Matt Murren

How prepared are you for a cyberattack?

August 26, 2022
By Matt Murren

Cybersecurity threats to healthcare operations range from infamous ransomware programs like WannaCry to health system shutdowns due to infected emails to denial-of-service attacks, all of which interrupt continuity of patient care. The financial implications of these interruptions are massive. For over a decade, healthcare has been paying more than any other industry in the U.S. for data breaches, reaching an average of $9.23 million per incident in 2021.

How well is your private practice, ambulatory care center, or hospital currently defending against these threats? And once an attack occurs, how prepared are you to respond?

1. Do you have an updated map of your systems and their vulnerabilities?
To map a clinic or hospital’s operational systems and points of vulnerability, it is crucial to think beyond the EMS and the billing/payment platform. For instance, Internet of Things (IoT) capabilities and remote technologies for patients hold great benefits for workflow and patient-centric care, but they also open organizations up to new cybersecurity risks. Practices and hospitals may not immediately think of all of these tie-ins when they consider their obligation to protect patient and organizational data.

Every institution, from single-facility clinics to multisite health systems, should bring together experts from across the organization to prepare what’s called a “matrix of criticality”—a document that lists all of the systems used in normal business operations, including those governing the physical facility, and ranks them in terms of necessity and potential harm if compromised.

Understanding how various systems affect patient care is one goal of this interdisciplinary exercise; another is determining who uses each system so that they can be notified of alternative or failover systems in the case of an outage. A final goal is to identify who is responsible for securing these systems before a breach—and during recovery.
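The matrix of criticality described above can be kept as structured data rather than a static document, which lets the same inventory answer the three questions the exercise raises: in what order systems should be restored, who must be told about a failover, and who owns each system. The following is an added illustration, not code from the article or from True North; every system, score, owner, user group and dependency in it is constructed sample data, and the necessity-times-harm score is one simple ranking choice among many.

```python
"""Criticality matrix with dependency-aware recovery ordering.

Added illustration only; all systems, scores, owners, user groups and
dependencies below are constructed sample data.
"""
from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass
class System:
    name: str
    necessity: int          # 1-5: how essential to patient care and operations
    harm: int               # 1-5: harm to patients or the organization if compromised
    owner: str              # who secures the system before a breach and during recovery
    users: tuple            # who must be told about the failover when it is down
    failover: str           # alternative process while the system is unavailable
    depends_on: tuple = ()  # systems that must be back before this one works again

    @property
    def criticality(self) -> int:
        # Simple product score; a real matrix may weight the two factors differently.
        return self.necessity * self.harm


# Constructed sample inventory: facility and device systems, not just the EHR.
INVENTORY = [
    System("Active Directory", 5, 5, "IT infrastructure lead", ("all staff",), "none; restore first"),
    System("EHR", 5, 5, "Clinical informatics", ("physicians", "nursing"), "paper charting", ("Active Directory",)),
    System("Patient portal", 3, 4, "Web team", ("patients",), "phone line", ("EHR",)),
    System("Billing", 3, 3, "Revenue cycle", ("billing staff",), "batch claims later", ("EHR",)),
    System("HVAC controls", 4, 3, "Facilities", ("facilities staff",), "manual control"),
    System("Infusion pump gateway", 5, 5, "Biomedical engineering", ("nursing",), "manual pump programming", ("Active Directory",)),
]


def recovery_order(systems):
    """Restore order: a system never precedes its dependencies; among the systems
    that are ready at each step, the most critical one comes first (ties by name)."""
    by_name = {s.name: s for s in systems}
    ts = TopologicalSorter({s.name: set(s.depends_on) for s in systems})
    ts.prepare()  # raises CycleError if the dependency map is circular
    ready, order = set(), []
    while ts.is_active():
        ready.update(ts.get_ready())
        nxt = min(ready, key=lambda n: (-by_name[n].criticality, n))
        ready.remove(nxt)
        order.append(nxt)
        ts.done(nxt)
    return order


def affected_systems(systems, down):
    """Systems unavailable because they, or anything they depend on, are down."""
    affected = set(down)
    changed = True
    while changed:  # propagate until no new system is pulled in
        changed = False
        for s in systems:
            if s.name not in affected and any(d in affected for d in s.depends_on):
                affected.add(s.name)
                changed = True
    return affected


def notifications(systems, down):
    """Map each user group to the failover instructions it must receive."""
    by_name = {s.name: s for s in systems}
    messages = {}
    for name in sorted(affected_systems(systems, down)):
        s = by_name[name]
        for group in s.users:
            messages.setdefault(group, []).append(
                f"{s.name} unavailable: use {s.failover} (owner: {s.owner})")
    return messages


if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(INVENTORY)))
    for group, lines in notifications(INVENTORY, {"EHR"}).items():
        print(f"Notify {group}:")
        for line in lines:
            print("  ", line)
```

Running the script with the EHR marked down shows why the exercise is interdisciplinary: the portal and billing teams, and the patients, are affected even though nobody attacked their systems, and the notification list is derived from the dependency map rather than from memory during the outage.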

2. Are you keeping up with security updates?
Along with a map of their systems, organizations must get a clear sense of their capacity to protect them. If in-house IT personnel are too busy with daily tasks to keep up with the patches and security fixes issued intermittently by system manufacturers, the organization may need to enlist external resources to do so.

While monitoring vendor sites for system updates will help protect systems from attack, there are also measures practices can take before they bring on new technologies or add-ons to help lessen the burden on in-house IT. Contracts with new vendors can include expectations for the vendor’s ongoing security monitoring and compliance, for example. Contracts can also include provisions about shared liability in the event of a breach.

Cybersecurity standard IEC 80001-1 is a useful tool for any clinic, group practice, or hospital bringing on new remote capacities and technologies. The standard offers a specific but flexible framework for risk management of IT networks incorporating medical devices, prompting hospitals to drill down and define the roles, responsibilities, and activities associated with each technology.

3. How comprehensive is your disaster recovery plan?
The Health Insurance Portability and Accountability Act (HIPAA) requires that every healthcare organization in the country have a disaster recovery plan in place. All of these plans pay at least some attention to the risk of a cybersecurity attack or data breach alongside other sources of system downtime or outage.

The quality of these plans—and how effectively they are implemented—will vary from institution to institution. Lisa Pino, Director of the Office for Civil Rights at the Department of Health and Human Services, has urged healthcare organizations to improve the swiftness of their recovery by broadening their view of disaster: “All too often,” she writes, “we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis.”

4. Who knows about the plan? How will you communicate with patients and staff if an attack occurs?
In addition to understanding the likeliest targets of ransomware or the possible vectors of a denial-of-service attack, organizations will need to identify the backup or alternative systems they’ll turn to if those threats materialize. This aspect of planning must also include strategies for communication. IT staff can use the criticality matrix and disaster recovery plan to chart out their priorities in terms of system recovery, but facility leaders will need to determine what physician and patient users need to know about why a system is down—and exactly what to do (fall back on paper-based systems? access a portal via a different web address?) until it’s back up and running.

5. Is your organization prepared to act together to move past a breach?
In dealing with a ransomware or other cyberattack, one of the most frequent pitfalls is a lack of staff coordination and patience.

Any appropriate, comprehensive disaster recovery plan will specify that the organization’s insurance carrier be contacted immediately in the event of an attack. (The insurance policy will also specify this outreach as a provision of its coverage.) The insurance carrier will assign a professional incident commander to the organization. That commander and his or her team should become the hub of all system recovery activity.

The reason for this is that the incident commander is uniquely positioned to balance different priorities—including balancing the demands of a criminal investigation (where the affected systems may hold important evidence of the attackers’ source and methods) vs. recovering systems as soon as possible. When individuals act outside of the incident team’s plan and schedule, they may end up harming the recovery more than they help.

Preparing for a cyberattack should be a routine part of job readiness in today’s healthcare landscape. Leaders of hospitals, ambulatory care centers, and private practices can minimize the risks to their patients and their bottom line if they are proactive in this area.

Just as cybercriminals adapt their strategies to new opportunities and weaknesses, so must healthcare organizations continually adapt to defend against these threats.

About the author: Matt Murren is the CEO of True North.