Cyber Attack Risk Assessment for Your Hospital Emergency Plan

Jan 7, 2020


If your hospital experiences a cyber attack, will you be prepared?

Most hospitals include cyber attacks as part of a risk assessment for the hospital emergency plan. The CMS Emergency Preparedness final rule requires an all-hazards risk assessment for all healthcare facilities including hospitals. As the first post in this hospital cyber preparedness series explains, a cyber attack is a probable hazard for most healthcare facilities, especially health systems and hospitals. In a report, 39 percent of healthcare organizations said they were hit daily or weekly by cyber attacks, and only 6 percent said they had never experienced one.

Nearly 70 percent of hospital emergency managers and IT personnel say that their organization conducts a cybersecurity risk assessment at least yearly. Yet in many cases that risk assessment leads to a single line item that does not encompass the extent of the threat: neither the variety of threats nor the impacts they would have across the organization.

Historically, hospitals have focused emergency preparedness efforts on events such as workplace violence and severe weather. As a result, the dramatic increase in cyber attacks and hospital ransomware events has caught hospitals and other healthcare organizations off guard. What used to be a remote possibility has become a frequent occurrence. Now that the probability of cyber attack is much higher, hospitals and health systems should be thinking in terms of when, not if.

The impact of a cyber attack could be substantial. Yet among hospitals that have experienced a cyber attack, many report that they were unprepared for just how devastating it would be. Not only is the organization often locked out of its entire network, but the disaster lasts far longer than expected. As one hospital emergency manager said:

“The one thing that took the wind out of our sails was not so much the scope of what happened but the length of what happened. We operated in incident command mode for pretty much a month. This is not the typical disaster that a hospital faces … [The] magnitude and this duration are what sets this apart.”

Hospitals and other healthcare facilities cannot preserve the continuity of operations — for patient care and business operations — without understanding the extent of risk posed by cyber attacks. To prepare your organization, be sure to include the following factors in your risk assessment.

Identify your hospital’s cyber vulnerabilities

When it comes to cybersecurity, it’s often what you don’t know that can hurt you. For example, in the case of a data breach, many organizations don’t realize their data has been exposed until months after the initial attack. A joint IBM-Ponemon study found that the average time for a US company to identify a data breach was 197 days. In a ransomware attack, attackers make their presence known, but limiting the impact of the cyber attack requires having a clear picture of everything connected to your network. You will need visibility across your entire organization.

Gaining this visibility is a challenge for most businesses, and hospitals are no exception. Especially in larger health systems, major departments may operate independently, resulting in a proliferation of technology. A subject interviewed for an MIT cybersecurity study described the reality in many hospitals:

“In our environment, we have about 800 families of medical devices. Most organizations have two or three dozen SCADA systems…. That’s an astonishingly high number. There’s no counterpart to that in education or finance.”

Departmental silos can create significant cybersecurity risks if they keep potential network entry points hidden.

A cybersecurity vulnerability assessment will help you identify weak points in your defenses. More than half the time, organizations that experience a data breach say that the breach originated with a known vulnerability they had not patched. An evaluation of your network for security deficiencies—including patch, code, and configuration issues at the application, system, and network levels—can also help set priorities for closing gaps, based on the likelihood of specific threats.

It’s also critical to assess the organization’s vulnerability to social engineering, in which attackers gain access to the network through human interaction. This includes on-location attempts, phone attempts, and the most well-known method, phishing. An 18-month study found that 91 percent of cyberattacks start with phishing. The same study found that healthcare was among the industries with the highest response rates to these attempts.

Network attack simulation can help you discover where the gaps lie. Sometimes called red team testing, this form of vulnerability analysis can test the effectiveness of your security team at identifying and responding to threats. Simulated social engineering attacks may take the form of emails asking recipients to provide usernames and passwords, phone calls to IT and customer support posing as a customer or employee, and even attempts to gain on-site access to the network, depending on the risks your facility is most likely to face. Social engineering testing in a simulated attack can reveal how successful your current policies and training are at preventing access to sensitive information.

Recognize the scale of a cyber attack’s impact on hospital operations

Given the proliferation of healthcare technology, a hospital may be surprised by the number of disrupted patient care and business functions. A full cybersecurity risk assessment should take into account the potential consequences of an attack across several domains.

Patient data

Given the cost of a data breach—an average $6.45 million for healthcare organizations—the exposure of Protected Health Information (PHI) will often rank high on the list of devastating impacts. While protecting patient data is an essential responsibility of healthcare organizations, equal attention should be given to issues that affect continuity of care and business operations.

Patient care

The first blog post of this series, Cyber Attacks in Healthcare Emergency Management, identified some potential disruptions to patient care caused by losing access to the EMR or being unable to trust EMR data. In many hospitals, however, the EMR is just the most visible component of patient care that is dependent on technology. Depending on the services your organization provides, there are likely many others. A hospital administrator described the extent of his organization’s dependence on technology this way:

“Frankly, I don’t know that outside of IT we gave it enough due prior to [the attack], until we realized how truly dependent we were on the tech functions that go on in the background. The example that I use when explaining it to other folks is, we were unable to appropriately wash and sterilize endoscopes because of the malware attack. You wouldn’t think that somebody affecting the computer would keep you from being able to do a colonoscopy.”

In some health systems, pharmacy ordering and dispensing is dependent on the IT network. Hospitals with a pharmacy robot system would likely need to shut it down at least temporarily for IT to clean it out, even if they were not locked out by attackers. The loss of scheduling data or applications is another potential impact that could make preparing for hospital procedures virtually impossible.

Facility operations

Cyberattacks have the potential to be as catastrophic as a hurricane when it comes to the physical environment in a hospital or healthcare facility. Security systems, temperature control, and ventilation systems may be at risk in many facilities. Cybercriminals have targeted power grids, and water treatment systems could also become the objective of large-scale cyberattacks.

While hospitals typically have plans for evacuation, alternate power sources, and similar needs, those risks are not commonly associated with cyberattack emergency planning. Digital threats differ from damages caused by storms and should be evaluated separately.

Business operations

Business operations are not the first thing most organizations think of in typical emergency management scenarios. Understandably, securing human safety and physical resources comes first. In a cyberattack, however, business operations are highly vulnerable, for two key reasons:

  1. Unlike severe weather or pandemics, cyberattacks often intentionally impede the means through which business functions are conducted.
  2. A cyberattack is a long-term emergency management scenario, disrupting business functions for weeks and even months.

As the hospital emergency manager quoted above noted, the length of a cyber disruption is especially problematic. Following a cyber attack, the most frequently reported time offline is one week, although resuming normal operations can take up to six months. One hospital administrator surveyed reported that they could not bill out or accept payments for almost two months. That represents a tremendous amount of inaccessible revenue. At the same time, they were unable to process timekeeping and payroll information.

Basic business communications can also be a casualty of a cyber attack. As another hospital administrator reflected:

“No email whatsoever—imagine in today’s world, no email. It was devastating.”

Obstacles to accurate cybersecurity risk assessment in hospitals

There is a lot the healthcare industry doesn’t know about the risks, vulnerabilities, and impacts of cyberattacks. Although attacks are common, hospitals are often reluctant to share information about their experiences. Under current policies, attacks are required to be reported only when medical or financial information has been compromised. Because many ransomware attacks lock data away from users or encrypt it, rather than steal it or expose it, hospitals often choose not to report them. As a result, information about one of the most common forms of cyber attacks is lost.

It is understandable when organizations that have experienced attacks are hesitant to report. Being branded as a victim in the news media may seem like a risk to reputation or revenue. However, the lack of reliable reporting on the frequency and impact of ransomware means that hospitals and other healthcare facilities are conducting risk assessments in the dark. Hospital administrators and IT representatives who have shared their cyber attack stories say that they were willing to do so because they believe sharing information will lead to better emergency preparedness for everyone.

One way to share information is the creation of a public data repository for cyberattacks, similar to the US Department of Health and Human Services Data Breach Portal. A public data source would allow any individual to access information on the size, location, and impact of past healthcare cyber attacks. Hospitals and health systems could then use that information to assess cyber attack risks realistically and develop effective protections. A more robust reporting requirement, one that closes the ransomware loophole, would make this database highly useful in the fight against cyberthreats.

Whatever the solution, it’s essential that more healthcare leaders participate in this conversation. Not only will the discussion help organizations understand their risk better, but it will help reduce overall risks to the healthcare system. As the MIT cybersecurity study concluded:

“On a macro level, the cyber vulnerability of a country’s hospital infrastructure is affected by the vulnerabilities of all the individual hospitals. In this large system, reducing variation in resource availability makes the whole system less vulnerable—a few hospitals with low resources for cybersecurity threaten the entire infrastructure of health care. In other words, hospitals need to move forward together to make the industry less attractive to cybercriminals.”

In the meantime, hospitals and health systems should perform risk assessments to the best of their capabilities, then use the findings to guide inclusion of cybersecurity mitigation and response in their hospital continuity of operations plan (COOP) and emergency preparedness program.

Learn more in the next blog post in this series, which covers specific steps to take for the prevention and mitigation of cyberattacks in hospitals and healthcare organizations.

Lauren Branch, Senior Analyst, LiveProcess, completed her doctoral research on the risk and impact of cyberattacks against healthcare organizations. She also has experience as a hospital emergency management planner and served on a command team that responded to a malware attack.