Ensuring Patient Care in an Era of Ransomware

It’s news no healthcare provider wants to hear: they’re the victim of a ransomware attack. As a result, critical systems are down, and patient care is at risk. 

No healthcare organization is immune to ransomware or other cyber-attacks, from giants like Change Healthcare to independent health systems like Hancock Health. In fact, 67% of healthcare organizations experienced a ransomware attack in a 12-month period—up from 60% the previous year, according to Sophos.

Recovering from these attacks can take weeks or even months. Healthcare IT systems are exceptionally complex and massive in scale, with hundreds or thousands of systems and numerous departments, subcontractors, and third-party vendors. As result, these systems are highly decentralized, with data spread across many locations.

Tracking assets and data and managing user access in such a dynamic and complex environment make it difficult to protect against ransomware and cyber-attacks. Malicious actors can easily penetrate unpatched systems, and employees may be susceptible to deceptive, well-crafted phishing emails.

In this second article in our series on mitigating healthcare breach risks, we’ll share best practices for ensuring patient care in a crisis—even when systems are unavailable and the return to normal operations is a long, slow, and complex process. 

Prevent and Protect Where Possible

It’s a near certainty a healthcare provider will face a ransomware attack or cybersecurity incident. However, managing risk and access to sensitive patient information can help mitigate the likelihood or impact of such an attack. Consider the following:

• Regularly risk assess your high-volume PHI systems. Pondurance offers NIST-based risk assessments to healthcare clients that include: 

  • Inventorying critical assets, including hardware, software, data repositories, and applications

  • Using real-time threat intelligence to identify and analyze emerging risks 

  • Assessing vulnerabilities due to unpatched software, misconfigurations, or inadequate security controls

  • Analyzing and prioritizing risk, based on their significance and potential impact

  • Providing customized risk mitigation strategies, such as technical controls, employee training, and incident response planning

• Right-size access roles. Regularly review not only who has access to critical systems but the level of access needed to do their job—ensuring it aligns with the “minimum necessary” principle. 

In addition, identity and access management (IAM) must account for unique situations, such as staff with multiple or changing roles, ad hoc access from third parties, or overlapping system access needed for patient care. 

• Use centralized access and logging mechanisms. With the focus on patient care, IT and security teams rarely get all the controls, features, and functionality they’d like. To manage this, implement centralized authentication such as single sign-on (SSO), and improve visibility through log aggregation.

• Segment your networks. Minimizing what systems and users can connect to helps reduce the spread of a ransomware attack. This means network and access segmentation should be a high priority. Too often, a user can simply plug into a hospital wall port and instantly gain access to the clinical network. 

Look beyond Ransomware 

Ransomware is only one way systems may go offline. Incident response plans should address a broad range of scenarios, from a high-profile cyber-attack to power loss. Focusing too narrowly on the cause rather than the impact of an incident can lead to failure in other situations. The same policies, criteria, and procedures should apply to various types of incidents.

Include the Patient Care Team in Incident Response Planning

The medical staff are responsible for ensuring continuity of care, even when access to critical systems is blocked. Their input is critical in incident response planning, whether for a ransomware attack or other incident type.

Planning and tabletop exercises give the patient care team an opportunity to identify and prioritize critical services needed to maintain care. Similarly, the IT team can set criteria, that when met, should trigger a switch to paper documentation—regardless of the incident’s cause. 

When an incident does occur, IT and security teams should communicate with medical staff about the time and effort it will take to return to normal operations. This could include a rough timeline of what to expect when, such as approximately how many days until IT expects core services to resume. A trained point of contact from the patient care team—likely leadership—can keep staff updated and informed on next steps.  

Get Your House in Order

Even though organizations invest in security tools and recovery services, they may overlook other aspects of risk management, such as  governance. Yet, a review of these critical elements costs nothing and can go far in helping prepare for an incident. Establishing a clear chain of command and having well-documented procedures, such as for incident escalation, can save valuable time during response and recovery. 

Prepare for Recovery

Often, incident recovery can be a long and challenging process. Reintegrating paper data into electronic systems is time consuming, and recovery from backups or from decrypting systems is complex. Your cyber insurer may help cover the cost for supplementary data entry staff or additional IT support. Whatever is needed, disaster recovery and business continuity planning should include business leaders and the patient care team—not just IT.

Learn from Near Misses

In cybersecurity and incident response, near misses offer valuable lessons that can improve both prevention and recovery efforts. It’s easy to overlook these opportunities, but they offer learning moments for practicing incident response processes. When an actual incident does occur, IT, security, and patient care teams aren’t scrambling to both understand their procedures and address the crisis simultaneously.

Lean on Trusted Experts 

When it comes to responding to a ransomware attack or other type of incident, no organization can do it alone. Patient care is the top priority for healthcare providers, and the most resources are allocated to fulfilling that mission. 

To minimize breach risks from an incident, many organizations turn to experienced partners like insurers, legal counsel, and cybersecurity experts. At Pondurance, we help healthcare providers detect and respond quickly to cyber incidents, reduce damage, and prevent future attacks. 

We also work closely with internal and legal teams to contain threats, investigate root causes, and restore normal operations. And with 24/7 monitoring and specialists in forensics, malware, and eDiscovery, we ensure evidence is handled properly and sensitive patient data is protected.

Incidents are inevitable, but with the right preparation and partners, you can minimize the impact while continuing care for the people who matter most—your patients.

Learn more about our incident response services and download our playbook on how to reduce breach risks.