AAOS Now

Published 12/20/2023 | Nkem Egekeze, MD

Risks in the Age of AI: Protecting Surgeons with Lessons from Financial Service and Cybersecurity

In early 2023, executives from Bank of America, Citigroup, Goldman Sachs, and JP Morgan Chase made the decision to ban third-party generative artificial intelligence (AI) tools. Multiple employees reported that generative AI tools collected sensitive data and leaked data randomly to users of the AI platform. The finance executives acted swiftly, as the data leaks created risks to customer trust, future revenue, intellectual property, and regulatory compliance.

Considering these issues, should orthopaedic surgeons ban similar generative AI platforms to prevent future leaks of health data? This article will provide insights on cybersecurity concerns, landmark cybersecurity events, costs of cybersecurity breaches, and cybersecurity challenges for orthopaedics.

Cybersecurity strategy concerns
In 2020, the Health Care Industry Cybersecurity (HCIC) Task Force evaluated cybersafety in healthcare and issued a report to Congress. At that time, there was limited information on healthcare cybersecurity strategies, and the report provided insights on present and future challenges. Five key insights from that report are:

  1. Ransomware disproportionately impacts the healthcare industry.
  2. Healthcare lags behind other industries in detecting, preventing, and mitigating cyberattacks.
  3. Seventy percent of surveyed hospitals experienced a “significant security incident” due to email phishing. The incidents resulted in disruption of information technology (IT) operations (28 percent), disruption in business functions (25 percent), data breaches (21 percent), and financial losses (20 percent).
  4. Cybersecurity is underprioritized by most healthcare organizations due to competing priorities, leading to limited cybersecurity staff, training, and financial resources.
  5. Healthcare organizations spend 5 percent of their IT budgets on cybersecurity, though cybersecurity challenges may be the most likely cause of future business risks and costs.

The HCIC report provided a solid framework for investigations into cyber events in the United States and internationally in locations such as Ireland.

Landmark cybersecurity event
In 2021, there was a cyberattack on the Health Service Executive (HSE), the public healthcare system of Ireland. The cyberattack resulted in more than $100 million in health system costs, primarily due to lost revenue from the downtime related to the attack. Of note, included in the HSE shutdown was the national registry for orthopaedic conditions, known as the Irish National Orthopaedic Register. The Irish National Orthopaedic Register collects orthopaedic outcome data, similar to AAOS’ American Joint Replacement Registry.

Researchers believe the ransomware gained entry to the system through phishing emails. Once system entry was gained, all data were then locked from the healthcare staff. Of note, the issues occurred despite large sums of money spent on cybersafety measures, disaster recovery, and business continuity plans.

Cost and timeline of a cybersecurity breach
In 2020, IBM provided one of the first reports on the cyber incident response time of healthcare organizations. Of note, the report found that health facilities take an average of 236 days to detect a data breach and 93 days to mitigate damage from a breach. Both the days to detect a data breach and the days to mitigate a breach are longer than in most other industries. Some of the reasons for response delays relate to limited education and communication on identifying cybersecurity risks.

Response delays result in health organizations paying more money than other industries to resolve cyber-related threats. For instance, IBM noted that healthcare had the highest cost of a data breach, with an average cost of $9.23 million per incident. Research suggests that a 10-person orthopaedic practice may lose more than $3 million in revenue during a 93-day downtime to mitigate issues.

Challenges and recommendations in orthopaedics
Cybersecurity concerns have been growing in regard to 3D printing of customized implants. Research suggests that cyber vulnerabilities exist when 3D printing is outsourced for design, prototyping, and production in high-volume manufacturing facilities. For instance, cyberattacks can lead to changes in printing orientation, which may cause structural defects in devices and compromise patient safety.

Regarding intellectual property theft, researchers are concerned that cloud-based file sharing, Wi-Fi, and email servers used by clinicians can be targeted by hackers interested in gaining access to sensitive data. Considering this, a cybersecurity strategy is critical to protect patient safety, reduce surgeon liability, and prevent lost revenue.

There are several steps that orthopaedic surgeons can take to protect themselves from cybersecurity threats:

  1. Restrict the use of generative AI tools, which have a history of leaking sensitive data.
  2. Collaborate with legal counsel, cybersecurity experts, and vendors to assess intellectual property vulnerabilities and customize solutions.
  3. Each year, inform executives about what their roles and responsibilities are during a cybersecurity event.
  4. Implement multifactor authentication to protect critical business and patient data.
  5. Review the terms and conditions for generative AI platforms considered for use by the organization.

Nkem Egekeze, MD, is a board adviser, physician-scientist, and founder of a research service. He provides insights on emerging trends at the intersection of healthcare, finance, and AI safety.

References

  1. Cawley C: Companies Banning AI Platforms Like ChatGPT in 2023. Available at: https://tech.co/news/tech-companies-banning-generative-ai. Accessed July 12, 2023.
  2. Lomas N: ChatGPT-maker OpenAI accused of string of data protection breaches in GDPR complaint filed by privacy researcher. Available at: https://techcrunch.com/2023/08/30/chatgpt-maker-openai-accused-of-string-of-data-protection-breaches-in-gdpr-complaint-filed-by-privacy-researcher/. Accessed July 23, 2023.
  3. Business Wire: An Alarming 85% of Organizations Using Microsoft 365 Have Suffered Email Data Breaches, Research by Egress Reveals. Available at: https://www.businesswire.com/news/home/20210511005132/en/An-Alarming-85-of-Organizations-Using-Microsoft-365-Have-Suffered-Email-Data-Breaches-Research-by-Egress-Reveals. Accessed August 20, 2023.
  4. Bloomberg Technology: The Cybersecurity Risks of Generative AI and ChatGPT. Available at: https://www.bloomberg.com/news/videos/2023-03-21/the-cybersecurity-risks-of-generative-ai-and-chatgpt-video. Accessed July 28, 2023.
  5. Health Care Industry Cybersecurity Task Force: Report on Improving Cybersecurity in the Health Care Industry. Available at: https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf. Accessed July 2, 2023.
  6. HHS Cybersecurity Program: Lessons Learned from the HSE Cyberattack. Available at: https://www.aha.org/system/files/media/file/2022/02/hhs-ocio-hc3-tlp-white-threat-brief-lessons-learned-from-the-hse-attack-2-3-22.pdf. Accessed June 20, 2023.
  7. Cullen P: Cyberattack: HSE faces final bill of at least $100M. Available at: https://www.irishtimes.com/news/health/cyberattack-hse-faces-final-bill-of-at-least-100m-1.4577076. Accessed July 22, 2023.
  8. Skahill E, West DM: Why hospitals and healthcare organizations need to take cybersecurity more seriously. Available at: https://www.brookings.edu/articles/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/. Accessed July 31, 2023.
  9. Logan M, Mendoza E, Maglaque R, et al: The State of Ransomware: 2020’s Catch-22. Available at: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-state-of-ransomware-2020-s-catch-22. Accessed August 24, 2023.
  10. IBM Security: Cost of a Data Breach Report 2020. Available at: https://www.ibm.com/downloads/cas/RZAX14GX. Accessed August 30, 2023.
  11. IBM Cloud: Cost of a Data Breach: A View from the Cloud. Available at: https://www.ibm.com/downloads/cas/JDALZGKJ. Accessed June 4, 2023.
  12. Di Fiore A: 3D Printing Gives Hackers Entirely New Ways to Wreak Havoc. Available at: https://hbr.org/2017/10/3d-printing-gives-hackers-entirely-new-ways-to-wreak-havoc?ab=at_art_art_1x4_s01. Accessed August 30, 2023.
  13. Sertoglu K: How to Combat Cybersecurity Risk in the 3D Printing Industry. Available at: https://3dprintingindustry.com/news/interview-how-to-combat-cybersecurity-risks-in-the-3d-printing-industry-191466/. Accessed August 31, 2023.
  14. Azhar A: Cybersecurity in the Age of AI. Available at: https://hbr.org/podcast/2019/12/cybersecurity-in-the-age-of-ai. Accessed August 2, 2023.