Cybersecurity in Medicine: A Review (Preprint)

UNSTRUCTURED The practice of medicine has become increasingly dependent on connected medical technology and nearly every clinical environment requires physicians to be proficient in using computerized workflows for patient care. Cyberattacks affecting healthcare delivery organizations (HDOs) have evolved in frequency, sophistication, and scale. These attacks often involve the theft of protected health information (PHI) and disrupt the function and availability of critical resources such as diagnostic technologies, therapeutic devices, and electronic health records (EHRs). This review aims to describe cybersecurity threats as they impact the delivery of patient care by affecting the operational, financial, and clinical systems of HDOs and associated entities. It will highlight the challenges that remain in developing a database of evidence focused on classifying and comparing cybersecurity attacks by clinical relevance and effect on patient outcomes. Attackers have focused on health care as a key sector of critical infrastructure because the opportunity for financial gain has been reliably demonstrated. That cyberattacks have continued, and in many cases been precisely targeted to affect hospitals during the COVID-19 pandemic, demonstrates the persistent and malicious nature of cybersecurity challenges. The existing literature has discussed the theoretical clinical implications of vulnerabilities discovered in connected medical devices including insulin pumps and pacemakers, and media reports have prominently featured coverage of HDOs affected by cyberattacks. Yet there remains a paucity of data describing such events that can be used to quantitatively characterize effects on patient outcomes. The complex interplay of varying regulatory oversights, embryonic surveillance mechanisms, and organization-specific policies have made obtaining the data needed for formal epidemiological studies difficult. Despite these challenges, multiple United States government agencies, healthcare delivery organization industry groups, and healthcare advocacy groups have recognized cybersecurity threats as a key safety and operational concern worthy of expanded study and dedicated resources.