Ensuring patient safety and business continuity: Healthcare leaders' guide to managing ransomware attacks
April 03, 2023
By Jon Moore
Ransomware continues to be a plague on the healthcare sector. Recent headlines illustrate that our hospitals, whether large or small, are not safe from criminal organizations willing to profit through extortion.
Effectively planning for and responding to a ransomware attack requires a holistic approach. All departments of a hospital may be impacted by an attack, and all must be prepared to respond.
Patient safety comes first
The first concern during a ransomware incident should be patient safety. Your organization should immediately activate its emergency protocols and, if necessary, business continuity plan.
Communications systems are often compromised in the attack. Therefore, your organization will need to be prepared to establish alternative communication channels with stakeholders.
If the EHR and other clinical systems are offline, your organization will need to switch to paper. It is becoming increasingly difficult and risky for hospitals to switch to paper. Staff, particularly those newer to the field, are not always familiar with the use of paper charts. Also, particularly during shift changes, there is a chance information is lost with significant potential consequences for patients.
It is particularly important that staff verify patient information. They will need to be extra cautious in verifying identities, history, medication records, and other information that may not be otherwise available or captured fully and accurately.
Because of the extra time and attention needed, it is important to focus first on your most at-risk patients. The organization will need to prioritize patient care and reschedule non-urgent appointments if necessary.
Even so, the organization may be overwhelmed, and it may be necessary to coordinate care with other facilities. The organization should be prepared to collaborate with nearby hospitals, clinics, or healthcare providers to ensure continuity of care for patients who may need to be transferred or redirected to other facilities.
Leadership will need to keep staff informed about the situation. They will also need to be prepared to provide guidance on any temporary procedures or safety measures staff should follow during the recovery process.
Given the elevated risk to patient safety, the team will need to closely monitor patients for any signs of complications or adverse events that may arise from disruptions in care or changes in treatment plans.
The staff should be particularly sensitive to any apparent glitches or unusual behavior in systems or networked medical devices that remain up and running. They will need to be prepared to escalate any concerns or issues to the appropriate people. Taking these systems offline if they are impacted by the incident may be necessary. Doing so before they impact patient safety is critical.
IT, security, and clinical engineering response
While the clinical team scrambles to address patient safety, the IT, IT security, and clinical engineering teams need to be in active response mode.
There are several models that your organization may follow to prepare and respond to an incident. These models have different structures and terminologies, but they generally share the common goal of helping organizations prepare for, detect, respond to, and recover from cybersecurity incidents.
First, it is critical that your organization plan for an incident before it occurs. This includes conducting a business impact analysis (BIA) to understand the organization's critical business processes and system dependencies. The output of the BIA should become an input into incident, disaster, and business continuity plans.
Planning alone, of course, is not sufficient; the organization needs to build the capability to execute the plans and test them to make sure that they are sufficient and effective.
Next, your organization should be monitoring its environment so that an incident is identified early. This includes monitoring system logs, network traffic, endpoint activity, and security devices such as firewalls 24 hours a day, seven days a week.
When an incident is identified, your organization will need to contain the incident, eradicate the threat, and recover your systems and devices. The speed and ability with which this can be accomplished determine in large part the scale of the incident’s impact and the ultimate cost to your organization.
Leadership response
It is more important than ever that your organization’s leadership team is organized and active during the incident response. This team may include the CEO or COO, CIO, CISO, CMO, CNO, CCO, Legal Counsel, Communications Director, and potentially department heads.
They will need to be prepared to make decisions during the incident. For example, they will need to prioritize the response, balancing the need to protect critical assets, ensure business continuity, maintain patient and employee safety, and uphold patient trust.
An effective response requires that leadership communicate effectively. The team leading the response will need to decide what information to convey, when to convey it, how to convey it, and to whom. Establishing clear lines of communication and avoiding conflicting information is critical.
Aligning communications and effort requires coordination across teams. The leadership team will need to make sure that everyone is on the same page during the response and working toward a common set of goals and objectives.
Understanding and managing the risk to your organization should be a key consideration in identifying those goals and objectives. This might include everything from deciding whether to pay the ransom to determining what systems to shut down in response to the incident.
It is common that an organization will need to engage third parties during the response. The leadership team will need to be prepared to quickly identify and, when necessary, contract with these resources. This might include, for example, law enforcement, media, cybersecurity forensics, ransomware negotiators, and IT support.
As decisions are made and the plan executed, the leadership team should monitor progress by getting regular updates from across the organization. It is important that they stay informed, adjust the response as necessary, and continue to communicate effectively.
Final thoughts
After your organization recovers, your work is not done. The teams should conduct a post-incident review to identify lessons learned, determine the effectiveness of their incident response, and identify areas for improvement. This may involve updating the incident response policy and plan, revising security policies and procedures, improving security posture, providing additional training to staff, and ultimately improving the resiliency of your organization. The leadership team should make sure these things happen.
This is critical as the leadership team will also need to restore trust with the organization’s stakeholders. This will require transparency about the incident, demonstrating accountability, outlining the steps that will be taken in response to the incident, and reporting on progress toward those steps as the organization makes changes.
The days of relying on IT alone to respond to a cyber incident are over. Ransomware has changed the game. A holistic approach to response is required. Organizations need to make the investment of time and money necessary to mitigate the risk to their patients as well as their future financial health before an incident happens.
About the Author: Jon Moore is senior vice president & chief risk officer at Clearwater. He is an experienced professional with a background in privacy and security law, technology and healthcare. During an eight-year tenure with PricewaterhouseCoopers (PwC), Moore served in multiple roles. He was a leader of the Federal Healthcare Practice, Federal Practice IT Operational Leader, and a member of the Federal Practice’s Operational Leadership Team. Among the major federal clients supported by Moore and his engagements are the National Institute of Standards and Technology (NIST), National Institutes of Health (NIH), Indian Health Service (IHS), Department of Health and Human Services (HHS), U.S. Nuclear Regulatory Commission (NRC), Environmental Protection Agency (EPA), and Administration for Children and Families (ACF). Moore holds a BA in Economics from Haverford College, a law degree from Penn State University’s Dickinson Law, and an MS in Electronic Commerce from Carnegie Mellon’s School of Computer Science and Tepper School of Business.