A common denominator in the healthcare cybersecurity gap across clinics and hospitals, rural or urban, is the need to make a fundamental change in the approach to cybersecurity if they want to be more effective in today’s dynamic and dangerous cyber climate.
Cybercrime needs to be treated like the worst case scenario. When your teams are triaging a catastrophic event, say a fire or a tornado, what are they doing before the victims come into the ER or clinic?
Are they sitting around thinking that all they’ll need are a few bandages from a jar on the shelf? Probably they’re mentally and physically preparing themselves for a long shift that will consume their complete attention at every moment.
They are certainly preparing for the worst at very least. This is where cybersecurity approaches need to go. Prepare for worst case scenario. Everyone on your team should understand what that means. Everyone needs to see and feel—even if it’s through stories or practice drills—the experience what a cyberattack is. Only then will they understand where a click might take them and your facility.
We always start our discussions with hospital and clinic CEOs preparing them for the worst case scenario because that is the one we are working day and night to prevent. If you and your staff are prepared to confront the most devastating security breach or attack, then you are equipped to handle the lesser attacks that fall in between with a clearer head.
Industry research indicates that as of today, hospitals and clinics are not prepared to deal with even a small cybersecurity event. Nearly 83% of CEOs have nothing on reserve to cover the expenses of a cyberattack.
And to add to insult to injury, the majority of cyber insurance policies will not cover the majority of attacks hitting facilities today. Either claiming an act-of-war (nation state attackers are not covered under their policies even though they represent a huge chunk of attacks) or that your facility claimed they had more security in place than they actually do (in our ransomware vulnerability assessments, we can tell you whether you are abiding by the security expectations of your insurance policy’s contract).
Our findings, from assessing nearly 20 facilities in any given month, show that clinics and hospitals lack a proper plan outlining how they will react in case of a cyberattack (we’ve found this number alarmingly close to 65%!).
We’ve found that 49% of facilities don’t even have a cybersecurity strategy in place at all. In a recent survey, nearly 35% of clinics and hospitals didn’t even have an incident response plan to deal with cyberattacks (even though we all know these attacks are happening right now to facilities just like yours).
These statistics show that many organizations simply rely on their teams to improvise if something were to happen.
How well do you think people act in crisis mode when given nothing else than the fact that their computer networks are completely shut down? Their EHR system locked your entire staff out of their systems? How well can your IT or compliance teams deal with all of the chaos plaguing your facility without a plan?
When the local hospital deals with a crisis situation—say a major car accident that brings ten people into the ER—do they have protocols in place to assess who is in most need for the most critical care? Who might need to be airlifted to a facility with more sophisticated equipment or expertise?
Do they have check lists to make sure the ER staff working in such an intense situation do everything necessary and possible to give the most comprehensive care possible? I’m sure you’re nodding your head to these questions or at least thinking ‘yes’.
So, why not have the same for a cybersecurity crisis? Where every piece of data—medication history, treatment regimens, medical records, billing (just to name a few things that could be affected)—can continue to operate, if not at full steam, at least in a critical mode to keep your hospital working and effectively treating patients.
Failing to properly deal with a cybersecurity incident might mean shutting your doors or, even worse, risking patient lives. Your organization’s prospects of survival after a major security breach or attack are dismal: 53% of facilities stop being profitable within one month, and only a third are able to keep their lights on 3 months post-attack.
Even under these conditions, there is one thing healthcare facilities could do to drastically improve a clinic or hospital’s ability to survive an attack. It’s the same thing that can keep you from losing your house during a flood: a relevant insurance policy.
But as I mentioned earlier, simply having a policy is NOT good enough. You need to ensure that you’re following the guidelines outlined in your policy for security standards. If there is even a hint of non-compliance by your facility—realize that insurance companies will expend a lot of effort to disprove the validity of your claim. They will sweep your facility with a fine-toothed comb before handing over a check. You might be up a creek without a paddle if you haven’t complied with their security standards.