Benjamin Franklin was certainly not talking about 21st-century cybersecurity when he said, “If you fail to plan, you are planning to fail.” He did, however, describe the state of healthcare in 2018 when it comes to confidentiality, integrity and availability.
At this point, everyone in healthcare — from the registration desk to the Board of Directors — has seen the litany of reports and stories of security and privacy incidents ranging from an EMR outage to a ransomware attack. Everyone has seen the impacts, too, from disruption of clinical services to lost revenue, loss of trust, and damage to brand reputation. Finally, leaders at healthcare organizations, from physician practices to large multi-hospital systems, are starting to ask questions about how to deal with attacks or other cyber incidents.
Unfortunately, those questions may not help to ultimately solve the problem. Typically, the questions they ask are, “How do we protect ourselves and comply with all the regulations, and how do we keep from being the next headline?” The question they should be asking is, “How can we make good, rational decisions — both from a business and a clinical perspective given the risks we face?” Asking the wrong question will always result in getting the wrong answer.
Here’s a question people in healthcare should be asking, and how it might best be addressed: “Suppose we have a ransomware attack and can’t get to our data for an extended period. How do we keep things going?” Good question. Unfortunately, healthcare has historically looked to IT for the answer. The expectation is that IT will clean up all the infected machines, update the installed protections, restore the data from backups, and have everything up and running. That won’t happen in a few hours, or even a few days.
Relying on IT to fix the damage caused by ransomware also assumes that IT has the budget to run and test backups, keep those backups separated from the production network, and keep all the other network and system protections current, in place, and working. So, let’s say there is a budget in place for security and availability — because those systems and that data are how business is conducted today. Even then, recovery from this kind of attack can take several months. That raises the real question: “How do we keep things going in the meantime?” When CEOs or CFOs ask that question, they aren’t really talking about the doctors’ computers. They want to know how they will keep admitting and seeing patients, placing orders, providing care, dropping charges, paying bills, and keeping the business of healthcare going. IT will likely not have all those answers.
No matter how prepared an organization is, bad cyber things are going to happen, accidentally or intentionally. The best answer is to have an incident response plan that covers not only technical recovery but how the organization keeps operating while systems are down. It should be an enterprise plan, no matter how small or large the enterprise is. IT can handle the information technology, but clinicians will need to determine how to provide care when core systems are down. Yes, IT can help with any technology around that plan, but no one wants their physical exam delivered by the Help Desk, no matter how good they are with Microsoft Word. The finance people should be engaged in the plan as well, since bills and payroll still need to be paid and charges will still need to be collected and processed.
It may not be an attacker that takes down networks and systems. Power can be cut off. Buildings can flood or be badly damaged in storms. There was a time when charting, orders, even billing were done on paper; relocating was difficult, but it wasn’t necessary to restore computers, data, networks, and connectivity beyond the site of care. Today, healthcare is almost totally dependent on information technology to “keep the doors open.”
Healthcare does a great job practicing for emergency situations (bus crashes, chemical spills, even terrorist actions), but it does not practice for the cyber emergencies that are, honestly, much more likely to happen. It is time to start.
Organizations that don’t have an incident response plan need to develop a comprehensive, enterprise-wide one. The response can’t be just an IT issue. Organizations that do have a plan should review it regularly, or have a third party review it, to help assure that all the functions that could be impacted in a variety of incidents are covered. A plan, however, is only a document until it is tested. Organizations should run exercises using different scenarios that exercise every area that may be impacted — clinical operations, facilities, legal, IT, HR, and on and on. Incident response isn’t just for IT anymore.
David Finn is Executive Vice President of Strategic Innovation of CynergisTek.