Last week, we hosted a webinar to discuss the challenges healthcare operators face when responding to cyber security incidents. Our presenters, Michael McKinley, Vice President and General Manager at Delta Risk, Chris Holda, Senior Healthcare IT Consultant, Huntzinger Management Group, and Ed Kopetsky, Chief Information Officer at Stanford Children’s Health and Advisor with Next Wave Health Advisors, provided valuable insights to help healthcare professionals reduce risks and improve incident response practices.
Here are five important action items information security and biomedical professionals can take away from this webinar.
Treat Risk Analysis as a Business-Wide Analysis
Risk analysis should go beyond a compliance review of the HIPAA Security Rule. It needs to be treated as a business-wide analysis and foundational control that involves key stakeholders. Start by having an in-depth conversation around how protected health information (PHI) is used and safeguarded across the organization. You also need to jointly identify which threats could compromise the integrity, availability, and confidentiality of that data.
It’s important to have an honest and open discussion when you evaluate the effectiveness of your current security controls. Are there specific factors that led you and your team to believe that these controls are ineffective or insufficient? The goal of a risk analysis is to get to the root of the problem.
Next, you need to determine if residual risks are acceptable from a business perspective. If they aren’t acceptable, what steps do you need to take to remediate those risks? Ultimately, you need to think outside of the box and account for all the possible risks that could come from unexpected places.
Don’t Treat Risk Analysis Like an Audit
Risk analysis is a living, breathing process. It needs to be built to last beyond any one individual. Unlike an audit, a risk analysis is not meant to be a clean report. If you’re treating it like an audit, and you’re aiming for no risks to be identified, you’re really missing the point.
From a regulatory perspective and a security perspective, the objective of a risk analysis is to identify and document as many potential risks as possible. Hopefully those risks will be minimized, but the documentation is very important from a due diligence perspective and to be better prepared to manage risks on an ongoing basis.
Identify Essential Stakeholders for Effective Incident Response
Just as it’s important to bring all the key stakeholders together when you’re developing a risk analysis plan of action, it’s equally critical that you require full participation of your stakeholders for incident response (IR). Beyond IT leadership, that group should include the C-suite, clinical leaders, public relations, and marketing.
Collectively, you need to clearly understand what the impact is to your organization. The first place to start is usually patient safety. Here are the questions you should consider:
- Can patients be seen safely?
- What’s the impact of patient care?
- What needs to be communicated to the clinicians?
- Financially, can your business still function? Can bills get paid?
- Can orders get placed, and can your business function as it needs to?
Reputation wise, hopefully any impact is small enough that it doesn’t draw media attention, but if the media does get involved, you’ll want to make sure that your organization is managing the event from a public relations perspective. The public relations staff needs to have the necessary information regarding the organizational impact, when the systems will be back up to normal, and some basic details about the attack itself that’s easy for customers and end users to understand.
Ensure Continuity of Care
As you move quickly to ensure continuity of care is maintained, you need to identify all the integration points across health systems – labs, pharmacy, radiology, portals, and ambulatory systems – which are all interconnected in some way.
A lot of these integrated systems may not actually be classified as “tier one” but they can still impact the continuity of care for patients. You must consider workflow and workarounds when you’re in a down state or a reduced capability state. The technical recovery process of getting everything back online and fully functional may seem like a straightforward process – but be careful. It’s not a time to rush, even though there will be tremendous pressure to get everything up and running as swiftly as possible.
Understand Your Resources Before Remediation
Before you act, you absolutely need to ensure that you understand what technical resources you will need for the situation at hand. Depending on the nature of the incident, your technical recovery game plan will vary greatly, whether it’s a ransomwareattack, an insider threat related outage, or a malware service attack.
As you begin to work on containing the issue, make sure you know the limitations of your technical team. Jumping in to remediate the problem before you’re ready is a recipe for failure. Remember, early decisions can impact your ability to fully recover.
Summary
Incident response shouldn’t fall on any one department. It’s not just an IT issue anymore.
Bring in experts if needed. They can help guide you through the process and can often supply a deeper textual understanding of how to recover since they will have more real-world experience for these types of events. You should also involve your vendors, even you aren’t sure you’re going to need them. They can provide additional resources and additional assistance – get them engaged as soon as possible to save time and mitigate any further damage.
View the webinar, “Preparing for Cyber Risks to Healthcare Operations: Be Ready, Not Sorry,” in its entirety to learn more about the steps your organization needs to take to handle the next cyber-attack.
Delta Risk is also a sponsor and exhibitor for the upcoming Delaware Valley and New Jersey Chapters of HIMSS 10th Annual Fall Conference, “Celebrating 10 Years of HIT Collaboration, Leadership & Learning.” Learn more about the speakers and agenda.