It’s heartbreaking, frightening and infuriating to realize that with a stroke of an enter key a hacker thousands of miles away can shut down access to critical care. And it’s not a question of “IF”, but only a question of “WHEN” this will affect your organization.
So what must healthcare leaders direct the organization to do to prepare for ransomware attacks?
The Sober Reality
At best, a ransomware attack is scary, frustrating, embarrassing and infuriating at the same time. As we understand by now, it only takes one malicious email and one inadvertent click to shut down the mission-critical IT systems of a whole health system.
It’s scary, since the extent to which the attackers have control over the systems is initially unknown. And it’s very frustrating for staff to experience how dependent we’ve become on technology and how helpless we are without it.
A cyberattack is embarrassing, because despite the precautions taken, it still happened and the media and regulators only see the impact and not the result of the many preventative measures that did work.
And finally it’s infuriating because healthcare is in the business of saving lives and helping people and with the attack, the hackers are showing an utter disregard for human decency.
At worst, however, people’s lives are harmed. While in the US reports of patient harm are hard to come by, in one case earlier this year in Germany a patient reportedly died after having to be rerouted to a different emergency room after a health system was hacked.
3 Must-Dos to Prepare
The best strategy to prepare for a cyberattack is obviously to minimize the chances of it occurring. But it’s often a cat and mouse between IT staff’s vigilance and the hackers’ creativity, especially since the majority of breaches start with social engineering through malicious links and innocuous-looking forms.
What we propose is a 3-pronged approach that addresses not only the technology (who has not grown tired of the endless warnings that “this email did not originate from within your organization”?), but also puts in place viable processes and procedures to ensure that care can continue when systems are down.
What all three actions have in common is that it’s not just about process or planning but about changing the culture, by creating a system that gets the results we want, which is continuous vigilance.
ACTION 1: Continuous Technical Vigilance
While by now many health IT organizations have implemented counter measures (warnings on links in email, updated virus scanning, etc.) it is the lack of periodic reviews and updates that over time can create vulnerabilities.
In order to stay on top of the increasingly sophisticated attacks, we strongly recommend the engagement of an outside firm to provide an initial and periodic assessments of potential vulnerabilities on a weekly, bi-weekly, monthly, and quarterly basis.
The key here is that this is not a one time or annual process, but an ongoing activity that must be data driven (e.g., measuring and analyzing the trends of averted attacks, “near misses”, etc.)
ACTION 2: Business Continuity Planning
What is important to realize is that it is these days not a question of whether your organization will be attacked, but rather when. From a hacker’s perspective, any email of any employee of any organization is fair game, regardless of industry, location, or size.
Business Continuity Planning has been around for decades and for scenarios of massive outages, floods, hurricanes, mass casualties, and other “acts of gods” most organizations have good contingency plans in place (for the most part). In most contingency scenarios, however, access to the technology infrastructure and systems is often assumed as still being possible.
Thus a Business Continuity Plan for a vast system outage needs to look at non-digital work arounds, such as paper documentation, as well as new “rules of patient care” (like the ones that were initiated during the Covid-19 crisis, such as merely checking in with patients and providing refills).
Best practices are often best identified by the organization’s staff; however, an outside expert with experience in developing work arounds for systems outage can provide new, non-obvious ideas, jump-start the process and provide facilitation and drive to bring the project to completion.
Similar to technical vigilance, Business Continuity Plans need to be periodically reviewed and updated, at least quarterly, as new systems are implemented.
ACTION 3: Culture Change
What is truly needed though, as the most effective front line defense, is a cultural change in the awareness around protecting sensitive data and the risks of “digital behaviors”.
While oftentimes training for new employee covers these areas, training for cybersecurity is seldom administered more than once a year.
On average, in the US, when an EHR goes down due to cyber attack, it is down for 15 days. That means 15 days of subpar medical care, 15 days of significantly reduced volume and thus, revenue and profits. A small health system with $365M revenue could lose up to $1M in revenue a day if they have to completely shut down.
It, therefore, has to be blatantly obvious to staff, leadership, interns, temps and contractors, that “one click could cost you $15M”. Most staff “assume” that safeguards and measures are in place, or that “surfing in an incognito browser” will save them from being “hacked”. People’s lack of insight as to the inner workings of technology is one of the biggest current vulnerabilities.
Finally, it’s not just a one-time education that is needed, but a periodic, frequent illustration and demonstration of the dangers, e.g., using news reports on similar organizations’ plight with ransomware attacks.
Leadership and Accountability
We are living in unprecedented times and cyberattacks are on the rise and will continue to increase for years to come, especially with the increase of telework. One would hope that criminals would stop short of impacting those who serve others in need, but when your computer is one or two oceans away, the email address and IP address and network login password are just simple data points (not sick patients in beds).
What is needed to make this — mostly cultural — shift happen, is clear leadership and continuous accountability. The ultimate responsibility lies with the CEO and it is the accountability to see proof of the periodic or continuous attention across all 3 actions, that will best protect the organization for years to come.
Telehealth Tuesday Inquiry: What has your organization put in place to defend against cyber-attacks? What periodic processes have you put in place to stay vigilant?
Let me know in the comments below or send me a note using the information below.
Christian Milaster optimizes Telehealth Services for health systems and physician practices as Interim Telehealth Program Director. Christian is the Founder and President of Ingenium Digital Health Advisors where he and his expert consortium partner with healthcare leaders to enable the delivery of extraordinary care.
Contact Christian by phone or text at 657-464-3648, via email, or video chat.