It's Sunday morning, and the phone rings. "Looks like it's the hospital," you think to yourself. "Why would they be calling me on a weekend?" As you answer, you can sense the fear on the other end. "All our computers are down," the voice begins. "The executives have been here since dawn, and they've called an emergency meeting of the board of trustees in an hour. Can you make it?"
Welcome to cyber crisis.
The rise of cyber
Computing technology has been infiltrating our hospitals over the past three decades. It started with mainframes controlling financial systems, then personal computers drafting paperwork and, more recently, client-server systems connected to the internet.
With the ascent of meaningful use, we have adopted sophisticated electronic health record systems that computerize all patient data and enable computerization of the entire health care delivery process.
Tied into this network are sophisticated computerized diagnostic systems and, now, medical devices. The modern, connected hospital has computers that track patients, diagnoses, tests, drugs and, of course, billing, from end to end.
At the same time that this revolution in computer capabilities has occurred, the security of these computerized systems has changed relatively little. Over the past 20 years, while computing technology has become thousands of times more powerful, our methods for securing it have not necessarily kept pace. Today, we are seeing new cyber threats driven by organized crime, hacktivists working for social or political causes, and nation-state attackers. As computing technology has moved into nearly every part of the hospital and its caregivers, these threats are dangerous indeed.
From incident to crisis
A cyber crisis does not announce itself. A cyber crisis begins with a cyber incident, but then that incident spins out of control with disastrous consequences. Let’s start with some definitions.
A cyber incident is a situation in which computers, accounts or networks become compromised and fall under the control of someone other than an authorized user. The simplest example of an incident is when a computer is infected with malicious software that puts it under the control of an outsider. That malicious software may steal account usernames and passwords, credit card numbers and other data off a computer while also trying to copy itself onto other computers in the same organization.
Unfortunately, computers become infected all the time; a good rule of thumb is that an organization should assume that approximately 1 percent of its computers are infected at any given time. The key is to be able to identify and protect these systems in a timely fashion. When compromised computers or accounts are detected, the organization must have procedures to repair the computers, accounts and networks involved so they are secure again, and to perform appropriate HIPAA notifications.
A crisis can be defined in many ways. For the purposes of this article, a cyber crisis occurs when a cyber incident cannot be contained and remedied without affecting the organization’s business operations. In other words, a cyber crisis does not occur when one out of 20 computers in a department is taken offline. A cyber crisis occurs when all of the computers in the department are down and the department can no longer perform its duties using normal procedures.
The hospital’s ability to deliver excellent care, bill customers, coordinate with partners or otherwise conduct business is impaired during a cyber crisis. Disaster recovery procedures or contingency staff must be turned to in order to maintain operations.
There are three main types of cyber crisis. In cybersecurity training, we talk about the “CIA” of cybersecurity: confidentiality, integrity and availability. In general, one or more of these three words can be used to describe all cyber incidents, including crises:
- A confidentiality crisis involves the breach of a large amount of confidential data. For a hospital, this may involve HIPAA-protected patient records, personally identifiable information related to patients or hospital employees, or financial records such as bank accounts and credit card numbers protected by the payment card industry.
- An integrity crisis involves the unauthorized altering of large amounts of data. This may include unauthorized changes to patient records and prescriptions, manipulation of diagnostic test results, and improper data feeds to automated treatment devices such as insulin pumps. It also can involve altering financial data, including changing billing records or even manipulating the hospital’s own bank accounts to steal funds.
- An availability crisis involves making large portions of the hospital’s information technology systems unavailable.
There are many possible causes of these crises, although the cause is usually of less immediate concern than the operational impact and restoring service. Frequently, a crisis can start with an employee opening a phishing email, visiting a malicious website or installing unauthorized software. It may also start with a misconfiguration or a vulnerability in an internet-facing system like email or a web server.
Whatever the cause, the situation becomes a crisis when the initial failure expands to affect computers, accounts and networks needed for the hospital to conduct its business. For example, a ransomware crisis may involve malware that holds hundreds or thousands of hospital computers hostage, disables key applications or otherwise makes it extremely difficult to function normally.
Rallying the troops
When the crisis is identified, it is important for business leaders to be alerted to the situation and be briefed as soon as possible. This initial briefing should include the following information:
- What is known so far.
- What is not known so far.
- What is understood about the cyberattack or situation.
- What will be required just to stabilize the situation, as far as is known so far.
- What will be required to resolve the situation, based on staff's current understanding.
- What help could be summoned immediately to assist with the response.
Hospital leaders should never assume the organization can handle the crisis itself. Once the situation becomes a crisis, it is pretty much guaranteed that additional resources will be needed. Executives and trustees need to identify those resources, set budgets and grant authorizations so the recovery process can proceed quickly and efficiently.
In overseeing the crisis and recovery process, trustees and executives must ensure that they have the appropriate resources to handle the situation. In a crisis, money may be the only resource that is relatively easy to obtain, and governance procedures should be in place to set crisis budgets and release funds swiftly so the process can proceed. IT leaders can gain room to maneuver if they have funding for these resources:
- Experience at handling the particular crisis situation and its recovery.
- Services to provide IT functions while systems are offline.
- Expertise to provide needed skills and free up hospital staff.
- Capability to solve specific problems during the crisis and recovery.
- Capacity to provide additional resources to support the recovery process.
- Contingency in case there are problems with the recovery process.
These resources are going to be critical as the organization comes to grips with the crisis, the recovery and their aftermath. It is good to remember that when funding is initially requested, the true scope of the situation may not yet be fully understood. Leadership should stay engaged so that as the situation develops, budgets for recovery can be adjusted and targeted to the task at hand. Trustees should request frequent updates — particularly until the crisis is contained — so they can remain abreast of the scope of the damage, its effect on operations and the cost of recovery.
When a cyberattack happens, hospital staff and leaders will need a plan of action to deal with a potentially chaotic situation. In general, the recovery process will take place according to the following sequence, starting with the initial report:
- Identification of the crisis and activation of crisis processes.
- Allocation of outside resources to support crisis operations.
- Investigation and containment of the cyber intrusion or malfunction.
- Preparation to rebuild and restore IT capabilities.
- Closure of critical cybersecurity gaps if a cyber incursion occurred.
- Establishment of interim IT capabilities.
- Achievement of full operating capabilities for IT.
- Implementation of long-term cybersecurity improvements.
- Resolution of regulatory and legal consequences.
During the recovery process, tensions will be high and the organization will be operating at a high level of stress and output. The recovery process will likely be constrained by resources, which is to say that everything will be wanted "yesterday" and the goal will be to restore functions "as quickly as humanly possible." During this time, it will be critical for leaders to take charge of the pacing of the effort, identify critical resources and bottlenecks, and watch for employee burnout.
By asking questions in advance — of experts and themselves — and being prepared to devote resources, energy and a budget to cyber crisis preparation, executives and trustees can do a lot when faced with the worst.
While a cyber crisis is hardly the only emergency that can occur at a hospital, it is one of the few that involves an active adversary who may try to thwart recovery. Encourage your team to be ready. It’s going to happen.
Chris Williams (email@example.com) is chief cybersecurity architect at Leidos Health in San Diego.
Whether they like it or not, hospital and health system leaders will be intimately involved in the aftermath of a cyber crisis. To prepare for this eventuality, they should address 10 basic but crucial questions ahead of time:
- What is our plan in the event of a cyber crisis in which we lose all of our computer systems?
- If we lose all of our computers, what is our plan to restore IT capabilities?
- What if we lose critical IT personnel in addition to critical IT capabilities?
- What is our plan to contain and mitigate an active cyber crisis originating from the internet?
- What contingency resources do we need to have on hand in case of a devastating cyberattack?
- What is our plan for switching over to contingency IT operations?
- How do we test these contingency plans?
- When did we last test them? What were the results?
- How do our cyber defenses make a cyber crisis less likely or reduce its impact?
- How should we invest to reduce the probability and impact of a cyber crisis?