WMA Statement on Cyber-Attacks on Health and Other Critical Infrastructure

Adopted by the 67^th World Medical Assembly, Taipei, Taiwan, October 2016 

PREAMBLE

• Advancements in modern information technology (IT) pave the way for improvements in healthcare delivery and help streamline physician workflow, from medical record keeping to patient care. At the same time, implementing new and more sophisticated IT infrastructure is not without its challenges and risks, including cyber-attacks and data breaches.

• Cyber security threats are an unfortunate reality in an age of digital information and communication. Attacks on critical infrastructure and vital assets of public interest, including those used in the fields of energy, food and water supply, telecommunications, transportation and healthcare, are on the rise and pose a serious threat to the health and well-being of the general public.

• With the proliferation of electronic medical records and billing systems, the healthcare sector is especially susceptible to cyber intrusions and has become a prime soft target for cyber criminals. Healthcare institutions and business partners, from the smallest of private practices to the largest of hospitals, are vulnerable not only to the theft, alteration and manipulation of patients’ electronic medical and financial records, but also to increasingly sophisticated system breaches that could jeopardise their ability to provide care for patients and respond to health emergencies. Especially disconcerting is the threat posed to a patient’s fundamental right to data privacy and safety. In addition, repairing the damage caused by successful cyber-attacks can entail significant costs.

• Patient data also demands protection because it often contains sensitive personal information that can be used by criminals to access bank accounts, steal identities, or obtain prescriptions illegally. For this reason, it is worth far more on the black market than credit card information alone. Alterations to or abuse of patient data in the case of a breach can be detrimental to the health, safety and material situation of patients. In some cases, breaches can even have life-threatening consequences.

• Current security procedures and strategies in the healthcare sector have generally not kept pace with the volume and magnitude of cyber-attacks. If not adequately protected, hospital information systems, practice management systems or control systems for medical devices can become gateways for cybercriminals. Radiology imaging software, video conferencing systems, surveillance cameras, mobile devices, printers, routers and digital video systems used for online health monitoring and remote procedures are just some of the many IT structures at risk of being compromised.

• Despite this danger, many healthcare organisations and institutions lack the financial resources (or the will to provide them) and the administrative or technical skills and personnel required to detect and prevent cyber-attacks. They may also fail to adequately communicate the seriousness of cyber threats both internally and to patients and external business partners.

RECOMMENDATIONS

1. The WMA recognises that cyber-attacks on healthcare systems and other critical infrastructure represent a cross-border issue and a threat to public health. It therefore calls upon governments, policy makers and operators of health and other vital infrastructure throughout the world to work with the competent authorities for cyber security in their respective countries and to collaborate internationally in order to anticipate and defend against such attacks.
2. The WMA urges national medical associations to raise awareness among their members, health care institutions and other industry stakeholders about the threat of cyber-attacks and to support an effective, consistent healthcare IT strategy to protect sensitive medical data and to assure patient privacy and safety.
3. The WMA underscores the heightened risk of cyber intrusions and other data breaches faced by the healthcare sector and urges medical institutions to implement and maintain comprehensive systems for preventing security breaches, including but not limited to providing training to ensure employee compliance with optimal data handling practices and to maintain security of computing devices. 
4. In the event of a data security breach, healthcare institutions should have proven response systems in place, including but not limited to notifying and offering protection services to victims and implementing processes to correct errors in medical records that result from malicious use of stolen data. Data breach insurance policies could be considered as a precautionary measure for defraying the costs associated with a potential cyber intrusion.
5. The WMA calls upon physicians, as guardians of patient safety and data confidentiality, to remain aware of the unique challenge cyber-attacks could pose to their ability to practice their profession and to take all necessary measures that have been shown to safeguard patient data, patient safety and other vital information.
6. The WMA recommends that undergraduate and postgraduate medical education curricula include comprehensive information on how physicians can use modern IT and electronic communications systems to full advantage, while still ensuring data protection and maintaining the highest standards of professional conduct.
7. The WMA acknowledges that physicians and healthcare providers may not always have access to the resources (including financial), infrastructure and expertise required to establish fail-safe defence systems and stresses the need for the appropriate public as well as private bodies to support them in overcoming these limitations.