The Healthcare and Public Health Sector Government Coordinating Council and Sector Coordinating Council represents private sector interests and perspectives in the public-private effort to protect the national healthcare infrastructure. Made up of representatives, organizations, trade associations, and professional societies who operate within the healthcare sector, the Council works to meet the specific needs of owners and operators and to inform and influence government policy and action with regard to infrastructure protection.
On October 26, 2016, Health Care Industry Cybersecurity Task Force will hold its third in-person meeting, which will focus on cybersecurity information sharing activities within the Federal Government and private sector. The meeting will include panel discussions on the Federal approach for healthcare industry cybersecurity and on commercial sector information sharing. HHS established the Health Care Industry Cybersecurity Task Force under the Cybersecurity Information Sharing Act of 2015 to bring together subject matter experts to provide recommendations for increasing healthcare industry cybersecurity in light of recent threats.
Registration is open for both events. See below for registration details:
We hope that you can join us to exchange ideas on improving cybersecurity and information sharing. By working together across industry, government and academia, we can find better solutions to cybersecurity challenges, improve information sharing, and decrease financial and health risks.
Imagine you are on vacation. Your son slips, falls and is unable to walk on his injured leg. Should you go to the emergency department? Or would a retail clinic or urgent care center be better? And would that place have the X-ray machine or other capabilities necessary to care for your son?
Many factors influence when and why people choose to seek care. This is especially true for acute care – like your son’s injured leg – that is often time-sensitive and unscheduled. Some of these factors are personal, like the severity of an individual’s specific health condition; where they prefer to get care; how easy it is for them to get to the places where and when care is available; and what support they have from family and friends. Other factors are related to the communities where people live, like what options are available for care; the quality of that care; and how easy it is to get the other things people need to stay healthy, like housing, food, and support from their community.
Options for acute care in the U.S. are complex, even bewildering. For instance, acute care delivery occurs in many settings, including emergency departments, urgent care centers, retail clinics, doctors’ offices, and by telemedicine. The services and capabilities of these facilities may vary dramatically. People often need help navigating this complex system to choose the best place to go for the care they need and sometimes they need to do it quickly or in an unfamiliar location. Helping people navigate the increasingly complex system is critical.
So, how can we help your injured son get the care he needs after he has fallen on vacation?
The U.S. Department of Health and Human Services (HHS) has recognized that we need a more integrated and patient-centered way to deliver care during our most vulnerable of moments. HHS’s delivery system reform initiatives seek to ensure that the health care system delivers better care, spends health care dollars more wisely and results in healthier people. The Affordable Care Act created a number of new payment models that move the needle even further toward rewarding quality. Providers have a financial incentive to coordinate care for their patients and reduce duplicative or unnecessary x-rays, screenings and tests. This patient-centric approach can and should be extended to the acute care setting.
Accordingly, the ECCC contracted with the George Washington University to develop a Conceptual Model for Management of Acute Unscheduled Care in the U.S. The model helps to disentangle the complex acute care system by describing the options and factors that influence people’s decisions about where, when, and how to receive medical care during their time of need. The model begins with the social and individual determinants of health that influence the likelihood of acute illness and injury, then describes care-seeking decisions, care delivery settings, transitions in care, and how quality care leads to differences in health outcomes and costs.
This conceptual model is the first step in helping people navigate the increasingly complex acute care system. The model addresses the multitude of issues facing the day-to-day healthcare system, and has implications for disaster and public health emergencies that create increased demand.
The full report highlights that the management of acute illnesses, injuries, and exacerbations of chronic conditions is multifaceted and involves many stakeholders (e.g., patients, providers, payers, and policymakers) from across the healthcare system.
HHS will soon announce the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) final rule. Hundreds of thousands of Medicare providers across the country will be asked to choose their own path of participation in the Quality Payment Program – focused on moving the payment system to reward patient-centered care. As we shift to a system of care that rewards health care providers for providing quality care, it is critical to consider the acute care experience through similar lens and reward care coordination that result in better health.
While the Ebola virus disease is not in the news as much now as it once was, we cannot afford to let down our guard. Ebola cases flared up again as recently as this March in West Africa, causing eight deaths in Guinea and one death in Liberia, and more than 30 other outbreaks of the disease have been recorded in the last 40 years.
The Ebola outbreak of 2014-2016 highlighted the urgent need for therapeutics that could increase the survival rate of infected patients and also aid response organizations in their efforts to limit the spread of this deadly virus. ZMapp, developed by Mapp Biopharmaceutical in San Diego with support from several components of the U.S. government, is a combination of three monoclonal antibodies that target the Ebola virus.
Based on a careful review of preclinical studies of various potential therapies, ZMapp was selected for field use and an evaluation of efficacy in the PREVAIL II study in Guinea, Liberia, Sierra Leone and the United States. However, with the decline in the outbreak’s severity came a slowing of the enrollment in the PREVAIL II clinical study, and that study was closed in January before sufficient patients could be enrolled to draw conclusive results about the efficacy of ZMapp, based on predetermined statistical thresholds. The data from this trial have now been published in the October 13 issue of The New England Journal of Medicine (2016;375:1448-56).
Although the trial did not conclusively prove that ZMapp works, the limited data gleaned from PREVAIL II are encouraging, suggesting there was a greater than 90 percent probability that the finding of increased survival amongst patients treated with ZMapp did not occur by chance alone. This trend toward efficacy means it is no longer ethical to continue a trial comparing ZMapp to standard of care; rather, efforts should shift to comparing ZMapp to other promising therapies. Meanwhile, given all of the work already done to study ZMapp, we anticipate that work will continue to seek FDA approval under the Animal Rule.
To better protect the health of their residents, the U.S. government and the governments of Guinea, Liberia and Sierra Leone want to ensure that ZMapp remains available in the event of new Ebola cases, future outbreaks and flare-ups.
On Aug. 5, these international partners announced that they are pursuing an effort to ensure ZMapp will continue to be a treatment option under an Expanded Access protocol for Ebola for the next three years.
ASPR’s Biomedical Advanced Research and Development Authority, or BARDA, is providing approximately $13.4 million over the next three years to implement and maintain the ZMapp Expanded Access Protocol. This will allow the continued use of ZMapp in the nations that participated in the PREVAIL II clinical study during the Ebola outbreak. The FDA approved the continued use of ZMapp under the Expanded Access Protocol earlier this year and continues to work with Mapp Biopharmaceutical to lay out a path that could lead to future approval.
The U.S. partners, including the National Institutes of Health, Centers for Disease Control and Prevention, BARDA, FDA, and Mapp Biopharmaceutical, will work with international partners, including the Ministries of Health in Guinea, Liberia and Sierra Leone, to ensure access.
Clinical sites are being set up in each of the three participating West African countries and will be staffed with experts with extensive expertise in those countries and professionals trained in administering ZMapp. The partnership also will operate one mobile Ebola treatment unit in each of these countries and provide air capability to reach remote areas.
Meanwhile, U.S. federal agencies will continue efforts to develop effective vaccines and therapies against Ebola. The response to Ebola underscored the importance of global health preparedness and, while the immediate threat Ebola poses has diminished since 2014, we must vigorously prepare against future emerging infectious disease outbreaks. Helping ensure the future availability of effective countermeasures to Ebola will help us better protect public health against this threat globally.
Fifteen years ago this month, anthrax was used as a terrorist weapon against our nation. As a microbiologist with experience in dealing with Bacillus anthracis, the bacteria that causes anthrax illness, I was called in to be on the front lines of the investigation into the attack. Today, I help ensure our nation is best prepared for and can respond to a future one.
Soon after September 11, 2001, an attacker mailed letters laced with anthrax spores causing the deaths of five people and sickening 22 others. As part of the response, I donned a hazmat suit to investigate the possible extent of spread near one of these sites. When the FBI launched an investigation to determine who perpetrated this attack, the agency looked to the company I worked for at the time; with my background, I was to be part of the investigation to identify its source.
There were many challenges in the beginning. Decisively linking the anthrax spores collected from the attack site to the laboratory of a potential suspect would be necessary to prosecute and successfully charge the perpetrator. Therefore, every step including collection, analysis, and validation of samples; quality assurance and control; reporting out; and communication of complex molecular techniques needed to be resolved so that prosecutors and potential jurors would trust and understand for any potential litigation for attribution.
The first challenge was that different strains of Bacillus anthracis are very similar to each other at the genome sequence level, which presents challenges to differentiating strains. However, an astute scientist at United States Army Medical Research Institute of Infectious Diseases noticed unique differences in the appearance and growth characteristics of the anthrax spores used in these attacks. Therefore, we needed to be able to determine at the molecular level how these anthrax spores used in the attacks were different beyond a reasonable doubt.
The next challenge was that there were no established methods for differentiating anthrax spores at the molecular level. In order to determine definitively that the source of the anthrax used in the attacks, we had to create that method. We created one the first molecular forensics assays that identified unique fingerprints of the DNA of the anthrax spores used in the attacks, and then had to validate our assay and the technicians who would be testing any samples that were suspect.
We next had to determine optimal growth conditions to standardize the repository samples so they could be accurately compared using molecular testing. We also developed a method of isolating the DNA to be tested in our unique molecular assay.
Since Bacillus anthracis is a select agent, every researcher working with anthrax in their facility is required to register with the CDC and FBI, so researchers from all across the country were provided our standard growth conditions, and they prepared samples to be sent to my laboratory for comparison as part of the FBI’s investigation into the attacks. These became known as the repository samples.
Over the span of the next nine months, we examined over 1,000 repository samples using our standard methods for growth, DNA extraction, and molecular testing and found approximately 10 samples matched those used in the anthrax attacks in 2001. Those samples came from two laboratories, and one of those labs provided anthrax to the other. So, we were able to confirm the identity of the laboratory as the original source of the Bacillus anthracis used in the attacks.
Today, we have more tools at our disposal to respond to an attack. As the Director of the Medical Countermeasures Strategy and Requirements Division at ASPR, I have been able to play an important role in anthrax preparedness. My office has developed and updated anthrax requirements that determine how many medical countermeasures, such as treatments and vaccines, we need, how many can be used and what products would look like to preserve lives following a potential future anthrax attack. We work diligently within ASPR to prepare and respond against future attacks, to focus on preparedness; building federal emergency medical operational capabilities; countermeasures research, advance development, and procurement; and grants to strengthen the capabilities of hospitals and health care systems in public health emergencies and medical disasters.
Just as I was able to be a part of an innovative approach to identifying the source of the anthrax used in the attacks 15 years ago, I have seen the dedication and ingenuity within ASPR and am proud to be part of this vital mission.
Forty years ago, a patient exhibiting symptoms believed to be from malaria sought treatment in a small village in the Republic of the Congo in Africa. Later, it was determined this patient didn’t suffer from malaria, but from a virus that would cause a major disease outbreak decades later and more than 1,000 miles away: Ebola.
When the Ebola epidemic struck in 2014, it claimed the lives of thousands. However, it also served as a reminder that nearly all emerging infectious diseases may not be altogether new to the medical community, but certain factors may have changed since they first emerged that allowed them to reach epidemic levels.
There are five major factors that allow viruses to cause epidemics:
Human population dynamics and behavior
As more people populate the planet, there is a greater possibility someone will encounter a virus that will spread to others. And, as we are traveling greater distances today than before, this allows viruses to spread more rapidly over greater distances more quickly. As was the case with the 2014-2015 outbreak, cultural norms also can cause an infectious diseases to propagate. For example, as families in West Africa cared for sick relatives they unknowingly exposed themselves to the Ebola virus through contact with contaminated body fluids. This practice initially resulted in further spread of the virus in families and in communities.
Changes in insect or reservoir populations
As a virus finds its way into new carriers, it can reach new ecosystems and populations. This was especially critical to the spread of the West Nile virus. This virus is believed to have been introduced into the Western Hemisphere by people or mosquitoes that originated in Eurasia, where it was a well-known viral disease involving animals, mosquitoes and people. We believe that once the virus established itself in a local site near urban New York City, it found a brand new environment to flourish within species of birds and mosquitoes in the United States. This eventually amplified the virus and allowed it to spread across the entire U.S. reaching a large number of people. From 1999 through 2015, more than 43,000 people contracted West Nile Virus disease in the U.S. Birds in the U.S. maintain the virus, and outbreaks could recur in the future.
Weather and climate changes
Changes in weather and the climate can drive some animals carrying viruses to different areas, where they could spread disease to people. A perfect example of this is the 1993 outbreak of Hantavirus in the Four Corners region of the U.S. An El Nino weather event in 1992 brought higher than average rainfall to the area. With more rainfall came more plants, and with more plant life came an increase in the local rodent population. As the weather returned to normal and that new habitat vanished, the enlarged rodent population suddenly needed to find additional sources of food and shelter, finding their ways into homes and spreading Hantavirus to nearby residents. Due in part to raising public awareness of the need to rodent-proof homes in the region, the outbreak ended.
Advances in technology have allowed us to identify outbreaks when before illnesses were believed to have a different origin. Consider an apparent increase in Leptospirosis that was observed in Baltimore in the mid-1990s. It was normally considered an uncommon infection and its prevalence largely went unrecognized because diagnosing it was challenging. When newer technologies and better diagnostic tools became available, the likely “true” prevalence of the disease became better understood, and, suddenly, the number of reported Leptospirosis cases appeared to jump.
Changes to the viruses themselves
Sometimes, a change in a virus itself allows it to become an epidemic. The flu virus is a great example of how mutations can allow viruses to spread widely among populations. The influenza virus changes on a regular basis as small mutational changes happen (called genetic drift). This is the basis for why we need to develop a new flu vaccine for general use each season. It is also the challenge that vaccine developers face in creating effective countermeasures to seasonal strains of flu. And, on occasion, the type of change seen in circulating strains of the virus come about from bigger shifts in the virus (called genetic shift) leading to some strains of flu that have the potential to cause pandemics.
Meeting the challenges of new epidemics
ASPR helps advance the development and procurement of critical countermeasures to protect people during public health emergencies whether they are caused by natural or manmade pathogens.
After the Ebola outbreak erupted in 2014, ASPR aggressively pursued the diagnostics, vaccines and treatments to address Ebola. We made meaningful strides toward developing the countermeasures we may need to combat this deadly disease if it re-emerges in the future.
We didn’t stop the recent Ebola outbreak with a vaccine or other countermeasure, but in large part by changing human behaviors that were allowing the virus to spread. After understanding how it spread between people, educating the public about steps they could take to avoid contracting Ebola helped turn the tide of the epidemic, and the outbreak halted. We were able to accomplish a lot in a short period of time because of partnerships with other federal agencies and with industry, as well as developing a better infrastructure for research and development.
It is impossible to predict what the next emerging infectious disease will be, or which factors will make it re-emerge. When it does, ASPR and our global partners aggressively will pursue solutions to prevent its further spread.
From Hawaii to Louisiana, recent storms have impacted the ability of health care facilities and providers to care for their patients. In Hawaii, power outages and debris left in the wake of a hurricane forced some facilities to close. In Louisiana flooding closed dialysis centers, clinics, doctors’ offices and more. While not as extreme as what we saw eleven years ago when Hurricane Katrina made landfall in New Orleans, the most recent emergencies showcase the continued need and demand for the best possible preparedness and response capabilities, particularly for healthcare providers and residential facilities that care for millions of at-risk populations across our nation.
Disruptions, whether in a home or facility, can rapidly result in life-threatening situations that necessitate evacuation or assistance from another hospital, community-based facility and provider, or a shelter. The Office of the Assistant Secretary for Preparedness and Response (ASPR) was created to lead HHS and the federal government in responding to the health impacts of disasters, and we know that achieving the best health outcomes following disasters requires planning across the entire continuum of care before a disaster strikes.
Over the years, we have drawn on lessons learned from disasters and collaborated with the Centers for Medicare and Medicaid Services (CMS) to improve the health care system’s ability to respond to crises, including on the development of a rule modernizing the disaster preparedness of the healthcare sector nationwide, published today.
This marks the beginning of a new era in emergency preparedness for our nation’s health care system—not just for hospitals but for other providers of essential support services. CMS issued this new rule to create a consistent foundation of emergency preparedness across the health care system, ensuring that providers across the spectrum are better positioned to respond to disasters and to ensure continuity of care for some of our most at-risk populations.
These providers include home health services, dialysis centers, long-term care facilities, community mental health centers, rural health clinics, intermediate care facilities for people with intellectual disabilities, critical-access hospitals, and others which together care for many millions of people across our nation.
They will be required to adopt fundamental emergency preparedness capabilities to best ensure the safety of their patients’ health as a condition of participation in Medicare and Medicaid. For example, providers and suppliers must have emergency plans and training for personnel – and run emergency drills twice a year to test these plans and programs, so that all are better positioned to work together to protect health in the face of a disaster. They must have a communication plan in place to coordinate with their patients as appropriate, as well as with public health officials, emergency management officials, and other health care providers within the city, county and state. For the health care industry, being disaster-ready actually may provide a competitive edge. While the health care providers go into their respective fields for altruistic reasons, the U.S. health care industry is a highly competitive business. Being able to maintain services and provide excellent patient care amidst a disaster is an essential business function.
ASPR provides a wealth of resources and expertise to help these healthcare providers develop the plans, policies, procedures, training, and testing they need to get started or to improve plans already in place.
For example, our Technical Resources Assistance Center Information Exchange (TRACIE) has a wide range of resources that providers and suppliers can use to implement the new CMS rule. ASPR TRACIE has sample plans, tools, templates, and training and exercise materials and provides access to expert technical assistance and an information-sharing exchange platform to assist the exchange of best practices, vetted tools, and information between public health, healthcare professionals, and many other emergency preparedness partners.
Many also may garner access to local community expertise through collaboration with one of the nearly 500 healthcare coalitions that have been sponsored by ASPR’s Hospital Program. Some healthcare coalitions may be able to assist with risk assessments and may have community-based exercises and training opportunities. Additional online training and resources are available at the HHS’ Centers for Disease Control and Prevention and Health Resources and Services Administration as well as from the Federal Emergency Management Agency Emergency Management Institute.
While the physical destruction of a disaster may not always be preventable, the effect on patient care, as well as on the business of healthcare itself can be prevented if we are truly prepared. Today, CMS is putting in place meaningful improvements to the disaster preparedness of our nation’s healthcare system. This action will improve the resiliency of all of our communities and better protect the health of those in the path of disasters, whether small or large.
The beginning of the school year is upon us and kids are excited to board school buses and get back to class. But, do you know which steps the teachers or child care providers would take to protect your child if disaster struck before he or she got back home from school or child care?
As a parent, I know that it doesn’t need to be an incident that affects hundreds of children that gets you the most concerned – it’s the incidents that affect your own child. In May 2016, there was a shooting spree that put much of Montgomery County, Maryland, on lockdown, including my child’s day care center. I know firsthand as a parent how scary it can be not to know whether your child is safe, but I also know as an emergency planner how important it is to ensure there’s a plan to protect my child’s safety, and allow it to work to best ensure everyone’s safety.
What’s the Plan?
So, as the school year begins its important to have the information you need to be reassured that your children will be safe. Do you know what the disaster plan is for the school or child care facility your child attends? If not, then ask them that question. And, if they have one, get a copy of it. Here are eight other questions you will want to ask them to make sure they’re prepared and you know what to do:
- How will you safely evacuate my child to a safe, predetermined location? You also will want to know how the children will be moved and to where. If your child has special needs, make sure those are being taken into consideration.
- How and when will I be notified if a disaster occurs while my child is in your care? Make sure you have at least two ways to be contacted (phone numbers, emails, for example), and keep your contact information current. Also ask if there is a central phone number that you could call during an emergency for information, a school website to go to, or a television or radio station that will have the up to date information.
- If I cannot get my child during a disaster, how will you continue to care for my child? If you disagree with their plans or procedures, be sure to discuss it with them. Also be sure that you have provided to the school and child care center additional emergency contacts that you have given permission to pick up your child should you not be able to in an emergency. Your child should know who those people are.
- Have you or your staff received training on how to respond to my child’s physical and emotional needs during and after a disaster? It is critical that care providers receive training in how to respond to disasters. This training includes not just practicing drills, but understanding how to support children’s behavioral and emotional needs in developmentally appropriate ways during an emergency. Ask providers how vital records on children are kept, especially for those with special needs, and made available to emergency responders during a disaster to make sure they can receive the care they need.
- Do you practice all your emergency plans including fire drills, evacuations, shelter in place, and lockdown drills with the whole school or child care center? Even young children are able to participate in emergency drills if they are explained in an age and developmentally appropriate manner and provided support during and after the drills.
- Do you have a disaster kit with enough items to meet my child’s needs for three days? Each household should keep on hand enough supplies to be self-sufficient for three days in case of a disaster, and you want a facility where your child might be during a disaster to be equally prepared. If they don’t have a kit or enough supplies, consider working with other parents to pool together the necessary supplies. If your child needs medicine regularly, provide an extra supply to their school or child care center just in case.
- Do the state and local emergency management agencies and responders know about your child care program and where it’s located? Local emergency management agencies usually know where schools are located, but what about the child care center where you send your child? It’s worth taking a minute to call them to confirm that yourself.
- How may I help you prepare for a disaster and help during and after a disaster? Volunteer to help your provider prepare by organizing supplies, collecting or getting supplies donated, or organize a phone tree of parents to make calls during a disaster. Most importantly, parents can help by following the emergency plan of the school or child care center and waiting until they are told it is safe to pick up their children from the school or child care center or evacuation site. Showing up before parents have been told it is safe will only put parents at risk of getting hurt as well as needlessly showing up and being told that they can’t get their child yet or can’t access the facility.
When my son was at child care during those 2016 shooting incidents, I experienced the same anxiety any other parent feels when an emergency occurs and they’re separated from their children. You feel helpless because you have to wait and can’t get your child right away and you want to do everything you can to ensure they are safe, but you need to be patient. I had reassurance that day because I knew my son’s child care center had a plan, the center had activated the plan and they had communicated that all the children, including my son, were all safe.
As it turns out, the best way to ensure children are safe during a disaster while at school or day care is to make sure there’s a well-thought out plan in place before disaster strikes. Now is the time to do that. If your child’s school or day care center does not already have a plan, excellent resources are provided by HHS’ Administration for Children and Families, the Centers for Disease Control and Prevention, the Federal Emergency Management Agency, and the U.S. Department of Education.
After you ask these critical questions about how your child would be protected if a disaster occurred while they were away at school or child care, pose similar questions at home, and develop a disaster plan for your family.
Implementing effective strategies and safeguards to address cybersecurity threats is a challenge for any industry, but the size and scope of attacks on health care information systems have grown rapidly in the past two years. Health care data can be used for to commit fraud or identity theft. It can also be used to disrupt of hospital systems. Connected medical devices with cybersecurity vulnerabilities left unaddressed could pose a risk to patient safety. Security of health care data and medical devices is essential to protecting patients and providing them with the highest level of care.
The Health Care Industry Cybersecurity Task Force is looking for your input to help improve cybersecurity across the industry. The Task Force is working to help identify risks, gaps, challenges, and best practices related to cybersecurity issues in the health care sector.
If you have an interest and expertise in health information technology, please help us better understand how you evaluate and mitigate risks related to cybersecurity in the health care sector and what gaps you think still remain.
Please take a few minutes to answer any or all of the following questions in comment to this blog. We are working to stimulate discussion and share the best ideas, so your responses may be made public. Please do not include any propriety, personal/private, sensitive, or confidential information.
- What are the top cybersecurity risks and concerns unique to the health care sector?
- What best practices are currently being employed by other sectors that might help us improve the security of the health care sector?
- What are the biggest gaps and challenges for the development and deployment of medical devices and electronic health records?
- How can the health care sector be better educated with regard to cybersecurity?
- What challenges do health care sector organizations have to overcome in order to share cyber related incidents with a consortium?
Enhancing cybersecurity in the health care sector can help reduce risks for the industry and give patients peace of mind. The Task Force will use these inputs to augment its work and to support the broader goals of gathering information to disseminate to health care industry stakeholders; creating a single system for the Federal Government to share actionable cyber threat information; and developing the final report to Congress.
The Health Care Industry Cybersecurity Task Force was established by the U.S. Department of Health and Human Services in March 2016 per the Cybersecurity Information Sharing Act of 2015. The Secretary of Health & Human Services, in coordination with the Department of Homeland Security and the National Institutes of Standards and Technology, selected a broad array of expert representatives from the Federal Government, private sector health care organizations, other public and private sector experts on information technology and cybersecurity.
The Task Force holds monthly meetings to review its progress and identify concerns and practices both internal and external to the health care sector. The Task Force opens its meetings to the public on a quarterly basis. During the April and July meetings the Task Force received briefings from Federal leadership about the importance of cybersecurity for the health care sector, gained insight about the processes and best practices of other sectors, and reviewed the results of cybersecurity exercises and medical device workshops.
As Acting Assistant Secretary Mary K. Wakefield has indicated when she announced the formation of the Task Force, we need to protect the data that is at the foundation of our health care system. With your input, we hope to do that more effectively and find more efficient ways for the industry as a whole to protect health care information.
By now you’ve heard of the new augmented reality game, Pokémon GO, which brings a beloved set of cartoon characters from the 1990s into your environment through an app on your cell phone. Pokémon can appear anywhere on a map, so the game encourages you to walk around your neighbourhood to locations where the Pokémon can be found—generally known as Pokéstops or Gyms. You too can hunt, train, and capture Pokémon in your own backyard, your neighbourhood park, or… your local hospital…
That last location causes some challenges for maintaining safety and security at health care facilities.
When virtual Pokémon appear on their phone’s map, dozens of gamers can flock to that location. Sometimes, that location can be near or even inside a health care facility, which can create anything from a nuisance for security guards to a patient safety issue.
For example, the Utah Valley Hospital in Provo, Utah, found that it had four Pokéstops inside the hospital atrium, near a fountain, another display area, and even the hospitals helipad! A dozen gamers standing around looking like they’re taking pictures in an atrium can made guards nervous. A dozen gamers on a helipad trying to capture a difficult Pokémon can get in the way of patient care.
Guards have no way of telling the difference between a gamer and someone with nefarious intent casing the hospital’s vulnerabilities.
By now, you might be wondering a couple of things:
- Are there Pokéstops or Gyms in my hospital or healthcare facility? If you don’t already know if your facility has Pokéstops, you can find out by looking for your facility through the Pokémon GO mobile interface or by searching for your address on the Ingress website. If you find a green or blue dot at your address, you may be part of the game.
- If I find a Pokéstop or Gym in my facility, can I get rid of it? You can request that the Gym or PokéStop at your facility be removed from the game. You may have the best luck by identifying your location through latitude and longitude which can be found by using one of many apps on your phone or by using Google Maps.
- Will this keep all the Pokémon out of my hospital? Probably not. Getting rid of Pokéstops and Gyms will decrease the number of Pokémon running through your hospital – but it won’t catch them all. Pokémon run around. Some of them may run into your hospital. Even if there isn’t a Pokéstop or Gym in your facility, there is probably one in your area.
There are also examples of hospitals using the game as therapy for some of their young patients. If Pokémon is providing a benefit to your patients – say, by giving kids in your cancer ward something that makes them happy and gets them out of bed – you may want to keep your facility’s Pokéstops and Gyms.
If you do that, make sure that your security staff knows that they may attract people who aren’t supposed to be in your facility. If you do decide to keep the Pokéstops, you need a plan. Be sure that your facility has a policy for dealing with problems and ensuring patient safety. Security guards can’t just give people a pass in the spirit of the game.
Whether or not you get rid of our hospital’s Pokéstops, it is critical for healthcare facilities to maintain awareness of individuals trying to access or photograph your facilities. People wandering around a hospital or healthcare facility who aren’t supposed to be there and they create additional risk for your facility. Your security staff needs to recognize that they are a problem and deal with them appropriately.
There are a wide range of reasons that people should not be roaming the halls, potentially interfering with patient care or breeching sterile locations to find a cartoon character. As your hospital plans for cyber-threats, remember that not all of them look scary on the outside.
As recent news reports show, security breaches and ransomware attacks in the Healthcare and Public Health sector are on the rise. Criminal cyber attacks against health care organizations are up 125 percent compared to five years ago, replacing employee negligence and lost or stolen laptops as the top cause of health care data breaches. The average consolidated total cost of a data breach was $3.8 million, a 23 percent increase from 2013 to 2015.
To better prevent attacks on health information technology, organizations need better visibility into what to expect and how to respond. Timely information on the nature of attacks is critical to that ability. To enable better dissemination of threat information, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR) released two Funding Opportunity Announcements (FOAs) to build the capacity of an Information Sharing and Analysis Organization (ISAO). This organization is being asked to:
- Issue warnings about potential cyber threats;
- Provide outreach and education that improves cyber security awareness;
- Equip Healthcare and Public Health sector stakeholders to take rapid actions in response to cyber threat information shared by the ISAO, and
- Facilitate cyber threat information sharing widely within the HPH sector, regardless of the size of the organization.
In short, the ISAO will create a more robust cyber information sharing environment, especially for smaller entities that may not have the resources to access such information on their own, by leveraging existing relationships. Through the resulting streamlined cyber threat information sharing process, HHS will be able to send cyber threat information to a single entity, which will be able to share that information widely to support stakeholders.
This is just the latest step in our cybersecurity efforts. As part of Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap version 1.0, ONC identified the need to “coordinate with ASPR on priority issues related to cybersecurity for critical public health infrastructure.” For the past three years, ONC has worked closely with ASPR and other HHS offices and agencies and offices to facilitate cyber threat information sharing across the Healthcare and Public Health sector. They include:
- The Office of the Assistant Secretary for Administration (ASA),
- The Office of the Chief Information Officer’s (OCIO) Office of Information Security (OIS), and
- The Office of Security and Strategic Information’s (OSSI) Cyber Threat Intelligence Program (CTIP).
This work builds on two Executive Orders related to cybersecurity. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, designates HHS as the agency responsible for sharing cyber threat information with private sector organizations in the Healthcare and Public Health sector. Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, encourages the development of ISAOs to serve as focal points for cybersecurity collaboration within the private sector and between the private sector and government.
Establishing robust threat information sharing infrastructure and capability within the Healthcare and Public Health Sector is the foundation for the privacy and security of health information, which in turn builds trust in the digital health system. By continuing to lead, coordinate, and fund cyber threat information sharing capability for the Healthcare and Public Health sector, together we can continue to strengthen the security of the health care system data and ensure it is available when and where it is needed to help improve individuals’ health.
Find more information about both the ONC and ASPR Funding Opportunity Announcements on www.Grants.gov.