Cyberattacks against local governments are becoming a new normal, yet the nation is not doing enough to prepare local health departments (LHDs) for such attacks. More than just a technological issue addressed by information technology (IT) professionals, cyberattacks can threaten lives and result in losses of integrity, availability, and confidentiality, and in physical destruction of assets. Cyberattacks can erode the trust and confidence communities have in LHDs and can introduce legal and liability issues when breaches of protected patient health information occur. LHDs should consider cyberattacks, and the myriad of nontechnical issues that may result, as part of their all-hazards preparedness efforts.
Stories of cybercriminals attacking entire local and county government systems have become more common in the past year. Recent events include a cyberattack in Dallas, Texas, that managed to set off all 156 emergency alarms in the city, a ransomware attack in Mecklenburg County, North Carolina, that slowed the county government to a crawl, and another in Atlanta, Georgia, that disabled critical systems, forcing many city workers to revert to paper. While these incidents have not yet presented widespread or prolonged disruptions to LHD services, considering the effect of such a scenario has become increasingly important.
Hypothetical scenario: You are a director of a local health department (LHD). Your community government recently completed updating its computer systems for all departments, integrating mobile and medical devices, servers, and workstations, and enabling computer-controlled building automation technology to regulate heating and cooling, lighting systems, door locks, alarms, and refrigeration units in all county facilities. LHD personnel have networked desktop and laptop computers, voice over IP (VOIP) landlines, mobile phones and emails, and an electronic reporting system for vaccine administration. The United States is several months into a moderate to severe influenza season and your LHD is holding influenza vaccine clinics at several locations across the county.
The LHD is also one year into a chronic disease and environmental monitoring research project funded by a federal agency and a private technology firm. The research data for this project are stored on your county government’s computer system. There is news of computer ransomware – a program that infects a computer, blocks access by encrypting key components, and demands a ransom be paid for the restriction to be removed – spreading across the internet through networks and removable drives, downloading files, and stealing information. You receive word that staff members who are setting up a flu vaccine clinic are having trouble connecting to the electronic medical record system on the county computer network. VOIP phone services are routinely unavailable throughout the day. You receive word from your research staff that data are no longer accessible. You learn that many of the county computers, including the systems for tax payments, birth and death certificates, county sewer and water, and facility heating and cooling, are locked with a ransomware message demanding a $23,000 payment in Bitcoins to unlock the computers.
You consider activating the LHD’s emergency response plan, but are uncertain if a cyberattack requires such a response. Your county emergency manager and executive leadership call a department head meeting to discuss what to do and decide to not pay the ransom. Two weeks have passed since the attack began and county services have been severely interrupted. The county IT department is slowly restoring services, albeit with significant loss of data. It was learned that an infected USB drive, obtained from a public health preparedness conference as a giveaway, was the culprit.
The technical assets available to and services provided by this hypothetical LHD are typical and routine, like countless actual health departments throughout the nation. Unfortunately, many LHDs could also find themselves similarly affected by cyberattacks. Therefore, it is important to consider cyberattacks as part of all-hazards planning, which begins by considering the following questions:
- What is the role of an LHD in cybersecurity incidents?
- What are the most critical systems at risk of compromising public health in the event of a cyberattack?
- If a cybersecurity incident occurred, could LHD operations continue?
- Does the community have contingency plans in place for a cyberattack?
- Who at the state and federal levels of government should be contacted regarding a cyberattack?
- Would a cyberattack trigger the activation of the emergency response plan?
- Who is identified as the community lead in such an event?
- Does the community emergency operations plan include an air-gapped network and equipment (i.e., a physically isolated secure computer network)?
- Will a county or local community pay in the event of ransomware? If not, is it prepared for consequential data loss and privacy breaches?
- When should the public be notified and what information should be shared about cyber incidents?
In addition to presenting technological issues, cyberthreats to LHDs can be classified in terms of their capacity to introduce losses of integrity, availability, and confidentiality, and physical destruction. Cyberattacks could erode the trust and confidence that communities have in LHDs and government services, and can introduce legal and liability issues when breaches of protected patient health information occur. As such, federal agencies, academic institutions, national public health representative organizations, and state and local government agencies should work collaboratively and strategically to improve preparedness for LHD cybersecurity incidents.
Cyberrisks to Local Health Departments
The local public health system is comprised of all public, private, and voluntary entities, and their human, infrastructure, and virtual assets, responsible for the health and wellbeing of communities. As part of this system, roughly 2,750 LHDs across the nation provide services that include: food safety, vaccinations, epidemiological surveillance, disaster preparedness planning, emergency response, laboratory testing and coordination, health information exchange, health communication and outreach, community resilience building, public-private sector planning and exercises, hazard and risk assessments, and protection of all sectors from natural and manmade hazards. The 10 Essential Public Health Services are the activities that a local public health department should undertake to ensure the health, safety, and security of the communities it serves. Table 1 describes how such services could be impacted by cyber incidents.
| Essential Public Health Service | Key Local Health Department (LHD) Activity | Example of Vulnerability |
|---|---|---|
| Monitor health status to identify and solve community health problems | Health surveillance | Computer systems that collect and transfer data are vital for both active and passive surveillance. |
| Diagnose and investigate health problems and health hazards in the community | Analysis of health information | Loss of access to information hinders the ability of LHDs to diagnose problems in the community. |
| Inform, educate, and empower people about health issues | Delivery of health information | Attacks on information dissemination systems limit the ability of LHDs to share information. |
| Mobilize community partnerships and action to identify and solve health problems | Electronic coordination and planning | Loss of electronic communication reduces the effectiveness of community partnerships when needed most. |
| Develop policies and plans that support individual and community health efforts | Policy development | Educating policymakers on the public health effects of cyberthreats to formulate better policies and planning reduces the effects of a cyberattack. |
| Enforce laws and regulations that protect health and ensure safety | Gathering of public health data | The loss of infrastructure reduces the ability to report notifiable diseases or health violations. |
| Link people to needed personal health services and ensure the provision of health care when otherwise unavailable | Emergency response activities that provide people with necessary health services, including access to appropriate medical care | Loss of infrastructure causes the denial of utility services needed to maintain the health of the public. Hospitals encounter reduced capacity to provide medical care with the loss of a hospital system. |
| Ensure competent public and personal health care workforce | Many activities, including outbreak management, emergency response, and disease tracking | The continuing loss of staff and funding makes it difficult for LHDs to meet public needs. Increased strain on the system due to a cyberattack magnifies this problem. |
| Evaluate effectiveness, accessibility, and quality of personal and population-based health services | Assessment of public health interventions | Evaluation of health interventions requires data storage and communication to measure progress toward goals. |
| Research new insights and innovative solutions to health problems | Data collection for outbreak response research | Research during a cybercrisis is limited due to loss of infrastructure and records. |
Source: Adapted from “Cybersecurity Threats to Public Health,” by Daniel J. Barnett, Tara Kirk Sell, Robert K. Lord, Curtis J. Jenkins, James W. Terbush, and Thomas A. Burke. World Medical & Health Policy, 5:1. 2013.
From a national critical infrastructure protection perspective, LHDs are part of the Healthcare and Public Health (HPH) sector, one of sixteen national critical infrastructure sectors deemed so vital that the failure or degradation of its systems, networks, or assets would have a severe impact on national security, safety, and health. Efforts to protect the critical infrastructure of the HPH sector are coordinated at the national level through various public and private councils and information sharing organizations. LHDs are also interconnected with and interdependent on many other sectors, such as those responsible for water/wastewater, energy, transportation, critical manufacturing, and supply chain. Local public health is vital to the continued security and welfare of our nation, but relies heavily on technology to deliver services and is increasingly vulnerable to cyberattacks. Unfortunately, several factors inhibit optimal cybersecurity of local public health organizations.
First, local public health departments are highly variable. The system is made up of thousands of independent nodes, each providing services to the public using many different technological assets and levels of resources. Therefore, cybersecurity risk is not uniform and preparedness approaches need to be customized. Often, LHD technological assets are covered under broader jurisdiction-wide IT programs, contributing to a lack of focus on cyberthreats by LHD professionals. In addition to preparing for cybersecurity threats, in the wake of active shooter events, communities around the nation are examining their physical security postures. The implementation of increased physical security measures and practices across local governments, including LHDs, also adds a layer of complexity, as nearly all of these measures have some type of cyber element. In a challenging budget environment, the physical security programs and cybersecurity programs are often competing for the same limited funds. Additional efforts to further bring these two areas together and truly look at threats and risks across the enterprise would allow LHDs to maximize their limited funds. The enterprise view at the cyber-physical nexus would allow LHDs to analyze and determine true risks and determine which can be reduced and which need to be accepted.
Second, at the national level, investments in improving HPH sector cybersecurity have largely focused on healthcare entities and connected industry partners. Nearly all cybersecurity materials and tools produced at the national level focus on healthcare service providers – not LHDs. This omission is not surprising, as LHD cyberrisk is not as well understood as the risks to healthcare, nor is there a sufficient evidence base from which to develop LHD-focused cybersecurity policies and preparedness materials. Furthermore, for many years, representative organizations for public health were not adequately funded to participate in the national-level HPH sector cybersecurity efforts or to produce cybersecurity materials for LHDs.
Third, although Information Sharing Analysis Organizations/Centers (ISAO/ISAC), vital avenues for analyzing and sharing threat information, are improving the overall cybersecurity posture of state, local, territorial, and tribal governments (e.g., multi-state information sharing analysis centers), there is no ISAO/ISAC focusing specifically on local public health cyberthreats. The missions of the two existing HPH sector ISAO/ISACs – Healthcare Ready and National Health Information Sharing and Analysis Center (NH-ISAC) – more closely align with the needs of healthcare entities and adjacent stakeholders, such as those involved with the medical supply chain. Though the U.S. Department of Health and Human Services (HHS) awarded a grant in 2016 to the NH-ISAC to help share information on cybersecurity and engage the participation of the healthcare and public health sector, very little effort appears to be focused on the cybersecurity concerns of LHDs.
Fourth, public health organizations, possibly overwhelmed by other, well-understood priorities, dedicate very little attention to cybersecurity. It is not often viewed as a priority or even considered at all.
Action Items for Improving Local Health Department Cyber Preparedness
Cyberattacks against local governments are becoming a new normal, yet the nation is not doing enough to prepare for and mitigate the risks to local public health from such attacks. However, there are signs of change. Recently, the National Association of County and City Health Officials (NACCHO), the representative organization for LHDs, was funded by the HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) to more fully participate in HPH sector cybersecurity efforts and to produce cybersecurity materials for public health departments. The 2018 Preparedness Summit’s closing plenary session – A Troubling Gap: Why Cyber Security Matters to Public Health Emergency Response – aims to help attendees classify potential cyberthreats and identify tactical strategies for responding to cyberattacks within their communities. Other thought leaders also advocate for improved public health cybersecurity preparedness, for example:
- The Cadmus Group has published several cyber-related articles, such as When Pandemic Management Meets Cybersecurity and Embrace the Cyber Security-Physical Security Nexus, which help raise awareness about cyberthreats to public health departments and governments.
- The American Public Health Association published Public Health Increasingly Facing Cybersecurity Threats: Health field a top target for attacks, presenting some of the risks encountered with a public health cyberattack.
- Cyber Georgia 2017, an annual convening of industry, academia, and government to examine cyberthreats, presented the panel discussion Cybersecurity and Public Health, Emergency Preparedness and Response, which examined hospital and public health department preparedness for emergencies and simultaneous denial of service attacks.
- SGNL Solutions and LAR Consulting developed the Local Public Health Department Discussion Guide for Cybersecurity and are testing the prototype with public health professionals during a workshop at the 2018 Preparedness Summit.
These efforts, along with the leadership of the ASPR, demonstrate a large step toward improving local public health cyber preparedness. However, more can and should be done. Below is a list of action steps that can be taken by four key stakeholders involved in the public health system.
- Federal agencies:
  - Recognize the distinction between the healthcare and public health components within the HPH sector, the vulnerability of local public health entities to cyberthreats, and the unique consequences of a cyberattack on the public health system;
  - Provide resources to academic research institutions to conduct research to thoroughly understand the complex risk relationships between cybersecurity and local public health;
  - Use research to develop evidence-based policy and practices to address this threat;
  - Fund the development of local public health cyberthreat assessment tools;
  - Develop future legislation and regulations that fully account for the interactions between cybersecurity and local public health;
  - Advocate for and ensure appropriate representation of local public health entities on federal cyber working groups and federal cyber programs/projects; and
  - Establish a public health ISAO/ISAC, or fund an existing ISAC, that is truly focused on coordinating, collaborating, and sharing vital physical threat and cyberthreat intelligence and best practices among local public health entities.
- Academic institutions:
  - Conduct new research to thoroughly understand the cybersecurity risk of and consequences to local public health;
  - Work with research funders, local public health practitioners, and evidence translation professionals to develop evidence-based practices and policies for cybersecurity; and
  - Develop curricula to educate emerging public health professionals about cyberthreats and mitigation techniques.
- National public health representative organizations:
  - Coordinate with academia on research efforts and the development of evidence-based policy/practices;
  - Assist with the development and dissemination of local public health cybersecurity needs assessments and tools;
  - Advocate for the appropriate representation of local public health equities on federal cyber working groups and federal cyber programs/projects;
  - Develop communication materials to raise awareness of cyberthreats to local public health; and
  - Develop tools and resources to assist local public health entities in understanding cyberrisk and improving incident preparedness.
- State and local government agencies:
  - Recognize and prioritize cybersecurity as a public health issue;
  - Integrate cyber scenarios into public health training and exercise programs;
  - Conduct cyberrisk vulnerability assessments or include public health in existing assessments;
  - Understand the implications of the physical-cyber nexus and foster better coordination among IT security, physical security, and public safety/preparedness teams; and
  - Develop cybersecurity-specific emergency operation procedures and contingency plans.
It is important to remember that preparedness is a journey, not a destination. These actions are not meant to be comprehensive but, as with many issues, cyberattacks threaten local public health and the people that depend on it. Although there will continually be new threats to address and manage, identifying and taking small but systematic and coordinated steps are necessary for preventing or mitigating the many potential public health consequences that could follow a cyberattack.