Preparing Healthcare for Cyberattacks

Understanding the Vulnerability

The healthcare sector faces unprecedented threats from cyberattacks, exacerbated by the shift to digital medicine and the widespread use of electronic health records. This increase in digital reliance has made healthcare organizations attractive targets for malicious actors. Cyberattacks not only disrupt online systems but can also jeopardize patient care. As these threats escalate, hospitals need to brace for potential crises to safeguard both patient health and sensitive data. Compliance with varying state and federal cybersecurity regulations is essential, as highlighted during a recent Healthcare Dive event on November 5. Additionally, providers must navigate significant financial challenges, including tight margins, federal spending cuts, and high staff turnover.

Expert Recommendations for Cyberattack Preparedness

Experts shared four key strategies for hospital leaders to bolster their defenses against cyberattacks.

1. Invest in Recovery as Much as Prevention

While hospitals may prefer not to dwell on worst-case scenarios, it is crucial to invest as much in recovery efforts as in preventive measures. According to William Scandrett, chief information security officer at Allina Health, healthcare providers should develop continuity plans for patient care and simulate operations during “downtime,” when systems are offline due to a cyberattack. “We have to spend as much time on recovery and operating in downtime as we do in prevention,” Scandrett stated. Prioritizing essential operations, especially those critical to patient care, can help organizations streamline their recovery efforts. Heather Costa, director of technology resilience at the Mayo Clinic, emphasized aligning recovery priorities with both clinical and business needs.

2. Drill, Drill, Drill

Comprehensive and frequently updated cyberattack response plans are vital. Joshua Justice, cyber threat intelligence manager at Health-ISAC, said that training exercises are central to preparedness. Tabletop exercises, which simulate responses to cyberattacks, enable healthcare leaders to understand how different departments—such as IT, legal, and administration—will react. Barry Mathis, managing principal of IT advisory consulting at PYA, warned against viewing incident response as a linear process, emphasizing its complex nature. Practicing documentation methods during downtime, as well as patient care workflows without technology, is critical. “If you’ve never practiced, now is a good time to start,” Mathis advised.

3. Assess Risks from Vendors

Healthcare organizations face significant risks from third-party vendors, which can introduce vulnerabilities. As hospitals increasingly rely on external partners for various services, the potential for cyber threats rises. Sanjeev Sah, SVP of enterprise technology services and CISO at Novant Health, stressed the importance of conducting thorough cyber due diligence on potential vendors. Evaluating their security measures and incident history is essential before entering into contracts. Additionally, with the rise of artificial intelligence, careful vetting of new vendors is critical to minimize risks.

4. Navigate Differing Regulations

In the aftermath of a cyberattack, hospitals must also manage compliance with both state and federal regulations concerning reporting and data security. Providers must adhere to the Health Insurance Portability and Accountability Act (HIPAA) and be aware of specific state laws. Pavel Slavin, CISO of Endeavor Health, highlighted the complexities involved in maintaining compliance while managing cyber incidents. Organizations may also face additional requirements from vendor contracts, which can necessitate quicker reporting of cyberattacks than what is legally mandated. Slavin cautioned against equating compliance with security, stating, “They’re not synonymous.”

Conclusion

As cyberattacks continue to pose significant risks to healthcare, it is imperative for organizations to adopt a multi-faceted approach to cyber preparedness. By investing in recovery, regularly training staff, assessing vendor risks, and navigating regulatory landscapes, hospitals can better protect themselves and their patients from the ever-evolving threat of cyberattacks.