COVID-19 is not the first viral pandemic to devastate health systems in the twenty-first century. In May 2017, the WannaCry ransomware infected more than 230,000 computers in at least 150 countries and prevented access to critical digital systems in the UK's National Health Service (NHS).1 Although WannaCry was a relatively unsophisticated attack that did not specifically target the NHS, the incident reveals the degree to which healthcare digitalisation renders these systems vulnerable to incapacitating cyberthreats and thereby presents substantial dangers to public health on a global scale.
It is widely acknowledged that health and well-being can be reliably enhanced by the implementation and scaling of digital technologies and that the uptake of digital health into nationwide health systems can accelerate progress towards the Sustainable Development Goals.2 As such, ensuring the adequate cybersecurity of these technologies is paramount to the protection of digitalising health systems that incorporate growing numbers of network-connected medical devices and vast stores of sensitive data, which are otherwise susceptible to attack, exploitation and unintentional loss.3
Patient data may be stolen, deleted or corrupted in cyberattacks,4 such as the 2018 attack on the SingHealth database and the 2014 attack on US health insurance company Anthem, in which cybercriminals illegally accessed the personal information of 1.5 million Singaporeans and 80 million Americans, respectively.5 , 6 Simultaneously, the growing network of interconnected medical devices, including hospital-based equipment and implantable sensors, can be hacked, manipulated or entirely disconnected, with potentially devastating consequences for patient privacy and safety.7 Beyond health systems, the increasing sophistication and technical ability of individual, group-based and state-sponsored cyberadversaries is regularly demonstrated through attacks on financial industries, social media networks and even nuclear power plants. The deployment of such formidable digital weaponry on inadequately protected health systems would have catastrophic implications for millions of patients. Despite this, cybersecurity in these systems remains chronically underfunded, rendering them vulnerably exposed to unacceptable degrees of reputational, financial and patient safety risk.4
Concurrently, the COVID-19 pandemic has revealed the indispensable nature of digital technology in modern-day health systems, public health organisations and research institutions globally. The collection, synthesis, processing, storage and distribution of sensitive patient data has proven to be fundamental to dynamic epidemiological and health protection responses, including symptomatology data, biological test results and geolocated contact tracing. The primary care records of millions of people have been used to identify those patients most clinically vulnerable to viral infection, to undertake population-wide observational research8 and to coordinate the age-prioritised roll-out of mass vaccination programmes. Finally, the clinical management of infected individuals has used virtual care platforms, digital monitoring systems and machine learning algorithms to inform clinical decision-making, guide resource allocation and provide clinical care for large volumes of patients.9
Although offering plentiful advantages to the functioning of public health organisations and healthcare services, the complete dependence on digital technologies of the global response to COVID-19 exposes this reliance as a critical vulnerability in modern-day health systems and underscores the urgent need to safeguard these systems with adequate cybersecurity. Despite this, the long-term underinvestment of digital health system resilience is likely to intensify in the coming months as countries divert scarce resources to combating the social, economic and immediate health impacts of the ongoing pandemic. In an environment of rapid health system digitalisation and increasing cybercriminal capability, such deepening neglect of infrastructure protection would render these critical systems intolerably exposed.
The global decision to overlook biological pandemic preparedness has brought chaos and misery on an unprecedented scale during the COVID-19 pandemic. Although the substrate is different, the same failure to prepare for a digital viral pandemic could bring about even greater disruption to vulnerable health systems that increasingly depend on digital technologies. To mitigate this threat to global public health, significant commitments are urgently required to bolster health system cybersecurity and worldwide digital health resilience.
References
- 1.Department of Health & Social Care . February 2018. Lessons learned review of the WannaCry ransomware cyber attack.https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf [Google Scholar]
- 2.World Health Organization. Global strategy on digital health 2020–2025. https://cdn.who.int/media/docs/default-source/documents/gs4dhdaa2a9f352b0445bafbc79ca799dce4d_02adc66d-800b-4eb5-82d4-f0bc778a5a2c.pdf?sfvrsn=f112ede5_68 [accessed 04 May 2021].
- 3.The Lancet Cybersecurity and patient protection. Lancet. 31 March 2018;391(10127):1238. doi: 10.1016/S0140-6736(18)30711-6. [DOI] [PubMed] [Google Scholar]
- 4.Ghafur S., Grass E., Jennings N.R., Darzi A. The challenges of cybersecurity in health care: the UK National Health Service as a case study. Lancet Digital Health. 01 May 2019;1(1):10–12. doi: 10.1016/S2589-7500(19)30005-6. [DOI] [PubMed] [Google Scholar]
- 5.Singhealth . 20 July 2018. Joint press release by MCI and MOH−singhealth's IT system target of cyberattack.https://www.singhealth.com.sg/news/announcements/joint-press-release-by-mci-and-moh-singhealths-it-system-target-of-cyberattack [Google Scholar]
- 6.BSI Group . 2015. Lessons learned: Anthem data breach.https://www.bsigroup.com/LocalFiles/en-US/Whitepapers/Information%20Security/BSI-lessons-learned-anthem-data-breach-whitepaper.pdf [Google Scholar]
- 7.BSI Group . 2017. Cybersecurity of medical devices: addressing patient safety and the security of patient health information.https://www.bsigroup.com/LocalFiles/EN-AU/ISO%2013485%20Medical%20Devices/Whitepapers/White_Paper___Cybersecurity_of_medical_devices.pdf [Google Scholar]
- 8.Mathur R., Rentschh C.T., Morton C.E., et al. Ethnic differences in SARS-CoV-2 infection and COVID-19-related hospitalisation, intensive care unit admission, and death in 17 million adults in England: an observational cohort study using the OpenSAFELY platform. Lancet. 30 April 2021 doi: 10.1016/S0140-6736(21)00634-6. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 9.Whitelaw S., Mamas M.A., Topol E., et al. Applications of digital technology in COVID-19 pandemic planning and response. Lancet Digital Health. 29 June 2020;2(8):435–440. doi: 10.1016/S2589-7500(20)30142-4. [DOI] [PMC free article] [PubMed] [Google Scholar]