One common denominator in the healthcare cybersecurity gap across clinics and hospitals, rural or urban, is the need for a fundamental change in the approach to cybersecurity if these facilities want to be more effective in today's dynamic and dangerous threat climate.
Cybercrime needs to be treated like the worst-case scenario. When your teams are triaging a catastrophic event, say a fire or a tornado, what are they doing before the victims come into the ER or clinic?
Are they sitting around thinking that all they'll need are a few bandages from a jar on the shelf? More likely they are mentally and physically preparing themselves for a very long shift that will demand their complete attention at every last moment.
At the very least, they are preparing for the worst. This is where cybersecurity approaches need to go: prepare for the worst-case situations, and make sure everyone on your team understands what that means. Everyone needs to have seen and felt, even if only through stories or practice drills, what a cyberattack is like. Only then will they understand where a single click might take them and your facility.
We always start our discussions with hospital and clinic CEOs by preparing them for the worst-case situation, because that situation is the one we are working day and night to prevent. If you and your staff are prepared to confront the most devastating security breach or attack, then you are equipped to handle the lesser attacks that fall in between with a clearer head.
Industry research indicates that, as things stand today, hospitals and clinics are ill-prepared to deal with an event, even a small attack. We previously mentioned that nearly 83% of CEOs have nothing in reserve to cover the expenses of a cyberattack. To add insult to injury, the majority of cyber insurance policies will not cover the majority of attacks hitting facilities today. Insurers decline claims either by invoking an act-of-war exclusion (nation-state attackers are not covered under their policies, even though they represent a huge share of attacks) or by asserting that your facility claimed to have more security in place than it actually did (in our ransomware vulnerability assessments we can tell you whether you are meeting the security requirements written into your insurance policy's contract).
Our findings, from assessing nearly 20 facilities in any given month, are that clinics and hospitals alike lack a proper plan outlining how they will react in case of a cyberattack (we have found this number to be alarmingly close to 65%). We have also found that 49% of facilities don't have a cybersecurity strategy in place at all. In a recent survey, nearly 35% of clinics and hospitals didn't even have an incident response plan for cyberattacks (even though we all know these attacks are happening right now at facilities just like yours).
These statistics show that many are simply relying on their teams to improvise if something were to happen. How well do you think people act in crisis mode when given nothing more than the fact that their computer networks are completely shut down? That the EHR system has locked your entire staff out? How well can your IT or compliance teams deal with all of the chaos plaguing your facility with no plan?
When your local hospital deals with a crisis situation, say a major car accident that brings ten people into the ER, does it have protocols in place to assess who is most in need of critical care? Who might need to be airlifted to a facility with more sophisticated equipment or expertise? Does it have checklists to make sure the ER staff working in such an intense situation do everything necessary and possible to give the most comprehensive care they can? I'm sure you're nodding your head to these questions, or at least thinking a 'yes' answer.
So why not have the same for a cybersecurity crisis? A plan under which every critical function (medication history, treatment regimens, medical records, billing, to name just a few of the things affected) can continue to operate, if not at full steam, then at least in a degraded mode that keeps your hospital working and effectively treating patients.
Failing to properly deal with a cybersecurity incident might mean shuttering your doors and, even worse, risking patient lives. Your organization's prospects of survival after a major security breach or attack are dismal: 53% of facilities stop being profitable within one month, and only a third are able to keep their lights on three months post-attack.
Even under these conditions, there is one thing that could drastically improve a clinic's or hospital's ability to survive an attack. It's the same thing that can keep you from losing your house in a flood: a relevant insurance policy. But as I mentioned earlier, simply having a policy is NOT good enough. You need to ensure that you are following the security standards outlined in your policy. If there is even a hint of non-compliance by your facility, realize that the insurance company will make every effort to disprove the validity of your claim. They will go over your facility with a fine-toothed comb before handing over a check. You might be up a creek without a paddle if you haven't heeded their security standards.
And on top of all else, how likely do you think it is that the insurance company will reimburse you for everything? Lost procedures due to a shuttered facility, for instance: note that ransomware remediation takes about three weeks to complete in a small rural hospital. How much will you lose simply because your people cannot work? Will you continue to pay them during your downtime? I'm sure you'll be torn. Learning that the cyber policy might pay only pennies on the dollar of the expenses and losses incurred during your cyber incident will dishearten anyone. Let me repeat what I said earlier: there is no silver bullet. A policy is not going to completely protect you. Neither is shiny technology. This epidemic of cyberattacks is not going away, because governments have no easy way of shutting it down; trust me, they have tried again and again. And every single time, bad guys are getting into networks and causing enough damage to shutter facilities and ruin entire communities. There is no easy way to address everything that's happening in cyberspace with your head buried deep in the sand.
If this discussion so far has left you disheartened, with a bad taste in your mouth (and maybe a realization that your mouth tastes a little sandy), keep reading for a guide to improving your cybersecurity disaster preparedness, covering data backups, cybersecurity insurance, continuity planning and disaster recovery.
You will also learn the secrets of outsourcing security to cybersecurity experts (as long as you persevere to the end of the book): how you can afford to hire an expert chief security officer and a team of vigilant security specialists, with skills on a par with those of the Department of Defense or FBI, at pennies on the dollar.