Maintain Situational Awareness for Continuity of Operations During a Hospital Cyber Attack

Feb 4, 2020


Cyber attacks are becoming more frequent and more costly. Accenture estimated that between 2015 and 2020, cyber attacks would cost US health systems $305 billion in revenue and affect 1 in 13 patients. A single cyber attack can be a multi-million-dollar expense.

One takeaway for healthcare organizations: increased spending on cybersecurity is inevitable. Organizations should invest in both hardening their defenses against cyber attacks and ensuring situational awareness and preparedness procedures are in place for an effective business response. Every facility’s cybersecurity program will be different but should consider some key areas.

Steps to prevent or mitigate hospital cyber attacks

First things first: most hospitals and health systems need to invest in stronger and safer IT infrastructures. The obstacles are significant: lack of available funding, limited number of cybersecurity professionals, and the rapid rate of change in both healthcare information technology and the corporate structure of healthcare organizations. Nevertheless, as healthcare IT infrastructure ages, failing to upgrade could have disastrous consequences.

More actions to reduce the likelihood or severity of a cyber attack include:

Limiting network access

Too often, once an attacker has gained administrator access, they can go anywhere in the network. Some hospitals have begun to structure their networks so that penetration through one barrier or into one area does not mean gaining access to all areas. Creating different tiers of security allows organizations to provide additional protection to the most sensitive information. For example, at the most secure tier, data might be accessible only to someone who has both the correct permissions and is on the premises. The next tier would contain EMR and clinical data that could be accessed remotely only through heightened security measures, such as two-factor authentication. Less sensitive data could be accessed with fewer restrictions.

Access can also be limited by roles, using categories such as department, title, facility, and other attributes. 
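The tiered and attribute-based rules described above can be written as one deny-by-default decision function. This is an added illustration, not code from the article or from any product; the tier numbers, attribute names, and sample resources are assumptions made for the example.

```python
from dataclasses import dataclass

# Tier numbering is an assumption for this sketch:
# 1 = most sensitive, 2 = EMR/clinical data, 3 = less sensitive data.
@dataclass(frozen=True)
class Resource:
    name: str
    tier: int
    required: dict  # attribute -> set of accepted values, e.g. {"title": {"nurse"}}

@dataclass(frozen=True)
class Request:
    attrs: dict        # requester attributes: department, title, facility
    on_premises: bool  # request originates inside the facility network
    mfa_passed: bool   # two-factor authentication completed for this session

def decide(req: Request, res: Resource) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    # The role/attribute check applies at every tier.
    for key, accepted in res.required.items():
        if req.attrs.get(key) not in accepted:
            return False, f"attribute mismatch: {key}"
    if res.tier == 1:
        # Most secure tier: correct permissions AND physically on site.
        if not req.on_premises:
            return False, "tier 1 requires on-premises access"
    elif res.tier == 2:
        # EMR/clinical tier: remote access only with two-factor authentication.
        if not req.on_premises and not req.mfa_passed:
            return False, "tier 2 remote access requires two-factor authentication"
    elif res.tier != 3:
        return False, "unknown tier"  # fail closed on misclassified resources
    return True, "ok"

# Constructed sample resources and requests (not real systems or users).
KEY_STORE = Resource("backup-encryption-keys", 1, {"department": {"it-security"}})
EMR = Resource("emr-charts", 2, {"title": {"nurse", "physician"},
                                 "facility": {"main-campus"}})
CAFETERIA = Resource("cafeteria-menu", 3, {})

nurse_attrs = {"department": "icu", "title": "nurse", "facility": "main-campus"}
admin_attrs = {"department": "it-security", "title": "admin", "facility": "main-campus"}
remote_nurse = Request(nurse_attrs, on_premises=False, mfa_passed=False)
remote_nurse_mfa = Request(nurse_attrs, on_premises=False, mfa_passed=True)
remote_admin_mfa = Request(admin_attrs, on_premises=False, mfa_passed=True)
```

Note that the remote administrator is refused at tier 1 even with two-factor authentication, which is the property that keeps a stolen administrator credential from reaching every area of the network.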

Reducing duplicate applications

Duplicative technology can happen for many reasons. After a merger, it may take time to integrate the data and technology of two or more business entities. Software may be upgraded in some areas but not others, especially if old hardware is still in use selectively. In larger organizations, departments may make purchases independently.

A Gartner analysis of health IT usage estimated that “healthcare provider CIOs have technology portfolios typically running into the range of 300 to 450 applications, and technologies used by the [Healthcare Delivery Organization], with many that are obsolete, overlap with others and have small user populations.” A cybersecurity risk assessment that aims for visibility across your organization should identify these instances. Streamlining technology usage will simplify IT efforts to ensure that everything is safe and protected.

What about cybersecurity training?

Among organizations that fall victim to ransomware and other cyber attacks, phishing is one of the most common entry points. That makes training essential. However, while increasing staff training on best practices to prevent credential theft is a logical response, it falls far short. Only one person needs to make one mistake for a phishing expedition to be successful. No training program can beat the odds of one person out of hundreds, or even thousands, making one costly error.

Keep in mind that your staff are not the only people accessing the internet while within your facility. Patients, their family and friends, and vendors arrive with mobile phones, tablets, and laptop computers. Patients are often connected to networked medical devices that provide another access point, one that is not always well controlled.

Free samples of medical equipment are sometimes offered directly to clinicians by device manufacturers, which bypasses management and IT vetting. According to a hospital executive interviewed for a recent MIT study:

“There’s a whole underground procurement process whereby medical device vendors approach clinicians and give them lots of stuff for free, and then a year later we get a bill for it. That’s a unique quality of working in a hospital.”

In short, while training staff on cybersecurity best practices is essential, it is just one part of an overall cybersecurity strategy.

Plan to Maintain Continuity of Operations in a Cyber Attack

Cyber-specific plans for emergency operations (EOP) and continuity of operations (COOP) should be part of your emergency preparedness plans. Yet in a recent survey of emergency managers and IT professionals, barely 10 percent of respondents had a COOP that could be used for a cyber attack. Though each facility will have different needs, the following are some essentials:

Maintain pervasive organization-wide situational awareness

Coordinating an effective response depends on understanding how a situation is evolving and the roles played by responders. A cyber attack scenario is likely to evolve quite differently from other emergencies and involve different personnel. The Center for Disaster Medicine noted that a Hospital Incident Command System (HICS) and IT leadership can operate in silos during a major downtime event, with “clinical/operational information and actions managed within the HICS structure, but IT information and decision-making being managed within a parallel system.”

Solutions such as a cyber-specific incident command structure can help individual responders harmonize their activities. Other healthcare organizations have created a secondary IT-specific incident command team (ICT) with a broad base of IT professionals. This ICT has an open conference line to the main hospital command center, which focuses on administration and patient care.

Prepare for downtime

Most healthcare organizations have contingency plans for EMR downtime, which are required under HIPAA. Nevertheless, when a cyber attack leads to long-term downtime, many hospitals feel unprepared for the scale and breadth of the impact. A cybersecurity risk assessment can help identify all of the capabilities that could be lost, all at once, ranging from data protection to patient care, facility operations, and business operations.

At least for a time, most facilities must revert to pen and paper records for everything from patient charting and medication orders to laboratory results, radiology results, and employee timekeeping. Don’t underestimate the challenge this could present. Younger staff may have little to no familiarity with working on paper. In those cases, veteran staff can be helpful mentors. As one IT stakeholder at an attacked hospital explained,

“Some of the employees that had worked in healthcare long before we had the electronic arena … were able to help many of the team members who had basically grown up with electronic [health records]…. They were able to show them there are other ways you can do the same thing.”

Provide backup communication and documentation

A backup communication system is an essential part of hospital emergency management, but it is especially critical for cyber attacks, when hospital communication through normal channels could make things worse. An alternative method for hospital communication should provide most or all of the following:

    • Quick mass notifications: An instantaneous message to the entire organization via an alternate channel can stop people from turning on computers and prevent the spread of a virus.
    • Reach within and beyond your facility: Connecting with people offsite and across departments will be key to situational awareness and response coordination.
    • Offline document and database storage: Searchable emergency contact information, downtime procedures, and other necessities could be unavailable on your network. While paper copies are useful, an alternate electronic method of retrieval will make them more widely accessible.

For example, one of our customers was able to keep employees, contractors, and hospital leaders connected using their mobile devices and home computers during a ransomware attack. The hospital initiated its emergency management plan including a shared event log and a virtual situation center to communicate during the event and used mass notification and response for regular full-staff updates.

Creating a Culture of Cybersecurity Awareness

For most hospital staff, cybersecurity is not on the list of their job functions. As a result, actions or processes that take time away from the tasks of caregiving and hospital administration may not be welcomed warmly. We know that when clinicians believe logging into a particular device or portal will delay the provision of care, they will cut corners with the technology rather than do something they fear might shortchange a patient.

Providing education on the importance of cybersecurity is a first step. Showing clinicians how patient care would be interrupted or endangered may be more motivating than emphasis on HIPAA rules. Some hospitals use new staff orientation as an opportunity to provide guidance on safe cybersecurity practices. In addition to teaching staff to recognize suspicious requests for information or interaction, organizations should encourage rapid reporting. Notifying IT allows the organization to put the whole organization on alert to block further attempts.

Drills and exercises specifically targeted for cybersecurity prevention and response will build awareness and develop fluency with processes. For example, hospitals can run phishing drills, sending a mock phishing email to test how many staff members will click on a suspect link. Susceptibility to phishing email drops by nearly 20 percent after a single failed simulation, so improvement is possible. Those who responded to the phishing email can receive continued education on the need to be cautious when clicking links or opening attachments.

Cyberthreats are among the hazards named in the CMS emergency preparedness rule, making a cyber attack drill suitable for the testing exercises required for compliance. Through either a tabletop or full-scale exercise, staff can gain further comfort and speed with both initial mitigation actions and procedures for continuity of operations.

Prioritizing resources for cybersecurity

The ROI for cybersecurity is high. Investments in cybersecurity reduce revenue loss and lower recovery expenses that could easily total in the millions.

While the first hospital ransomware attack netted $17,000, ransom payments are shooting up. In June 2019, an Ohio urology practice reported that they paid $75,000 in ransom. That same month, the city of Riviera Beach, Florida, paid $600,000 after criminals encrypted their records and disabled email and phone systems. Given the increasing popularity of healthcare as a target, it’s reasonable to expect hospitals to face growing ransom demands.

Still, the ransom is likely not the most expensive element of the event. A Coveware analysis concluded that downtime costs are typically 5 to 10 times the actual ransom amount. If a cyber attack leads to a data breach, that creates other costs, such as HIPAA penalties and possibly patient claims. A 2019 IBM study found that lost business was the largest of the major cost categories contributing to the total cost of a data breach. That cost persisted for multiple years after the breach. The study also found that healthcare organizations had more difficulty than other industries in retaining customers after a breach—nearly twice the average turnover experienced after a data breach among all sectors.

In short, the facts make a strong business case for investments in cybersecurity preparation, including both preventative measures and effective response procedures. With patient safety and the environment of care at risk, the time has come to prioritize healthcare cyber attack readiness.

Our solutions

LiveProcess Emergency Manager is a proven system for emergency preparedness planning, mass notification and mobilization, real-time coordination and tracking. Hospitals and health systems, ambulatory centers, skilled nursing facilities, long-term care organizations, home health agencies, and public agencies use Emergency Manager to prepare for and respond to disaster events and for everyday disruptions.

All LiveProcess solutions support pervasive situational awareness in hospitals every day and during disruptive events.

Lauren Branch, Senior Analyst, LiveProcess, completed her doctoral research on the risk and impact of cyberattacks against healthcare organizations. She also has experience as a hospital emergency management planner and served on a command team that responded to a malware attack.