Then-FBI Director James Comey Prodded Healthcare Industry to Take Cybersecurity Seriously

Just because the messenger was fired doesn’t mean the message was wrong or forgotten. Politics aside for the moment, now-former FBI director James Comey has been trying to prod the healthcare industry to take cybersecurity even more seriously and to help the FBI find the “bad guys.”

His message is that hackers, trolls and “nation states” are targeting the rich and vulnerable healthcare industry. The threat is not really HIPAA violations but ransoms, theft of valuable patient identities, and hijacking of medical devices.

Comey was the keynote speaker at the American Hospital Association annual meeting in Washington the day before Trump said “you’re fired.” Comey said much work has gone into breaking down silos between the FBI, CIA, Pentagon, Homeland Security, and other government agencies. Now the FBI needs to build stronger relationships with private community entities. Unlike the current worldwide ransomware attack, the vast majority of cybercrimes are not reported, which hinders the ability to link and identify the hackers.

Most healthcare organizations know they are major targets for cybercriminals mining for patient data that can be sold at a high price for use in fraud and identity theft—even more so than credit card numbers from big box retailers. Comey said cybercriminals are using this sensitive data today, for example, to raid health savings accounts and use the money to buy and sell goods—a high-tech burglary.

Hospitals and physicians aren’t the only healthcare groups that need to be on guard. Proprietary information has long been a target for industrial and geopolitical espionage. Hackers could steal genomic databases and sell them to unethical businesses and governments around the world.

Medical devices are also increasingly becoming a target. High-tech “assassinations”—the stuff of movies and books—are possible with the interoperability of medical devices. If a hacker can invade an automobile computer, what about wireless technology and software in medical devices? It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers and insulin pumps.

In 2015, the FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. That’s dangerous to patients who could be harmed directly by devices altered to deliver too much or too little medication. In the past year, Johnson & Johnson and St. Jude Medical have dealt with cybersecurity vulnerabilities linked to insulin pumps and cardiac devices.

Comey listed several actions the FBI was taking to be more responsive, including assigning work to agents based on their cyber expertise rather than their physical location, and helping local law enforcement get more up to speed in the digital world. The FBI is committed to tracking down hackers wherever they can be found. Even newly rich Russian hackers go on vacation, he said, and have been tracked and arrested in resorts and airports. Making sure criminals pay the consequences for their activity is an important message and lesson.

Comey said, “We have to convince you to talk to us. We will treat you as what you are—as victims. We will explain to you what will happen to any information you give us; we will be open and honest with you.”

And the information the FBI needs isn’t necessarily what hospitals might fear. “We need the fingerprints of digital intrusion so we can figure out who did this, to try to help all of us stop that intrusion from continuing. Once we make those judgments, you will see us abiding by our promises.”

The entire healthcare industry is under a sophisticated attack from cybercriminals. They may attack today, tonight or next year. But every day they are trying to steal our data. Comey may be “fired,” but his message was serious. Healthcare is under attack for its extremely valuable data and the industry must work with the government to combat the hackers and help reveal their digital fingerprints.

Andy Stern is chairman of the Dallas public relations firm Sunwest Communications. He chairs the American Hospital Association’s Committee on Governance. He currently sits on the boards of Medical City Dallas hospital, Dallas Medical Resource, and AMN Healthcare Services, the nation’s largest healthcare workforce solutions firm.
