
Building Your Hospital’s Cybersecurity Response Plan


I’m not going to sugarcoat this. Being hit by a cyberattack is going to be painful. Painful enough that team members might quit and others might break down in tears, mainly because no one can get work done, which becomes a BIG deal when you’re working in a hospital setting.

We’ve had to remediate hospitals after ransomware, and I can tell you this: none of them would wish it on their enemies. It’s just too painful to revisit (many still have PTSD from having their entire network down, including their EHR system, with no way to effectively treat patients whose medical records are now stored electronically).

When it comes to cyberattacks on rural hospitals, there’s no debating the facts: attacks are getting more sophisticated, frequent, widespread and costlier than ever.

In 2015, the costs of cyberattacks in the US were nearing the trillion dollar mark. By 2021, that number is expected to double. In effect, cybercrime has become the most lucrative criminal profession worldwide. More criminals are turning to US healthcare because they know healthcare data is valuable. Rural healthcare is particularly vulnerable because it’s hard to find enough qualified IT security professionals ready and willing to protect hospitals and clinics in these areas (you are becoming the low-hanging fruit for cybercriminals).

And there are some very smart leaders in rural hospitals who simply don’t see a cyberattack as a real possibility. Their expertise lies in keeping the lights on, the doctors happy, and the community well cared for. They have to make tough decisions about budgets and need to weigh the real threats to their hospital operations against idle threats that may never materialize.

I certainly understand these considerations. I grew up in rural Michigan, where at times my family had to make hard choices between what we really needed (warm clothes and food on the table) and things that might be nice to have but weren’t necessary right now (a new pair of skis). You might be thinking that well-oiled IT systems and cybersecurity fall into the nice-to-have category, and frankly, 10 or 15 years ago, I would have been forced to agree with you.

But in today’s climate, cyberattacks are not just a possibility; they are an inevitability. And yet, even when IT directors are aware of HIPAA penalties and know that threats are out there, it is a hard business case to make to the hospital board: spend hard-earned community money on things that are difficult to see tangibly, to prepare for incidents that may have hit a half dozen hospitals in the past month but haven’t struck yours yet.

Having well-protected hospital infrastructure with requisite safeguards is vital—not just in technology but in people and process.

When a cyberattack (heaven forbid) strikes your hospital, how will your staff handle the incident and the fallout that will most certainly follow? In this type of situation, every second counts. Preparation may mean the difference between life (continued treatment of patients) and death (hospital-wide paralysis because no one is equipped to deal with the attack).

Today, I want to walk you through a few mistakes others have made to help you focus on areas of improvement with your own response plan. Note: responses are inherently reactive. The best way to maintain your community’s trust in you and your hospital system is by preventing cyberattacks in the first place (consider a ransomware vulnerability assessment to learn about your security health).

But in the event that a ransomware attack does strike, being prepared will make a huge difference.

Here are 7 lessons, framed as mistakes to avoid and practices to adopt, for implementing and testing your response plan:

Too much time denying—once an incident occurs and is detected by your IT support, every second counts. Many hospital IT teams would rather dismiss these events as false positives than treat an event as if it could be threatening the entire network. This state of denial almost always backfires by fracturing patient and staff trust in your hospital. You’ll also lose very precious time that could have been spent executing your response.

Unstructured chain of command—getting hacked is embarrassing, and hospitals that project competence elsewhere in their organizations, especially in patient care, often have no clear chain of command for the specific situation of a cyberattack or network crisis. When nobody knows who has the authority to declare an incident or take systems offline, the first hours are lost to arguing about it.

Lack of foresight—a lack of foresight usually shows up as acting too hastily in crisis mode: overcorrecting, or implementing fixes that create new problems. You cannot predict every single event that may happen to your hospital, that’s for certain. But you can agree ahead of time with your leadership on how to respond to different types of events and have a clear path forward in case something does happen. This helps eliminate emotional decisions that may lead to bigger crises down the road.

Have incident response best practices in mind—for hospitals, having a comprehensive strategy for responding to different types of incidents, including cyberattacks, will be the single most important step in mitigating the fallout of an attack. The best practices you’ll want to follow well in advance (aka start planning now!) are designing, testing and implementing your response plan.

Get buy-in from key stakeholders—a security breach will affect every single person in your hospital. Making sure you have cross-departmental support and buy-in is critical to recovery. HR leaders, compliance, operations, legal and vendor management all need to be at the table to help forge a response effort that avoids further disaster.

Clearly delineate roles—once you have your stakeholders in the room, you need to clearly lay out their specific responsibilities in the event of an attack. Maybe HR is responsible for all internal communications and the administrator is responsible for all external communication. Legal reviews any regulatory implications, and IT familiarizes itself with the backend work to remediate the malware. Specifying the roles you will need and the specific tasks you will need each stakeholder to take on will prevent the confusion that so often ensues in hospital cyberattacks.

Tailor your tabletop exercises—practice makes perfect. There’s no way around this one. If your surgeon were doing his or her first surgery ever with a patient on the table, would they be successful? Likely not very. The same goes for a cyberattack. If you haven’t prepared your team by practicing your response plan, your first effort when an attack hits won’t run smoothly.

Communicate effectively—when a cyberattack hits, there is going to be chaos: competing priorities, maybe too many people trying to help but with no clear direction. Clearly communicating with your team and with the community will be critical. Make sure your response plan touches every part of your organization and that everyone within the hospital understands their part.

When it comes to a cyberattack there are two parts: the actual incident and the response to that incident. While hospitals should be taking their cybersecurity seriously to avoid incidents, particularly by evaluating their current state of security with a ransomware vulnerability assessment, responding to an attack once your vulnerabilities have been exposed is serious business. By designing and implementing a cross-departmental incident response plan, carefully designed and endorsed by your stakeholders, you’ll be able to maintain public trust and continue to serve your community after the attack is over.

Concerned about your cybersecurity but not sure how to keep your hospital secure?

Consider a FREE ransomware vulnerability assessment.