Trustee talking points
- As computing technology has moved into nearly every part of the hospital and its operations, opportunities for cyberattack have multiplied.
- Hospitals and health systems are increasingly vulnerable not just to isolated cyber incidents but to far-reaching cyber crises.
- Executives and trustees need to ramp up to a war footing, take swift action and bring in outside resources during a crisis.
- Trustees need to prepare for cyber crises by asking leadership the right questions and making sure their organization has the pieces in place to be ready for an attack.
It’s Sunday morning, and the phone rings. “Looks like it’s the hospital,” you think to yourself. “Why would they be calling me on a weekend?” As you answer, you can sense the fear on the other end. “All our computers are down,” the voice begins. “The executives have been here since dawn, and they’ve called an emergency meeting of the board of trustees in an hour. Can you make it?”
Welcome to cyber crisis.
The rise of cyber
Computing technology has been infiltrating our hospitals over the past three decades. It started with mainframes controlling financial systems, then personal computers drafting paperwork and, more recently, client-server systems connected to the Internet.
With the ascent of "meaningful use," we have adopted sophisticated electronic health record systems that computerize all of our patient data and enable computerization of the entire health care delivery process.
Tied into this network are sophisticated computerized diagnostic systems and, now, medical devices. The modern, connected hospital has computers that track patients, diagnoses, tests, drugs and, of course, billing, from end to end.
At the same time that this revolution in computer capabilities has occurred, the security of these computerized systems has changed relatively little. Over the past 20 years, while computing technology has become thousands of times more powerful, our methods for securing it have not necessarily kept pace. Today, we are seeing new cyberthreats driven by organized crime, hacktivists working for social or political causes, and nation-state attackers. For the digital hospital and its caregivers, these threats are dangerous indeed.
From incident to crisis
A cyber crisis does not announce itself. A cyber crisis begins with a cyber incident, but then that incident spins out of control with disastrous consequences. Let’s start with some definitions.
A cyber incident is a situation where computers, accounts or networks become compromised and fall under the control of someone other than their authorized user. The simplest example of an incident is when a computer is infected with malicious software that puts it under the control of an outsider. That malicious software may steal account usernames and passwords, credit card numbers and other data off the computer while also trying to copy itself onto other computers in the same organization.
Unfortunately, computers become infected all the time; a good rule of thumb is that an organization should assume that approximately 1 percent of its computers are infected at any given time. The key is to be able to identify and protect these systems in a timely fashion. When compromised computers or accounts are detected, the organization must have procedures to repair the computers, accounts and networks involved so they are secure again, and to perform appropriate Health Insurance Portability and Accountability Act notifications.
A crisis can be defined in many ways. For the purposes of this article, a cyber crisis occurs when a cyber incident cannot be contained and remedied without affecting the organization’s business operations. In other words, a cyber crisis does not occur when one out of 20 computers in a department is taken offline. A cyber crisis occurs when all of the computers in the department are down and the department can no longer perform its duties using normal procedures.
The hospital’s ability to deliver excellent care, bill customers, coordinate with partners or otherwise conduct business is impaired during a cyber crisis. The organization must turn to disaster recovery procedures or contingency staff to maintain operations.
There are three main types of cyber crisis. In cybersecurity training, we talk about the “CIA” of cybersecurity: confidentiality, integrity and availability. In general, one or more of these three words can be used to describe all cyber incidents, including crises:
- A confidentiality crisis involves the breach of a large amount of confidential data. For a hospital, this may involve HIPAA-protected patient records, personally identifiable information related to patients or hospital employees, or financial records such as bank accounts and credit card numbers protected by the payment card industry.
- An integrity crisis involves the unauthorized altering of large amounts of data. This may include unauthorized changes to patient records and prescriptions, manipulation of diagnostic test results, and improper data feeds to automated treatment devices such as insulin pumps. It also can involve altering financial data, including changing billing records or even manipulating the hospital’s own bank accounts to steal funds.
- An availability crisis involves making large portions of the hospital’s information technology systems unavailable to provide service. It could be the loss of a principal system such as the EHR database or the hospital’s billing system. It could be the loss of patient treatment systems including medical devices or diagnostic systems such as magnetic resonance imaging scanners. Finally, it could be the loss of administrative systems such as email or the disabling of large numbers of the hospital's personal computers.
There are many possible causes of these crises, although the cause is usually of less immediate concern than the operational impact and restoring service. Frequently, a crisis can start with an employee opening a phishing email, visiting a malicious website or installing unauthorized software. It may also start with a misconfiguration or a vulnerability in an internet-facing system like an email or web server.
Whatever the cause, the situation becomes a crisis when the initial failure expands to affect computers, accounts and networks needed for the hospital to conduct its business. For example, a ransomware crisis may involve malware that holds hundreds or thousands of hospital computers hostage, disables key applications or otherwise makes it extremely difficult to function normally.
Rallying the troops
When the crisis is identified, it is important for business leadership to be alerted to the situation and be briefed as soon as possible. This initial briefing should include the following information:
- What is known so far.
- What is not known so far.
- What is understood about the cyber attack or situation.
- What will be required to stabilize the situation, as far as is known so far.
- What will be required to resolve the situation, based on staff's current understanding.
- What help could be called in immediately to assist with the response.
Hospital leadership should never assume the organization can handle the crisis itself. Once the situation becomes a crisis, it is pretty much guaranteed that additional resources will be needed. In today’s “just in time,” “Lean operations” and Six Sigma world, organizations simply do not have the surge capacity to keep the lights on and deal with a crisis situation simultaneously. This is where trustees come in. Funds will need to be identified, budgets set and authorizations granted so the recovery process can proceed as quickly and efficiently as possible.
In overseeing the crisis and recovery process, trustees should make sure that hospital leaders are asking for the appropriate resources to handle the situation. In a crisis, money may be the only resource that is relatively easily obtained, and governance procedures should be in place to set crisis budgets and release funds swiftly so the process can proceed. IT leadership can obtain room to maneuver if it has funding for these resources:
- Experience at handling the particular crisis situation and its recovery.
- Services to provide IT functions while systems are offline.
- Expertise to provide needed skills and free up hospital staff.
- Capability to solve specific problems during the crisis and recovery.
- Capacity to provide additional resources to support the recovery process.
- Contingency in case there are problems with the recovery process.
These resources are going to be critical as the organization comes to grips with the crisis, the recovery and their aftermath. It is good to remember that when funding is initially requested, the true scope of the situation may not yet be fully understood. Leadership should stay engaged so that as the situation develops, budgets for recovery can be adjusted and targeted to the task at hand. Trustees should request frequent updates — particularly until the crisis is contained — so they can remain abreast of the scope of the damage, its effect on operations and the cost of recovery.
When a cyber attack happens, staff, hospital leaders and trustees will need a plan of action to deal with a potentially chaotic situation. In general, the recovery process will take place according to the following sequence, starting with the initial report:
- Identification of the crisis and activation of crisis processes.
- Allocation of resources to support crisis operations.
- Investigation and containment of the cyber intrusion or malfunction.
- Preparation to rebuild and restore IT capabilities.
- Closure of critical cybersecurity gaps if a cyber incursion occurred.
- Establishment of interim IT capabilities.
- Achievement of full operating capabilities for IT.
- Implementation of long-term cybersecurity improvements.
- Resolution of regulatory and legal consequences.
During the recovery process, tensions will be high, and the organization will be operating at a very high level of stress and output. The recovery process will likely be constrained by resources, which is to say that everything will be wanted “yesterday” and the goal will be to restore functions “as quickly as humanly possible.” During this time, it will be critical for leadership to take charge of the pacing of the effort, identify critical resources and bottlenecks, and watch for employee burnout.
By asking questions in advance — of executives, experts and themselves — and being prepared to devote resources, energy and budget to cyber crisis preparation, trustees can do a lot when faced with the worst.
While a cyber crisis is hardly the only emergency that can occur at a hospital, it is one of the few that involves an active adversary who may try to thwart recovery. Encourage your team to be ready. It’s going to happen.
Chris Williams (firstname.lastname@example.org) is chief cybersecurity architect at Leidos Health in San Diego.
Whether they like it or not, hospital and health system trustees will be intimately involved in the aftermath of a cyber crisis. To prepare for this eventuality, trustees should direct a number of questions to leadership ahead of time:
- What is our plan in the event of a cyber crisis in which we lose all of our computer systems?
- If we lose all of our computers, what is our plan to restore IT capabilities?
- What if we lose critical IT personnel in addition to critical IT capabilities?
- What is our plan to contain and mitigate an active cyber crisis originating from the internet?
- What contingency resources do we need to have on hand in case of a devastating cyberattack?
- What is our plan for switching over to contingency IT operations?
- How do we test these contingency plans? When did we last test them? What were the results?
- How do our cyber defenses make a cyber crisis less likely or reduce its impact?
- How should we invest to reduce the probability and impact of a cyber crisis?