Department of Health and Human Services

RISK ASSESMENT OF THE HEALTH INDUSTRY
Name
Institution
Abstract
This research paper will explore the current security state of the health industry in America. First, I will attempt to identify critical infrastructure in the health sector and gauge their level of safety along with state of preparedness for any possible attacks. Next, the paper will explore the various “vulnerabilities that have been identified in the physical and digital safeguards” that are currently employed in the American healthcare sector. Furthermore, the research will seek to shed light on past experiences witnessed globally to try and identify the various methods through which people or organizations with ill intent may attack the U.S healthcare system. After analyzing the past and current situations, I will hope to use the knowledge gathered, along with the expertise of various experts in the field to propose possible deterrent measures that will seek to enhance the security situation in the major infrastructure of the U.S healthcare system.
Introduction
The health industry is one of the most critical sectors of any economy. As experts note, any threat to this important area will probably cripple the rest of society, with civilization quickly descending into anarchy. Currently, the healthcare industry in America lags well behind regarding the securing critical facilities from threats of all kinds. For instance, in 2016, we have witnessed large-scale attacks on the IT systems that have only proved what was long feared; that this sector that is intertwined with our well-being is exposed to assault by persons with ill intent (Ameen, Liu, & Kwak, 2012).

What is more worrying is that we live in an age of global terrorism, with these organizations gaining a foothold, both domestically and globally. Furthermore, the war on the internet is also being lost, with hackers getting away with troves of critical data on patients and healthcare facilities.
While other sectors of the economy are fortifying their infrastructure, both physical and digital, the health industry lags well behind, with staff ill-trained on detection, prevention and on how to handle dangerous situations. Indeed, the worry is that any person, whatever their motives are can easily access critical data, get into many healthcare facilities without much as a cursory inspection and background check. Due to the high numbers of rushed entries, hospitals are quite vulnerable to rapid attacks by large groups or even lone ranger attacks by persons posing as patients (Tully, 2010). This research paper hopes to establish possible measures to combat these threats.
Scope of the sector
The healthcare system in the U.S is one of the largest in the country, in regards to the number of personnel and customers, the size of infrastructures and the sheer number of money spent annually in this vital sector. According to Dan Munro of the Forbes, spending in this area has peaked at around $3.8 trillion annually. In fact, it has been theorized that by the year 2020, healthcare will account for about 20% of the nation’s GDP (Gross National Product). The spending trends can be clearly seen in the graph below

Furthermore, data from Gallup shows that in the last decade, in the U.S there were 38.4 visits per 100 persons in 2010 to the emergency section of hospitals alone. However, the data provided does now account for the inpatient section, staff and other relevant people who visit healthcare facilities often. The statistics highlight the enormous number of individuals who are in a health facility at any given time.
In the United States, many health care facilities are privately owned, although many others are run by the national, state and county authorities and religious groups among many others. For example, in November 2005: London Metropolitan Police apprehended two terrorism suspects who were plotting a bomb attack and one of the suspects was in possession of a note saying “Hospital=Target.” What causes concern is that some of the largest facilities are run by the national government or religious groups, and this makes them prime targets for anti-American organizations or groups that oppose a particular religion that facilitates a healthcare facility. Indeed, hospitals such as the New York-Presbyterian Healthcare System in the state of New York may be targeted by Islamic groups such as the Al-Qaeda simply due to their religious affiliation.
In every state and county in the United States, there are numerous healthcare facilities that at any given time have patients, caregivers and other people in them. Thus, any party with ill intentions will be “spoilt for choice” when identifying potential targets for staging attacks. In the U.S many labs contain dangerous strains and pathogens, which if attacked and overrun, could pose serious threats to humanity.
For example, there are many CDC “Center for Disease Control and Prevention” nationwide, ranging from the “headquarters in Druid Hills,” “Georgia to Arlen Specter Headquarters” and “Emergency Operations Center.” More so, some of the largest hospitals in the world, in regards to staffed beds, are in the United States. Some of these include the Hospital Corporation of America in Nashville, Tennessee with a total of 35,245 beds, the Tenet Healthcare in Dallas, Texas with around 17,605 beds and the Catholic Health Initiatives in Denver that can accommodate around 14, 500 patients. In fact, these are only a fraction of the numerous healthcare facilities in the country.
Threats – Reviewing the risks associated with this sector including past attacks and incidents
The threats that the healthcare industry faces are many and of a diverse nature. Attacks range from, direct attacks by armed shooters or suicide bomber, covert attacks by chemical or biological agents to the emerging threats posed by cyber-criminals. Another threat that is prevalent to the United States and that cannot be ignored is the prevalence of lone ranger attacks in the form of mass shootings. For instance, the U.S accounts for roughly 31% of all mass shootings in the world, despite accounting for about 5% of the global population. This research paper will explore various attacks and how badly they may cripple the sector regarding lives lost and infrastructure that may be destroyed in the attacks. Some of these include;
Direct/conventional attacks
A method favored by organizations that practice extremist religious ideologies. Groups such as the so-called Islamic State (ISIS), Al-Qaeda and the Taliban have previously stated their intentions to carry out attacks on U.S soil. Attacks using assault rifles and other assorted light weapons such as hand grenades and rockets are likely to cause substantial losses regarding human life lost. What is worrying is that in the U.S, due to lax regulations, such weapons are easy to acquire and stockpile in relatively large quantities. With the current influx of immigrants, a terrorist posing as an asylum seeker can easily infiltrate our borders with the intent and ability to carry out these attacks to devastating conclusions.
Furthermore, if the past has shown anything, some radical elements favor attacking hospital and health installments due to the ease with which they can get in. More so, the large number of infirm hostages who can barely fight them off, and the ability to steal sensitive chemicals and biological agents are attractive propositions. The Budyonnovsk hospital hostage crisis, in Russia, only served to show what a group of lightly armed fighters can accomplish by attacking such facilities (Pelto, 2010). In fact, the ability of the Chechen separatists to force a ceasefire with the Russian government may only have served to embolden potential attackers who may feel that this is the only way to negotiate with the American government.
Use of chemical or biological agents
Some attackers may choose to employ more covert attacks on healthcare facilities after accessing stockpiles of chemical agents and biological pathogens that have been weaponised. Chemical agents such as sarin, chlorine, and mustard gas are highly lethal, and their fatality rates are very high. Some weaponised biological strains may include the plague, anthrax, and Ebola are highly contagious and very hard to contain (Trufanov, Rossodivita, & Guidotti, 2010). Indeed, with some global terrorist close to acquiring these weapons from failed governments’ stockpiles, from rogue governments or their corrupt agents, their ability to mount these attacks only increases by the day. For example, a terrorist organization such as the ISIS can ultimately gain these weapons from the stockpiles left unguarded after the toppling of Libyan dictator Muammar Gadhafi or maybe steal them after overrunning government installations in the Syrian conflict.
Furthermore, by attacking labs such as the CDC or manufacturing their stocks, some domestic attackers can utilize these agents to attack health installations. Indeed, a covert attack can easily go undetected because some agents are not easily detected. A pathogen such as Ebola is highly contagious, and any attacker can infect medical personnel to ensure a quick exposure to the visiting public (Govil & Govil, 2015). In fact, an attacker can easily pose as a patient, medical staff or a visitor to quickly gain access to a health care facility and in the process initiate a deadly attack on the public.
Cyber attacks
One of the newly emerging but dangerous threats facing the healthcare industry in the United States is attacks by cyber criminals. In fact, statistics from the last few years paint a grim picture in regards to cybersecurity in the health industry. For instance, the year 2015, numerous data breaches and cyber-attacks were witnessed, with health companies losing millions of patient details, money, and other valuable data. With hospitals moving to digital platforms such as the ERS, cyber-attacks on the health industry are only beginning to take root, with devastating results. In fact, the IBM, in its 2015 Cyber Security Intelligence Index stated that “2015 the year of the healthcare breaches” (Tanenbaum & Practicing Law Institute, 2015).
With increasing effectiveness, criminals have taken advantages of the weak security employed by the health care industry crippling essential systems in the health sector. For example, the Hollywood Presbyterian Medical Center in California was attacked by ransomware and malware, which crippling its computer network and forcing the hospital to switch to depend on fax machines and paper records for over a week (Tanenbaum & Practicing Law Institute 2015).
Vulnerabilities in the security of the American health industry
Due to many long-standing and emerging issues, the American health industry, for a long while has been left vulnerable to many forms of attacks that could bring this vital sector to a standstill. For instance, lax security at many healthcare facilities is an issue that has not been addressed even after terrorist attacks on U.S soil (Tully, 2010). Furthermore, employers at these facilities, be it the national, state and county governments or the private owners, have failed to properly improve staff awareness to potential terrorist attacks and to equip with the right knowledge to identify potential perpetrators (Govil & Govil, 2015). More so, the lack of physical barriers that protect the critical health infrastructure has only served to enhance the unwanted reputation of being soft targets for potential attacks. Finally, this research has shown that many healthcare IT systems are poorly secured from any cyber-attacks hence the huge breaches witnessed recently.
Consequences – Review the effects associated with this sector if an attack or accident were to occur
Sadly, if the past is anything to go by, possible consequences of these vulnerabilities are too grim to imagine. Some experts have in fact issued doomsday warnings if some of these attacks occur. The quick loss of life in the case of a suicide bomb or gun attacks will be significant, with hospitals harboring hundreds of people at any given moment. More so, other factors such as the number of attackers, weapons, and tactics used can vary, leading to even more people being killed (Trufanov, Rossodivita, & Guidotti, 2010). More so, the damage on the healthcare facilities will be tremendous with losses running into millions of dollars in damages. Furthermore, there can be a loss of sensitive material such as pathogens and radioactive substances, which can be used to engineer further attacks or prevent a quick response (Sarkani, Mazzuchi & Young-McLear, 2015).
For instance, if a lab facility like the CDC were attacked, highly dangerous strains of doomsday diseases would quickly spread and wipe out a good percentage of the unknowing population. In a world connected by mass transport systems such as air travel and railways, spreading of pathogens is child’s play. Indeed, some deadly contagions such as Ebola, which quickly spreads through any contact with bodily fluids, such as sweat, can spread all over the globe under 48 hours (Galatas, 2013). The loss of life if not quickly dealt with, can easily match previous extinction level events.
On the other hand, cyber-attacks have threatened to cripple any operations taking place in healthcare facilities. With many critical functions depending on IT infrastructure, loss of life can be witnessed with critical life support machines failing. Furthermore, vital patient data such as social security numbers can be stolen and used to steal their identities and to harass them (Ameen, Liu & Kwak, 2012). Finally, hackers can and indeed have, stolen money from healthcare facilities, and this can easily ground operations due to lack of finances. Indeed, there are much more terrible implications that face the health industry, with any of them threatening to cripple this important sector entirely.
Risk Assessment
After analyzing the available data, experiences from past events and predicted outcomes, the security state of the health industry paints a grim picture. With threats ranging from; suicide and car bombs, dangerous pathogens and lethal chemicals to computer hackers with ill intent, the healthcare industry is yet to comprehend the dangers it faces entirely. Many healthcare facilities are admitting visitors to their premises without as much as a quick frisking. Furthermore, the staffs at these facilities are poorly or in many cases, not trained to identify potential threats such as personnel impersonation.
Furthermore, the lack of physical inspections and barricades at the entrance to most hospitals increases the chances of car bomb attacks. In regards to cyber security, many hospital computer networks lack even the most basic firewalls. Without these penetration detectors, the healthcare sector’s IT infrastructure has been exposed to all kind of cyber threats, from ransomware, phishing, and computer hijack (Appari & Johnson, 2010). This research shows that very few healthcare facilities have enforced regulatory recommendations in regards to physical and online security
Recommendations
Through utilization of experiences gained from past events, government reports, and various expert opinion, this research has proposed different measures be undertaken to enhance and ensure the security of America’s healthcare facilities. Some of these recommendations are both short term and long term and will require investment regarding financial and human capital. They include;
A complete assessment of Security/Risk Management Plans to identify potential threats, their nature, and any available preventive measures. By taking these steps, every healthcare facility will be able to determine the various vulnerabilities in their security and the most efficient method of dealing with these gaps. For instance, a lab facility that stores dangerous pathogens should be fortified, with deep underground storages that are accessible to few officials who use their biometric data to gain access (Cooper, 2006). Furthermore, other containment measures such as quick reaction forces, which will immediately neutralize attackers, should be put in place to ensure maximum security.
Ensure staff education to ensure awareness of potential attacks. By fully informing the personnel on relevant policies and guidelines, healthcare facilities will make sure that their employees are adequately prepared to handle potential attackers and able to identify them before they carry out these activities Bliss, Hristovski, & Ulrich, 2013). Furthermore, physical security of these structures should be reinforced, with the erections of physical deterrents such as walls and security checkpoints. By enforcing these safety measures, health facilities will be better equipped to prevent and limit potential life loss caused by terror attacks. In regards to threats from the cyber criminals and terrorist, healthcare IT systems should enforce government regulations in regards to cyber security, ensure vigilance and report potential threats to relevant authorities (Das, Kant, & Zhang, 2012)
Finally, public funding for the safety of this critical sector should increase by a huge percentage, with the money going to the construction of secure structure, training of staff, installation of detection systems among many other detective and preventive measures (Sarkani, Mazzuchi & Young-McLear, 2015). Furthermore, in conjunction with relevant agencies, critical healthcare facilities and infrastructure should be placed under armed guard, ready to deal with potential attackers.
References
Al Ameen, M., Liu, J., & Kwak, K. (2012). “Security & privacy issues in wireless sensor networks for healthcare applications.” Journal of medical systems, 36(1), 93-101.
Appari, A., & Johnson, M. E. (2010). “Information security and privacy in healthcare: current state of research. International Journal of Internet & Enterprise Management”, 6(4), 279-314.
Bliss, M. M., Hristovski, K. D., & Ulrich, J. W. (January 01, 2013). “Compliance of community hospitals with the Chemical Facility Anti-Terrorism Standards (CFATS) in the western United States.” Journal of Homeland Security and Emergency Management
Cooper, M. (2006). “Pre-empting Emergence the Biological Turn in the War on Terror.” Theory, Culture & Society, 23(4), 113-135.
Das, S. K., Kant, K., & Zhang, N. (2012). Handbook on securing cyber-physical critical infrastructure. Waltham, MA: Morgan Kaufmann.
Galatas, I. (January 01, 2013). CBRN planning in the urban environment. Crisis Response Journal.
Govil, T., & Govil, J. (January 01, 2015). Health Information Technology/Biodefense Needs to Fight Bio-Terrorism.
Pelto, C. (January 01, 2010). Code Black: Hospitals as terrorist targets. Journal of Counterterrorism & Homeland Security International.
Sarkani, S., Mazzuchi, T. A., & Young-McLear, K. A. (January 01, 2015). Large-Scale Disaster Response Management.
Tanenbaum, W. A., & Practicing Law Institute, (2015). Healthcare IT 2015: Critical issues.
Trufanov, A., Rossodivita, A., & Guidotti, M. (2010). Pandemics and Bioterrorism: “Trans-disciplinary information sharing for decision-making against biological threats.” Amsterdam: IOS Press.
Tully, T. (January 01, 2010). Hospital emergency planning: Hospitals qualify as critical infrastructure. Domprep Journal.