4 Steps to Patient-Centric Incident Response in Healthcare

The healthcare industry reported more ransomware attacks than any other critical infrastructure sector in 2023. With the escalation of attacks in scale and intensity, it is clear that conventional healthcare cybersecurity methods have proven inadequate. A significant shift is required to combat increasingly sophisticated attacks.

For example, incident response—the standard processes and technologies used to detect and respond to cyber threats—has worked well for most industries, such as retail and finance. However, what sets healthcare apart is not the complexity or number of IT systems; instead, it’s the responsibility for the care and safety of humans. 

Patient-Centric Incident Response 

Incident response in healthcare should reflect the patient-centric approach seen in other critical areas of the industry. Unfortunately, most incident response programs, practices, and policies primarily prioritize data protection. Even healthcare regulations and standards such as HIPAA, the NIST CSF, and NIST SP 800-53 provide a false sense of security, because every guideline, regulation, and requirement focuses mainly on protecting data rather than giving direction, best practices, or even advice on protecting the patient. While safeguarding data is crucial and often the primary justification for cybersecurity investments and regulatory compliance, healthcare’s primary focus should always be to protect the patient and ensure uninterrupted care.

Part of the problem is that cybersecurity responsibilities often fall under IT, and most programs are extremely hierarchical. Healthcare is no exception. Since most cyberattacks are executed within 15 minutes, hierarchical response plans involving multiple layers of approval and permission-seeking are impractical in this context. Conventional playbooks and practices are often abandoned within those 15 minutes, and ad-hoc measures take precedence. 

In comparison, the most effective clinical teams operate with minimal hierarchy, especially in critical life-or-death scenarios. This non-hierarchical approach to patient care should be mirrored in incident response planning. For example, with a patient-centric approach, responsibilities extend to other teams as well, such as clinical staff, clinical engineering, compliance, etc.

Mortality Rates Increase After a Breach

In the high-pressure healthcare environment, time is of the essence when responding to potential cybersecurity events, and the response itself can have detrimental impacts on patient care. For example, a Vanderbilt University study found that “…following a breach, time-to-EKG and mortality rates both rose and continued to rise for about three years before tapering off.” The report further explained that “it’s the post-breach remediation efforts that are impacting these time-sensitive processes and patient outcome measures.”

Using breach data from the Department of Health & Human Services and quality data on more than 3,000 hospitals over four years, researchers found that the average time-to-EKG increased by as much as 2.7 minutes, and that the increase in the 30-day mortality rate for heart attacks translated to as many as 36 additional deaths per 10,000 heart attacks per year. This is just one example of how a significant cyberattack can increase patient mortality.

A Four-Step Plan for Moving to Patient-Centric Incident Response

Cyberattacks inevitably affect patient care, even if patients are not the direct targets. Let’s use a ransomware attack to illustrate this. Once the attack begins, the healthcare environment is thrown into a state of frenzy. Conversations across departments revolve around the attack’s implications—from concerns about compromised systems and the reliability of critical patient data to questions about personal data security. The focus shifts from patient care to the potential fallout of the cyberattack, leading to a demonstrable decline in the standard of care provided. 

To effectively mitigate the impact, the entire organization must recognize its primary role in safeguarding patients when orchestrating a response. For example, clinical staff should have defined actions to take once a cyberattack is known to be in process (for instance, immediately take current vital signs of patients connected to medical devices). Keeping the patient at the forefront is paramount, and every aspect of incident response, including disaster recovery, should prioritize patient well-being. 

When developing a modern patient-centric incident response plan, the following four-step process should be considered and integrated:

Step 1: Patients

The incident response plan must be designed to ensure no impact on patient care. When prioritizing system recovery, decisions should be based on what will benefit the patients the most.

Step 2: Staff

Supporting and empowering the staff on the ground during a cyberattack is essential for delivering excellent patient care. Addressing their concerns and uncertainties is crucial. This support should extend beyond the IT department to the entire organization, ensuring everyone knows how to respond and can stay focused on patient safety. 

Step 3: Family

Proactively addressing the concerns of patient families and friends is vital. Effective and early communication is necessary, especially in the aftermath of a cyber incident. People will seek answers and reassurance, so having a plan for addressing their valid concerns is essential.

Step 4: Systems

The long-term goal is to restore and protect the IT systems. The recovery order should align with clinical guidance from teams prioritizing patient care. When bringing systems back online, consideration should be given to the acuity of patients in the ICU, for example, and the plan should be aligned with patient care objectives.

In summary, a thorough patient-centric incident response plan will prioritize patients, evaluate staff needs, address family concerns, and consider system status and recovery objectives. This will remain the ongoing focus, minute by minute and hour by hour, until a known state is achieved.

Putting the Plan in Action: The First 72 Hours of an Attack Response

The choices and actions taken in the critical first 72 hours following a cyberattack are of utmost importance and carry the highest liability. Incident response plans should center on the actions taken within this timeframe, focusing on executing a well-rehearsed response strategy.

Within the first 90 minutes of an incident, ensure that patients are effectively managed and clinicians have the necessary resources to stabilize the situation. At the same time, map different areas of responsibility. Engaging in open conversations with clinicians and hospital staff is essential in transitioning from the initial 90 minutes to the first eight hours, during which staff care becomes a pivotal consideration. Assessing staff morale, psychological well-being, and overall engagement is paramount in an adequate response.

Moving into the subsequent eight- to 24-hour window, ensure family communications are ready. Efforts should be directed toward maintaining effective communication and reducing disruptions to keep teams focused on patient care. As the timeline progresses from 24 to 72 hours, the focus shifts towards prioritizing and recovering systems. At all times, priorities should be aligned with patient acuity and needs, guided by insights from clinicians, and dictated by real-time circumstances, not the playbook. This is a very different form of disaster recovery, and few organizations know how to execute it.

Establishing a blended model for the command center, managed by on-site personnel focused on patient safety and complemented by an executive command center handling operational and legal aspects, can also help to ensure a comprehensive and effective response throughout a cybersecurity incident. Adapting to the challenges that arise, particularly during non-traditional hours, is crucial. This may involve rethinking the composition and operation of the command center to maintain an effective response even during off-peak hours.

Regarding system restoration, simply bringing systems back online does not guarantee immediate usability. Restoration processes, especially in cybersecurity incidents, can be lengthy and complex. This underscores the need to diligently assess and clear systems for operational use, even after they have been technically restored.
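The two system-side rules in this article, that the recovery order follows clinical guidance (Step 4) and that a technically restored system is not usable until it has been assessed and cleared (the paragraph above), can be enforced in a simple recovery tracker. The example below is added here for illustration and is not code from the article or from CloudWave; the system names, dependencies, acuity scores and role names are constructed assumptions. It orders restoration by patient acuity while never restoring a system ahead of something it depends on, and it refuses to report a system as usable by clinicians until a clinical lead has cleared it, regardless of whether IT has rebuilt and verified it.

```python
"""Recovery tracker for a patient-centric incident response plan (example code).

Enforces two gates: restoration follows clinical acuity within dependency
constraints, and "restored" is never the same as "cleared for patient use".
System names, acuity values and roles are constructed for illustration.
"""
import heapq
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ISOLATED = "isolated"   # taken offline during containment
    RESTORED = "restored"   # rebuilt and reachable again, not yet trusted
    VERIFIED = "verified"   # integrity and malware checks passed
    CLEARED = "cleared"     # clinical lead approved the system for patient use


# The only permitted path: isolated -> restored -> verified -> cleared.
NEXT_STATE = {
    State.ISOLATED: State.RESTORED,
    State.RESTORED: State.VERIFIED,
    State.VERIFIED: State.CLEARED,
}


@dataclass
class ClinicalSystem:
    name: str
    acuity: int                      # 1 = direct patient-care impact, 5 = back office
    depends_on: list = field(default_factory=list)
    state: State = State.ISOLATED
    log: list = field(default_factory=list)   # (from, to, actor_role) audit trail


class RecoveryTracker:
    def __init__(self, systems):
        self.systems = {s.name: s for s in systems}

    def recovery_order(self):
        """Restore in acuity order, never ahead of a dependency.

        Kahn's topological sort with a priority queue keyed on acuity, so the
        most patient-critical system that is ready always comes next."""
        indegree = {n: len(s.depends_on) for n, s in self.systems.items()}
        dependents = {n: [] for n in self.systems}
        for s in self.systems.values():
            for dep in s.depends_on:
                dependents[dep].append(s.name)
        ready = [(self.systems[n].acuity, n) for n, d in indegree.items() if d == 0]
        heapq.heapify(ready)
        order = []
        while ready:
            _, name = heapq.heappop(ready)
            order.append(name)
            for child in dependents[name]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    heapq.heappush(ready, (self.systems[child].acuity, child))
        if len(order) != len(self.systems):
            raise ValueError("dependency cycle in recovery plan")
        return order

    def advance(self, name, actor_role):
        """Move a system one step along the path, enforcing the plan's gates."""
        system = self.systems[name]
        if system.state not in NEXT_STATE:
            raise ValueError(f"{name} is already cleared")
        target = NEXT_STATE[system.state]
        if target is State.RESTORED:
            blocked = [d for d in system.depends_on
                       if self.systems[d].state is State.ISOLATED]
            if blocked:
                raise ValueError(f"{name} waits on isolated dependencies: {blocked}")
        if target is State.CLEARED and actor_role != "clinical":
            raise PermissionError(f"only clinical leads may clear {name} for patient use")
        system.log.append((system.state.value, target.value, actor_role))
        system.state = target
        return target

    def usable_by_clinicians(self, name):
        """Restored or verified is not enough; only a cleared system counts."""
        return self.systems[name].state is State.CLEARED


def build_sample_tracker():
    """Constructed sample inventory; names and acuity values are illustrative."""
    return RecoveryTracker([
        ClinicalSystem("identity-directory", acuity=3),
        ClinicalSystem("storage-cluster", acuity=3),
        ClinicalSystem("icu-monitoring", acuity=1, depends_on=["identity-directory"]),
        ClinicalSystem("emr", acuity=2, depends_on=["identity-directory", "storage-cluster"]),
        ClinicalSystem("pacs-imaging", acuity=2, depends_on=["storage-cluster"]),
        ClinicalSystem("billing", acuity=5, depends_on=["emr"]),
    ])


if __name__ == "__main__":
    tracker = build_sample_tracker()
    print("recovery order:", tracker.recovery_order())
    tracker.advance("identity-directory", "it")
    tracker.advance("icu-monitoring", "it")      # restored
    tracker.advance("icu-monitoring", "it")      # verified
    print("usable after verification?", tracker.usable_by_clinicians("icu-monitoring"))
    tracker.advance("icu-monitoring", "clinical")
    print("usable after clearance?", tracker.usable_by_clinicians("icu-monitoring"))
```

The recovery order puts ICU monitoring ahead of the EMR and imaging even though its acuity is the same tier as theirs or better, but only once the directory service it depends on is back; the separate CLEARED state and the role check are what keep "the server is up" from being reported to the floor as "the system is safe to use", which is the distinction the restoration paragraph draws.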

Conclusion

The healthcare industry must shift from protecting data to prioritizing patients. Understanding the unique challenges and timelines associated with recovery from a cyberattack is the key to developing comprehensive, effective, patient-centric incident response plans. By prioritizing an incident response framework focused on patient care, staff well-being, communications with family and friends, and system restoration, healthcare organizations can mitigate the impact of cyber incidents.

About Mike Donahue
Mike Donahue is the Chief Delivery Officer at CloudWave, where he manages CloudWave’s security and platform operations in addition to advisory, technical, and consulting services, with a focus on delivering an excellent customer experience.