How to Prevent and Respond to a Cyberattack: From a Health System That Lived It

— The surge in health system breaches should prompt action

MedicalToday
Van Gorder is a health system executive.

On the evening of May 1, 2021, Scripps Health -- with its five acute care hospitals, 1,300 inpatient beds, and more than 20 outpatient facilities -- was hit with a ransomware attack. It took approximately 3 weeks to clear the systems, months to convert manual records to electronic records, and years to deal with the regulatory and legal issues that followed.

It is important to remember that hospitals hit with ransomware attacks are victims of international crime. Healthcare is part of the U.S. critical infrastructure, so an attack on healthcare and hospitals should be an especially significant matter of national concern. Protecting hospitals against attacks directly relates to saving lives and ensuring community health. I believe additional government support is needed to address the threat, and that we should consider healthcare security standards that, if complied with, could lead to regulatory and legal/liability relief.

In today's digital age, where technology plays a crucial role in healthcare, an effective cyberattack can impact patient care, compromise sensitive data, and disrupt critical operations. Given the recent surge in cyberattacks on hospitals and healthcare infrastructure -- such as the attack on Change Healthcare -- and in the spirit of helping other healthcare systems improve their defenses, Scripps offers the following lessons learned from our breach.

  1. Strong Foundation in Cybersecurity. A framework-oriented approach to cybersecurity, baked into all aspects of daily operations, addresses the overwhelming majority of cybersecurity threats. Frameworks such as the Center for Internet Security Critical Security Controls, the NIST Cybersecurity Framework, and CISA Cybersecurity Performance Goals cover the basics like patch management, access control, endpoint detection and response, encryption, and continuous monitoring. What was once thought of as advanced protection is now the minimum and must be implemented with consistency and diligence.
  2. Employee Training and Awareness. Employees are the first line of defense against cyberattacks, so employee awareness and training around these potential threats is crucial. Hospitals should prioritize training programs that educate staff on the identification and reporting of phishing attempts and other potential cyber risks.
  3. Effective Incident Response Plan. Having an incident response plan in place is also crucial to minimizing the impact of a cyberattack. This plan should involve predefined steps for immediate action, clear communication channels, and roles and responsibilities assigned to key personnel. Regular drills and simulations will test the effectiveness of the plan and highlight areas for improvement. If your organization carries cyber insurance coverage, we recommend including your carrier in these exercises, as they are an invaluable source of information for key partners you may work with during an attack.
  4. Collaborative Approach and Information Sharing. Cybersecurity threats in the healthcare industry are ever-evolving. Hospitals need to adopt a collaborative approach to information sharing with peers and develop awareness around vulnerability disclosures. Engaging with industry peers, government agencies, insurers, and cybersecurity experts fosters a culture of knowledge sharing and helps to collectively stay ahead of the ever-changing threat landscape. Also, consider the creation of alternate communication channels for staff and the public to ensure your ability to proactively communicate during system downtime when computers or networks are offline.
  5. Clinical Operational Readiness. It's never been more important to continuously update your business continuity and downtime policies and procedures, and conduct periodic downtime drills. Include training on completing paper clinical documentation and functioning without technology, including alternate communication methods and written prescriptions -- which are especially important for those physicians and clinical staff who have only worked with electronic health records. It's also advisable to identify and review cloud-based technologies that may complement your procedures through automation. Additionally, consider further standardizing downtime forms and procedures for ongoing maintenance; create storage areas for hard-copy downtime forms, and store digital forms on separate media drives (since you may not have existing computers available); assign runners to assist with delivering imaging and lab orders and results back to clinical teams; maintain a printed staff directory for use during technology disruptions; and remember to incorporate important information in downtime documentation to support charge capture, billing, and coding when systems are back online.
  6. Priority-Driven Response. Promoting situational awareness and operational alignment throughout a cyber incident is vital to clinical and business continuity, because expectations for safe, high-quality care during a cyberattack are unchanged. A well-run command center is a hub for direction and decision-making, and becomes a nerve center for critical updates, operations coordination, monitoring, and reporting on restoration activities, as well as for crisis communications and for managing a joint response to ongoing challenges. Additionally, a landline-based phone bridge line can help to provide consistent and timely communications and facilitate collaboration among technological, operational, and other response teams.
  7. Collaborate with Federal Law Enforcement. The threat posed by ransomware and other forms of cybercrimes represents one of the greatest threats to healthcare organizations and to all companies. Actively collaborating with federal law enforcement provides these agencies with critical information to take meaningful action against significant adversaries. Before, during, and after a cyber event, a strong public-private partnership is important to prepare for and address these serious crimes and hold these criminal enterprises responsible.

Solving these challenges will require collaboration internally and externally as you work to address both technical and operational concerns. Success will be dependent on the effort you put forward to prevent, prepare, and respond.

Chris Van Gorder, EMT, MPA, is president and CEO of Scripps Health, based in San Diego, and a fellow of the American College of Healthcare Executives.