Preparing For and Responding To Ransomware Attacks

March 2016

Last month, a U.S. hospital’s IT system was held hostage by a ransomware attack that demanded payment to unlock access to the network. The system was down for two weeks, forcing administrators to redirect patients to other hospitals and clinicians to revert to recording patient information on paper.

Hospitals are often more vulnerable to ransomware and other cyber attacks than businesses in other industries like financial services. Their digital transformation came late, and the simple reality is that many IT systems weren’t installed with cybersecurity in mind. At BDO, we hear of health care cyber attacks on almost a weekly basis, and we expect those attacks to increase and grow more sinister.

What’s a hospital to do? Expect to get hit, and know how you’ll respond.

The Fundamentals of a Cybersecurity Preparedness Framework

Creating a preparedness framework – not dissimilar to a Joint Commission survey framework – helps hospitals set themselves up so that when they do get hacked, they can prevent further infiltration, minimize damage, and quickly redirect staff to practiced protocols that ensure patient care isn’t compromised.

The fundamentals are:

Assess IT workflow and people to determine potential vulnerable areas
Vulnerability is defined both by technological weaknesses and by the sensitivity of the systems and the data they contain. A breach of data-reliant treatment areas would cause clinical problems, as patients’ past and recent medical records would be unavailable, which could affect treatment plans and decisions. Building IT perimeters makes it possible to shut down data-reliant treatment areas such as interventional radiology, cardiac catheterization and the ICU to protect them from infiltration until the malware issue is addressed.

Incorporate cybersecurity into your future assessments of new partnerships, as well. As health connectivity moves beyond a hospital’s four walls, weak points can be created if the connections are not properly set up.

Assign responsibilities and train team members on cybersecurity
A breach will necessitate responses from nearly all departments across the enterprise, so the response team should draw from team members in legal, compliance, IT, information security, clinical operations, community relations, etc. Team members should understand reporting laws, their roles, and the various types of cybersecurity breaches and what is and isn’t impacted so they can respond appropriately to their stakeholders.

As providers develop care delivery networks, they can build cybersecurity disaster recovery into their collaboration. Approach area hospitals to act as resources in the event of a breach, since critical patients may need to be transferred out. Critical processes, such as lab work and other data (radiology, cardiac monitors, etc.), may also have to be outsourced. Agree on backup protocols, and figure out together how you can get back up and running faster, even if in a modified way, by working together.

Create and run scenario training events
“Tabletop exercises” that walk step by step through an incident response plan can uncover planning and response gaps and lead to preventive remediation work.

Scenario training events can also include department-level training and drills to practice the plan so each hospital employee understands their role, and so the incident response team can gather the insights it needs to apply the learning from one breach to prevent future breaches.

Prevention is the Best Cure
As vulnerable areas are identified, hospitals may choose to introduce new resources to their prevention and response protocols. A variety of early detection systems and technologies, including artificial intelligence, machine learning and probabilistic mathematics, are already in use in other industries to identify malware and intrusions that have gained access to IT systems. Hospitals can contain these infiltrators by identifying them early on and preventing them from accessing what they want to access.

The good news is that even as attacks proliferate, the ability to detect them and respond has exponentially increased. Hospitals that empower themselves to respond will have a good sense of what is going on and what needs to be addressed – as opposed to those who are caught off guard and can merely react as they try to figure out the problem and how to resolve it.