Editor’s note: This article includes insights from Healthcare Dive’s recent live event, “How healthcare can prepare for cyberattacks.” You can watch the full event here.
Healthcare has never been more vulnerable to cyberattacks. A transition to digital medicine, utilization of electronic health records and an explosion of threat actors has made the sector ripe for attacks.
Cyberattacks don’t only take down online systems, they can also threaten patient care. As cyberattacks rise, hospitals must prepare for the worst, or risk compromising patient health and data. And, in addition to protecting patients, providers must ensure they’re complying with differing state and federal cybersecurity regulations, experts said during an event hosted by Healthcare Dive on Nov. 5.
They must face all this while navigating historic financial challenges in the sector, including low margins, federal spending cuts and high workforce turnover.
Here are four tips from experts on how hospital leaders can prepare for cyberattacks and what to consider when developing cyber plans.
Invest in recovery, not just prevention
While hospitals may not want to think worst-case scenarios, they should invest as much in recovering from cyberattacks as they do in preventing them.
Providers should focus on continuity plans for patient care and practice what it would look like to operate in “downtime,” or when internet systems are taken offline by cyberattackers, according to William Scandrett, chief information security officer at health system Allina Health.
“We have to spend as much time on recovery and operating in downtime as we do in prevention,” Scandrett said. “It’s like buying insurance. It’s really expensive … and if something bad happens, we’re really glad we had it.”
Hospitals should prioritize operations that must be recovered first, like those with life-or-death impacts on patient care. Prioritizing what to recover first in the event of a cyberattack allows organizations to get on the same page, and it can focus attention on mission critical areas, according to Heather Costa, director of technology resilience at the Mayo Clinic.
It also helps systems prioritize investments in the face of limited cyber budgets.
“You have to know what’s most important first, and that has to be aligned to the clinical and business needs,” Costa said.
Drill, drill, drill
Cyberattack response and preparation plans should be extensive and updated often. One of the best ways to ensure each organization has a prepared incidence response plan is to focus on training exercises, according to Joshua Justice, cyber threat intelligence manager at Health-ISAC.
Tabletop exercises, or discussion-based simulations, are one way to practice responding to a cyberattack, and it gives healthcare leaders insight into how each section of a hospital will respond. For example, IT teams, legal teams and administrative teams may have different responsibilities during a cyberattack.
Tabletop exercises allow each team to work out kinks in their response plan, and allow hospitals to develop contingencies that are holistic.
“One of the biggest mistakes that I see a lot of our clients make, especially when we first engage with them, is they think incident response is a linear process. It’s not, it’s a matrix process,” said Barry Mathis, managing principal of IT advisory consulting at PYA. “… the plan has to be multifaceted.”
Exercises also allow practitioners to demo how to document care on paper in downtime, or how to perform certain workflows or patient tasks without internet or the help of a computer.
Hospitals must get creative about these exercises and implement them sooner rather than later, or risk millions in recovery costs.
“If you’re sitting there listening to us talk about this and you’ve never practiced, now is a good time to start,” Mathis said.
Assessing risks from vendors
One of the biggest risks to healthcare organizations comes not from direct cyberattacks, but from threats to third-party vendors. As the sector has become more digital, hospitals increasingly contract with outside organizations for claims processing, remote patient monitoring, electronic health records and other workflows.
The interconnectedness can open the door to cyber threats, and an attack at a third-party vendor can compromise providers.
Organizations should conduct cyber due diligence on their vendors before contracting with them. Sanjeev Sah, SVP of enterprise technology services and CISO at Novant Health, said the health system looks at multiple potential vendors and scores them based on their operations and past incidents.
“What is their mechanism for monitoring? How do they ensure that their security practices are sound? We look at all of these elements before we engage with the partner,” Sah said.
Vetting vendors is particularly important in the age of artificial intelligence. New companies seem to be created “out of the blue,” but providers need to ensure they’re still carefully vetting these companies, according to Allina’s Scandrett.
Navigating differing regulations
In addition to managing the fallout from a cyberattack, hospitals must also navigate state and federal regulations for reporting and data security. Providers must ensure they’re complying with federal law — mainly from the Health Insurance Portability and Accountability Act — but also state regulations.
Hospitals need to make sure they’re on top of their reporting requirements, or risk falling behind after a cyber attack, said Pavel Slavin, CISO of Endeavor Health.
“It complicates quite a bit … even if we deal with federal government or state governments, there are certain expectations that are set on you as an organization, how you interact with certain companies, certain organizations,” Slavin said. “So you do need to create something that’s manageable.”
Healthcare organizations may also need to contend with additional regulations from vendors. Contracts between vendors and organizations may mean hospitals need to report cyberattacks earlier than they need to report them to regulators.
Still, providers need to ensure that their organization is protected from cyberattacks, beyond the bare minimum that regulations mandate.
“I think one of the most common things that everybody gets wrong, is that they think compliance is security, or security is compliance,” Slavin said. “They’re not synonymous.”
