Healthcare Under Attack: Building Resilience in the Face of an Aggressive Cyber Threat

Healthcare organizations are uniquely vulnerable to hackers and are subject to more than their share of cyberattacks. In today’s post, we’ll look at the measures hospitals and other facilities that care for patients can and should take to improve their resilience in the face of the rising threat.

Related on MHA Consulting: Be Ransomware Resilient: Know How to Operate Manually

A Healthcare System Under Attack

Last month, the U.S. medical infrastructure was subject to what the American Hospital Association called “the most significant and consequential cyberattack on the U.S. health care system in American history.”

A company called Change Healthcare, which is the largest electronic clearinghouse for medical insurance payments in the country, was struck by hackers who stole patient data and encrypted company files, demanding payment to unlock them. The organization was forced to shut down most of its networks, interrupting prescription payments and authorizations.

According to the hospital association, 74 percent of hospitals report direct impact on their patients as a result of the hack. A financial impact was reported by 94 percent of hospitals.

Currently, Change Healthcare and other affected organizations are scrambling to come up with manual workarounds for the impacted processes.

Meanwhile, the FBI reports that, out of 16 critical infrastructure sectors, the healthcare sector submitted the most complaints about ransomware attacks in 2023 (FBI Internet Crime Report 2023, p. 13).

Hackers consider the healthcare sector a juicy target because of the sensitivity of people’s personal health information and the unique vulnerability of organizations where an interruption in service can cost people their lives.

These events make this an ideal time to talk about the cyber threats healthcare organizations face and the steps they can take to be more resilient in the current challenging environment.

Two Types of Attacks

Looking at the issue of healthcare cybersecurity from the business continuity perspective, there are two types of attacks to consider: data breaches and ransomware attacks.

In a data breach, an attacker breaks into the system and steals data such as patient health or credit card data. The attacker will then attempt to monetize the data by ransoming it back to the victim, selling it to another criminal group, or exploiting it in some other way.

In a ransomware attack, hackers gain control of the organization’s systems, encrypt its data, and offer to (in a typical scenario) provide the key that will decrypt the data in exchange for a payment.

Let’s look at each of these types of attacks through the lens of how they might affect a healthcare organization.

Being Ready to Face a Data Breach

The following are some points to consider about data breaches at healthcare organizations:

• Organizations that suffer data breaches of Protected Health Information (PHI) regulated under the Health Insurance Portability and Accountability Act (HIPAA) can face severe legal and reputational consequences, including fines, penalties, and lawsuits.
• Data breaches generally do not affect day-to-day operations.
• Once the data is gone, it’s gone.
• Preventing data breaches is primarily the responsibility of the information security and IT departments.
• The business continuity (BC) office can contribute to the prevention effort by promoting good cyber hygiene through staff training and testing (and making sure consequences are imposed on promiscuous clickers).
• For the most part, the BC office’s role with regard to data breaches is helping making sure the organization is prepared to respond to one if it occurs.

The BC team’s work in making sure the organization is prepared for a data breach includes the following:

• Ensuring the overall crisis management plan addresses responding to a data breach.
• Developing a clear picture of what kind of sensitive data the organization possesses and where it is located.
• Ensuring that the needed advance coordination has taken place with relevant teams such as public relations, legal, insurance, and communications.
• Ensuring that advance scripts for responding publicly to a data breach have been drafted and approved.

Coping with a Ransomware Attack

With regard to ransomware attacks, BC practitioners at healthcare organizations should consider the following:

• From an operational standpoint, the impact of a successful ransomware attack is a partial or complete loss of the organization’s computer systems and network.
• The technical security measures needed to protect against ransomware attacks are the responsibility of other departments, but the BC office can contribute by making sure such measures are in place.
• The BC team can help by ensuring that any third-party plug-in utilities in use meet the organization’s security standards.
• The BC office’s primary role with regard to ransomware attacks is ensuring that the organization is prepared to carry out its mission-critical processes manually—for an extended period of time—in the event such an attack disables the network.
• “An extended period of time” means not a few hours but days or weeks.
• At modern healthcare organizations, data and requests are normally accessed and transmitted seamlessly among departments through electronic networks.
• In devising workarounds, the organization must come up with ways to perform the most mission-critical functions manually, without the aid of the network.
• The need to develop these workarounds is probably the most important thing we can talk about when it comes to healthcare and cyber events.
• In thinking about which workarounds are required, the BC office should consider all the departments that contribute to patient care—surgery, nursing, lab, imaging, supplies, environmental services, pharmacy, and so on—and devise manual substitutes for the mission-critical actions they normally perform through the network. This is not a single conversation, but requires thought and input from those who will perform the functions.
• Don’t forget payroll and critical finance functions (accounts payable and receivable), depending on the organization’s financial position.
• Manual workarounds typically involve paper, telephones, and lots of human runners.
• People who are unable to do their jobs because the system is down, and who are not critical to patient care, can make excellent runners.
• In devising workarounds, a good place to begin is the three or four systems whose failure would require the hospital to move patients to other facilities, such as the nurse call system.
• Keep in mind that for younger clinical staff, doing manual charting is likely to be a new experience.
• Don’t forget to work out a way for radiologists and other physicians to read images (since they do not typically do so at the imaging devices).
• Other things you’ll need workarounds for: managing patient inflow, ensuring the safety of child patients, tracking employee hours, and paying people

For most people, just thinking about devising the workarounds needed to keep a hospital functioning in the absence of the network is scary. This is not one of those things where you sit down and sort out in a few hours. It’s a huge job. Some organizations we know have made good progress by putting their other projects on hold and working on this steadily for a year.

One thing you don’t want to do is trust to working things out on the fly. As Change Health has discovered, that is a painful way to go—and they don’t even have front-line responsibility for patient health and safety.

Developing Robust Manual Workarounds

The recent ransomware attack on Change Healthcare highlights the grave threat cybercriminals pose for the healthcare sector. The two kinds of events healthcare organizations should be most concerned about are data breaches and ransomware attacks that render the organization’s computer systems unusable.

For the most part, responsibility for preventing such attacks lies outside the BC office. However, BC practitioners have a critical role to play in ensuring their organizations are prepared to respond to data breaches and to extended system outages. In this context, perhaps the most important thing BC offices can focus on is ensuring their organizations develop robust manual workarounds for their critical patient-care activities.

Further Reading

• Get Well Soon: 9 Ways to Make Hospital BCM Programs Healthier
• How Hospitals Can Heal Their BCM Programs
• Be Ransomware Resilient: Know How to Operate Manually
• How to Help Your Organization Get Through a Ransomware Attack
• “Pay Up or Else”: How to Be Ready for a Ransomware Attack