Healthcare Cybersecurity Grand Rounds: Six Steps to Deliver a Proactive Security Plan

On 04 October 2022 CommonSpirit Health announced a cyberattack affecting its system of healthcare facilities. CommonSpirit Health operates more than 1,000 care sites and 140 hospitals in 21 states, including CHI (Catholic Health Initiatives) Health and MercyOne facilities in Iowa.

CommonSpirit reported on their website that the attack affected their electronic medical record (EMR) and CHI Health and MercyOne have notified their patients that patient portals, electronic prescriptions, and scheduling have been affected, with some procedures delayed.

This latest attack on the US healthcare system, targeting one of the largest hospital chains in the country, is nothing short of cyber terrorism and further confirms that any entity—even those with dedicated healthcare cybersecurity teams—can be affected. 

So, what can we learn from this? Below, we’ve outlined the six steps to creating a proactive plan for your healthcare cybersecurity.

1: Prioritize Network Segmentation

The biggest takeaway here is the need for organizations to prioritize network segmentation to isolate systems that support patient care and reduce breach impact. Network segmentation is vital to ensuring life-critical care remains uninterrupted during both attack and remediation.

2: Implement Zero-Trust Policies

Are your business-critical and life-critical systems separated to ensure continuity of care? Implementing a zero-trust policy within an organization can help mitigate the blast radius of a ransomware attack.

3: Expand Your Defense Arsenal

Prioritizing defense in depth by use of MFA (Multi Factor Authentication), RDP (Remote Desktop Protocols), a bastion for access outside the facility beyond firewalls, and implementing IAM (Identity Access Management) policies may seem rudimentary, yet they can contain the impact of a ransomware attack. These measures are widely accepted within the cybersecurity community but can find adoption challenges in healthcare. 

As a provider, I hated nothing more than the extra clicks it would take to verify my identity and how quickly things would time out. Having complicated passwords added a level of complexity that I did not appreciate in my clinical day, and I had staff who would routinely write them down on a sticky note by their monitor to ensure I was not interrupted when with a patient. I can promise you: I was not in the minority. Now, as a healthcare cybersecurity practitioner, I fully understand the level of risk that those actions imposed on the viability of my practice; however, early in my career nobody took the time to explain the danger of not following those actions nor how they could potentially snowball into inability to provide patient care and possibly loss of life.

4: Practice Your Incident Response Plan

Secondly, make sure to practice the existing incident response plan at least twice a year (if not quarterly) and ensure key stakeholders understand their role, from unit charge nurses to the CEO. Consider this: If something happens, how are you going to run prescription orders to pharmacy? Who ensures that food service is providing the correct diet for the patient in 1103-West? Does every single nurses’ station have a binder with current paper chart forms, imaging order forms, and billing forms? Is there a procedure to have the next day or two days’ patients printed by clinic in case of an IT (Information Technology) failure? Everyone needs to understand how to remain operational should an attack occur. 

5: Invest in an Incident Response Retainer

Additionally, invest in an incident response retainer to ensure that, should a ransomware attack occur, you have knowledgeable professionals working immediately to reduce overall impact to your facility. This can be the differentiator between being down a few days or months. You will lose critical time needed to isolate the actors for containment and remediation as you fill out paperwork to get your cyber insurance to respond. They will then assign you to a group that will engage according to their negotiated contract with the insurance company. Like a trauma patient, every second counts when trying to ensure a positive outcome. This is no different. 

6: Ensure Coverage By Performing Annual Reviews

Two final actions I recommend every facility invests in are the completion of a comprehensive annual risk assessment that considers the reality of the current environment and ensuring 24x7x365 coverage of network security operations. Continuous security coverage can be obtained either via staffing or outsourcing MSS/MDR services to a trusted provider that can detect any anomalies quickly. By the time you get the readme.txt file demanding a ransom, it is too late. Catching the malicious activity in the beginning, as they move throughout your system is critical. 

Let [redacted] Help Defend You From Healthcare Cyber Attacks

There are many nuanced parts of delivering healthcare, from food service orders, mag doors in securing OR theaters and ICU, and physician ordering to pharmacy to front office billing and scheduling. During a ransomware attack, it is critical to ensure that each component within each ward, clinic, and component of the facility and provider network are clean and free of threat actor activity. This unfortunately takes time. Let [redacted] help defend you from healthcare cyber attacks. Schedule a call today.