14 Ways Cyberattacks Can Hamper Healthcare — and 13 Ways to Prevent Them
John Riggi, AHA’s national advisor for cybersecurity and risk, shared examples of how cyberattacks threaten safety in healthcare.
BOSTON — While cyberattacks are a significant concern for nearly all industries, the industry that arguably has the most to lose is healthcare. In 2022, 44 million individuals were impacted by medical breaches.
As of September 2023, that number is already at 66.3 million and is expected to grow to nearly 100 million by the end of the year.
On Sept. 7 and 8, the non-profit Healthcare Information and Management Systems Society (HIMSS) hosted its Healthcare Cybersecurity Forum. At the summit, authorities in the healthcare cybersecurity space shared how to proactively shield healthcare’s expanding digital footprint and secure data beyond the confines of a healthcare facility.
During the forum’s opening keynote, John Riggi, the American Hospital Association’s National Advisor for Cybersecurity and Risk, discussed the global cyber threat landscape, including healthcare risk, impact, and response.
The biggest risk, Riggi said, is healthcare’s dependency on technology. When it suddenly becomes unavailable, like during a ransomware attack, there is significant disruption that ultimately risks patient safety.
Discussions regarding cyberattacks against healthcare facilities often focus on stolen patient data and protected health information; however, Riggi says only 8% of attacks involve stolen electronic medical records (EMRs).
While this shows that EMRs themselves are relatively well protected and not being significantly penetrated, it also means that the data that is being stolen lies outside the EMR, unencrypted.
According to Riggi, the primary healthcare cyber threat is third- and fourth-party cyber risk exposure through business associates, medical devices, and supply chains. For instance, most of the 10 largest healthcare data breaches in 2022 were tied to vendors.
Riggi shared examples of the reported clinical and business impact of ransomware attacks on healthcare facilities, including:
- Radiology/imaging/PACS/diagnostic technology down: All could lead to stroke and trauma diversion
- Cath lab down: Could lead to heart attack diversion
- Risk to patient safety: Emergency department shutdowns lead to ambulances being placed on full diversion; rural distances delay emergency treatment; trauma center availability is affected
- Telemetry systems inoperable: Additional staff required for patient monitoring; impacts home health care telemetry
- EHR (electronic health record) rendered inaccessible: patient history, treatment protocols, drug allergies/interactions unknown; delay in rendering care
- Lab results unavailable or delayed: Certain ailments/sicknesses are fatal if not treated in a timely manner (e.g., streptococcal sepsis)
- Drug cabinet/pharmacy systems down: Could lead to patients not receiving medication in a timely manner, drug diversion
- Ransomware “blast radius”: Affects other providers that depend on the facility for ED, EMR, labs, imaging, and cancer treatment; additional third parties are disrupted
- Loss of VoIP phones and email systems
- Regional impact and stress based on capacity of surrounding hospitals
- Simultaneous loss of all network- and internet-connected information, medical, and operational technology: Downtime computers are lost or hold only limited data
- ED wait times significantly increased
- Elective surgeries canceled
- ADT (admission/discharge/transfer) forms and instructions unavailable
Preventing Healthcare Cyber Attacks, Mitigating Impact
To combat the growing impact of cyber threats, AHA recommends healthcare organizations take the following steps to improve cybersecurity, which in turn improves patient safety:
- Integrate plans: Integrate and coordinate cyber incident response, emergency management, incident command, business continuity, and disaster recovery plans. Business continuity plans should specify plans for clinical continuity and operational continuity during a partial or full loss of mission-critical technology.
- Readiness, Response, Resiliency, and Recovery (4R concept): The cyber incident response plan should be developed on an organization-wide basis. All system-level, hospital-level, and department-level actions and responses, including all IT, operational, business, and clinical functions, should be defined in the plan for the duration of the incident and for post-incident recovery.
- Regional, Readiness, Response, Resiliency, and Recovery (5R concept): It is recommended that regional cyber incident response and communication plans be developed for a high-impact cyber attack with a regional impact on healthcare delivery. Leverage emergency preparedness plans and mutual aid agreements. Plans should include contingencies to accommodate the diversion of patients and functions between facilities as needed, and to assist impacted facilities with a surge of personnel, communications, medical devices, and technology. Regional facilities will also face increased strain or collateral impact.
- Enhance downtime procedures for every life-critical, mission-critical, and business-critical system and technology so that clinical and business operations can be sustained for up to four weeks without the benefit of technology. Enhance clinical, operational, financial, and administrative downtime processes and the proficiency of staff on all shifts. Ensure downtime supplies are in place or external printing arrangements have been made to continue operations and care delivery through manual procedures in the event of a simultaneous loss of medical, information, and operational technology.
- Identify clinical and mission-critical third-party services and establish downtime procedures if their services are unavailable: This includes cloud and technology service providers. Determine clinical, operational, and information technology impact if they are struck with ransomware and their services become unavailable — establish compensating on-premises downtime procedures, including manual procedures and backup strategy.
- Designate downtime coaches and downtime safety officers for each shift: The loss of access to the EMR/EHR may cause disruption and delay to healthcare delivery as a significant proportion of staff may not be proficient in manual downtime procedures. Loss of embedded safety and treatment protocols in the EMR/EHR may increase the risk to patient safety.
- Network backup status, segmentation, and security: Establish a regular cadence of vulnerability and penetration testing of backups. Review, document, and communicate estimates of the network restoration time objective and restoration point objective. Implement an immutable backup solution as part of the standard 3-2-1 backup strategy, making it 3-2-1+1: one additional immutable backup copy.
- Document roles that have designated and delegated authorities to make independent, high-impact decisions during a cyber incident/crisis, such as disconnecting the organization from the internet or shutting down large parts of the network, under defined urgent circumstances (3D concept: Document, Designate, and Delegate authorities).
- Define and document “triggers” or facts and circumstances authorizing high-impact decisions, such as organizational disconnection from the internet. Specify leadership escalation, incident command activation, and staff notification protocols. “Trigger” examples include indication that ransomware is spreading or beaconing to external “command and control” or indication of ongoing data exfiltration.
- Define internal impact to life-critical, mission-critical, and business-critical devices and services: Map clinical, operational, and administrative impact of decisions related to a complete or partial shutdown of internal network or internet disconnection. Document impact and incorporate it into the overall incident response plan and communicate it to leaders.
- Define external dependencies’ impact, especially external clinical dependencies, which may be impacted or disrupted by a ransomware attack against your organization and the unavailability of your network, such as impact to other hospitals, clinics, and homecare telemetry.
- Review cyber insurance coverage: Determine the sufficiency of coverage based upon risk profile and current cybersecurity posture. Determine the proficiency of incident response assets and your confidence in them prior to an incident. Review the “act of war” exclusion given current geopolitical events. It is recommended that plan information be kept highly secured and encrypted with limited access to prevent adversary discovery.
- Review business associate agreements for breach notification and insurance requirements: Determine to whom a breach is to be reported, 24/7 including weekends and off-hours, and the timeline (24-72 hours for data theft, immediately for ransomware).
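As an added illustration of the 3-2-1+1 backup recommendation above (example code written for this page, not part of the original article or of AHA guidance), the Python check below inspects a constructed backup inventory and reports where it falls short of 3 copies, 2 media types, 1 offsite copy, plus 1 immutable copy, and whether the immutable copy is fresh enough to honour a stated restoration point objective. The `BackupCopy` fields, inventory names, and 24-hour objective are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class BackupCopy:
    name: str
    medium: str            # storage type, e.g. "disk", "tape", "object-storage"
    offsite: bool          # held outside the primary facility/network
    immutable: bool        # WORM/object-lock copy that ransomware cannot alter or delete
    last_completed: datetime

def check_3_2_1_plus_1(copies, rpo_hours, now):
    """Return a list of findings; an empty list means 3 copies, 2 media, 1 offsite,
    +1 immutable copy, with the immutable copy inside the restoration point objective."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s) (need 2)")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    immutable = [c for c in copies if c.immutable]
    if not immutable:
        findings.append("no immutable copy (+1)")
    else:
        # After ransomware, the immutable copy is the one that reliably survives,
        # so its age is the restoration point you can actually guarantee.
        age = min(now - c.last_completed for c in immutable)
        if age > timedelta(hours=rpo_hours):
            findings.append(f"freshest immutable copy is {age} old, exceeds RPO of {rpo_hours}h")
    return findings

# Constructed sample inventories (illustrative values, not from any real facility).
NOW = datetime(2023, 9, 8, 12, 0, tzinfo=timezone.utc)
COMPLIANT = [
    BackupCopy("primary-snapshot", "disk", False, False, NOW - timedelta(hours=1)),
    BackupCopy("offsite-tape", "tape", True, False, NOW - timedelta(hours=20)),
    BackupCopy("cloud-object-lock", "object-storage", True, True, NOW - timedelta(hours=6)),
]
WEAK = [  # three copies, but all on disk and the only immutable one is stale
    BackupCopy("primary-snapshot", "disk", False, False, NOW - timedelta(hours=1)),
    BackupCopy("replica-san", "disk", False, False, NOW - timedelta(hours=2)),
    BackupCopy("dr-site-disk", "disk", True, True, NOW - timedelta(hours=40)),
]

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, check_3_2_1_plus_1(inv, rpo_hours=24, now=NOW) or ["OK"])
```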
The original version of this post appeared on SSI’s sister site, Campus Safety.