Everyone knows that cyberattacks and breaches are a significant and increasing threat to healthcare. You may also know that healthcare is far and away the #1 target for hackers and accounts for 88% of all ransomware attacks, and growing rapidly.
However, many hospitals misunderstand their level of business continuity preparedness for these unique types of crisis situations putting their patients and the hospital’s reputation at significant risk.
Need for an Immediate Emergency Response
At the recent HIMSS19 Global Conference in the Cybersecurity Command Center in Orlando we were surrounded by various companies offering cyber assessment, detection, protection and resiliency solutions. We certainly acknowledge the importance and value of these offerings. But we couldn’t help notice their apparent focus on the needs of the IT department to prevent infection and restore systems, at the neglect of clinicians and their patients who need an immediate emergency response to continue care.
Hospitals that have experienced responding to cyberattack lock downs or breach shut downs acutely understand this gap in patient information availability and the threat to patient safety, as well as a hospitals reputation.
But many others fail to comprehend the serious threats.
Mistaking Resiliency for Crisis Management
When we discuss the first response challenges to accessing patient information at the earliest stage of a cyber crisis, many hospitals think that they are already protected. They are mistaken.
Resiliency solutions such as backup server farms, remote data centers, virtualization and cloud storage solutions are important options for a cybersecurity restoration program. However, during a cyberattack they may also be infected and they will ALL be unavailable when a lockdown or shutdown first occurs. At a minimum it will take several hours, if not several days to restore systems hospital-wide with these solutions, and patient information will surely be out of date.
A Crisis Management solution ensures that a hospital has an immediate response for continuing patient care. This is commonly referred to as an Emergency Response Plan (ERP) or Breach Response Process.
The Consequences of Cyberattacks on Business Continuity
Hospitals that have experienced responding to ransomware lock downs or who have had to shut down systems to protect further exposure of patient information know the pain of these situations all too well.
For example, Cass Regional Medical Center’s EHR remained offline for investigation for 72 hours. During that time the state mandated that they divert trauma and 
stroke patients to other hospitals. In other situations, hospitals have had to hastily post notices at their entrances, closing doors to new admissions.
When Allscript’s EHR platform was hit with a ransomware attack for more than 24 hours, 2500 hospitals had “zero patient info available” for their:
- 7.2 million patients
- 180,000 physicians
- 100,000 prescribing physicians
- 45,000 physician practices
- 19,000 post acute agencies
- 40,000 in home clinicians
Imagine the challenges of continuing medication administration without a current eMAR or patient MPI to reference at the first stages of an attack.
Other scenarios can occur that threaten patient care such as when lab results, radiology and other clinical sources are unavailable.
There are even important operational information challenges — how do you access administrative forms such as patient consent and how will the IT department contact vendors by email or phone during a crisis for help when their systems are inaccessible?
In any case, it can bring a hospital to its knees, especially without a Crisis Management plan at the earliest stage of the crisis.
Are You Prepared for a Cyber Crisis?
Most hospitals have insurance policies for government fines, liability and malpractice associated with breaches and cyberattacks. But obviously that will not replace the need to protect patient safety, staff productivity, revenue, hospital reputation, and, ultimately, a hospital’s ongoing viability.
The risk of reputation loss and loss of future business were calculated in an annual study of 49 US companies. This study found that the organizations examined averaged more than $3 million in losses related to reputation loss, abnormal turnover of customers, increased customer acquisition activities, and diminished goodwill.
A hospital that is prepared for a crisis with an Emergency Response Plan to continue care will be thought of more highly by patients, their families and your staff, even if patient privacy is breached.
Your Takeaways
- Know the differences between detection/resiliency/restoration solutions and a Crisis Management/Emergency Response Plan
- Understand the threats to your patient care, workflow, revenue, hospital reputation and ongoing viability
- Be Prepared – have a Crisis Management/ERP solution in place to protect your patients and your hospital’s reputation!
