Health system cybersecurity threats: Will your patients be in the dark?

Cyberattacks are increasingly plaguing our healthcare system due to the rapid expansion of internet-connected technology, telemedicine, and remote support staff. In 2021, 66% of healthcare organizations were hit by ransomware[1], costing an average of $10.10 million[2] and resulting in an average duration of 20 days of downtime[3]. Healthcare providers spend less than 5% of their IT budgets on security[4], making them prime targets for an attack that can cripple clinical operations, presenting risks to patient safety and quality of care. Read how Vynamic partnered with a large, urban health system to map out off-line procedures across clinical and operational departments and prepared senior leaders and the incident response team to mobilize the enterprise in the event of an attack.

The challenge

While our healthcare system has been plagued by the challenges of COVID-19 over the past few years, another type of pandemic has also been causing irreparable harm: cyberattacks. When an organization experiences a cyberattack, the challenge to deliver safe care to patients is significant. Clinical decisions need to be made without the benefit of a patient record, automated procedure tools and devices, and without familiar communication channels. Unlike planned downtimes where one system is taken down at a time, a cyberattack presents a scenario where all systems are down at once, and recovery time can last for weeks to months. When the entire enterprise is taken ‘off-line’, it is critical that the organization is well prepared to operate safely and efficiently in this unfamiliar mode.

In 2021, a staggering 66% of healthcare organizations were hit by ransomware – a 34% increase from 2020¹. The pandemic accelerated the pace of attacks due to the rapid expansion of network and internet-connected technology and the shift to more telemedicine and remote support staff. Hospitals have focused efforts on compliance with federal requirements related to the privacy of patient data but have not prepared for the implications of a ransomware attack⁵. Healthcare providers spend less than 5% of their IT budgets on security⁴, making them prime targets for ransomware attacks. Data breaches in the healthcare industry cost an average of $10.10 million².

What makes the threat of a cyberattack so critical is that, unlike most downtime events, this touches the entire enterprise at once.

This risk goes beyond IT and security – it’s an enterprise-wide problem that needs to be addressed at multiple levels.

A large urban health system with over 15,000 employees and 600 beds understood and prioritized the need to develop a business continuity strategy to mitigate the impact of an extended downtime. While downtime procedures had been developed for many of their technology systems, there was no existing procedures documenting downtime clinical and operational workflows.

With an average duration of downtime after a ransomware attack of 20 days⁶, the client understood the urgency in developing off-line solutions to maintain patient safety and clinical operations. Cyberattacks result in longer lengths of stay, delays in medical procedures and tests leading to poor outcomes for patients, and an increase in complications from medical procedures. Nearly a quarter of healthcare providers report increased mortality rates following ransomware attacks.

As an internationally recognized, leading health system, the client sought help from Vynamic to do two things:

1. Develop ‘off-line’ procedures across prioritized clinical and operational departments, optimize efficiencies, map dependencies across departments, and identify significant cross-departmental gaps resulting in system-level vulnerabilities that needed to be addressed by leadership. This initial step in safeguarding their organization against a cyberattack was critical for remaining agile in the event of a catastrophic event.
2. Prepare senior leaders and the incident response team to mobilize the enterprise efficiently, precisely, and safely through a cyber security event to minimize the financial and operational impact.

The approach

Developing operational and clinical downtime procedures for a health system is an extremely complex process due to many factors: connected medical devices, multi-layered EMRs, physically disparate locations, and staff untrained on manual documentation. Vynamic partnered with Information Security, Emergency Preparedness, clinical leadership, and frontline staff to develop a strategy that would mitigate the impact of a potential attack.

Development of ‘off-line’ operational workflows across clinical & operational departments

With over 100 clinical and service departments in the hospital, Vynamic took a phased approach, identifying areas with the highest complexity and volume, to maximize the impact of the mitigation strategy. Cross-departmental dependencies were also factored in to optimize the efficiency and effectiveness of the downtime procedures.

In partnership with Information Security, Vynamic collected and assessed existing downtime procedures and an inventory of technology used by each department. Armed with this data, Vynamic engaged high priority departments in cross-functional, facilitated working sessions to identify strategies and workflows that optimized the use of limited technology.

Factoring in the physical environment, staffing, and available technology, a detailed, step-by-step downtime procedure was developed for each department. Insights were gathered from the cross-functional team to provide an accurate snapshot of the clinical workflow in the event of a cyberattack.

Interactive department mapping to illuminate gaps and efficiencies

Vynamic developed an interactive mapping of departmental procedures to clearly articulate the interdependencies, gaps, and efficiencies between departments. Decisions needed to be made across departments that were highlighted in the documentation.

The mapping was used for development of procedures, but also serves to guide users across workflows. Once completed, the interactive document lived in a secure location where all employees could access when needed. The document gave clear guidance on how to deliver end-to-end quality and safe care to patients during an enterprise-wide shut down.

Executive tabletop simulation of cyber event with senior leaders

In order to truly mobilize the enterprise in the event of a cyberattack, the senior leaders across critical areas (emergency preparedness, operational, clinical, and IT) must be making decisions seamlessly. Vynamic facilitated a session with senior leaders to simulate a realistic cyberattack to test governance models, communication pathways, and decision-making protocols. The key to success is in giving each department a role and making the tabletop as realistic as possible. Groups broke out into areas of focus (finance, 4 different clinical pathways, IT/security) to mobilize and make critical decisions. This exercise is critical to ensuring that the leadership of the organization is prepared.

The result

When a health system experiences a cyberattack, the delivery of safe care to patients is put to the ultimate test. An extended downtime not only jeopardizes hospitals’ financial stability and reputation but also endangers the lives of patients. This eye-opening exercise resulted in the:

• Creation of interactive mapping of patient care in the event of ‘offline’ mode
• Development of escalation pathways for leadership and incident management teams in the event of a cyber incident
• Detailed ways of working for communication across all levels of the organization

All employees of the organization, from senior leaders to clinical staff, are well positioned to care for patients and make important decisions in a thoughtful and methodical way in the event of a cyberattack. While we hope that our client will never need to use these procedures and plans, we are confident that they are well prepared should the event occur.

[1] https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/ransomware-attacks-against-healthcare/#:~:text=Ransomware%20attacks%20against%20healthcare%20organizations%20nearly%20doubled%20in%202021%2C%20report%20says,-Melissa%20D.&text=Two%2Dthirds%20(66%25)%20of,report%20from%20cybersecurity%20firm%20Sophos.

[2] https://www.secureworld.io/industry-news/healthcare-most-breached-industry#:~:text=IBM%20Security%27s%20%22Cost%20of%20a,%2C%20an%20increase%20of%209.4%25.

[3] https://www.statista.com/statistics/1275029/length-of-downtime-after-ransomware-attack/

[4] https://www.tripwire.com/state-of-security/healthcare-providers-need-to-increase-budgets-for-cybersecurity

[5] https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/05/18/ransomware-attacks-on-hospitals-put-patients-at-risk

[6] https://thecyberwire.com/newsletters/privacy-briefing/4/193