As cyberattacks become more common, health care entities such as hospitals and insurance companies need to prepare for the inevitability that they will experience a breach or some other attack on their systems.
Doctors, hospitals and insurance carriers are entrusted with some of people’s most sensitive data, and hospitals are a frequent target of hackers and other cyber criminals. Given the varied sources of cyberattacks and data breaches, hospitals should prepare for them much as they would for other unexpected disasters, such as a natural disaster.
“You’ve either been breached or you’re going to get breached,” said Jason McNew, founder and CEO of Stronghold Cyber Security in Gettysburg, Pennsylvania. “Any organization that has data they need to protect needs to have an incident response plan.”
Such planning helped Maryland’s LifeBridge Health when it discovered a data breach that could have affected the personal information of more than 500,000 people. Since then, the health system’s forensics consultant has not found that any personally identifiable health information was ever taken out of the organization, but the preparation helped the health system respond when it discovered the breach, said Tressa Springmann, the system’s chief information officer.
“How would we leverage what we’re actually pretty well versed at when it comes to disaster preparedness,” she said. “Instead of having to reinvent the wheel, we already had some good-governance structures in place.”
To prepare for a cyberattack, LifeBridge adapted many of the same protocols it would use for a natural disaster, taking cues from the tabletop sessions it holds to prepare for those events. Through those sessions, LifeBridge staffers held a number of “robust conversations” about preparing for something they knew could happen. Preparing for the inevitability of some sort of cyber incident was necessary even if they hoped it would never happen.
“We have too big a commitment to our community to not have challenged ourselves to be thoughtfully prepared when and if something happens,” Springmann said. “I think that preparation served us well.”
If she took anything away from last spring’s data breach discovery, Springmann said, it is that she wishes there had been better communication about the plan internally.
“We were so focused, and appropriately so, on patient and community conversations, I think we could have done a better job with internal organizational communication,” she said. “And I think we did a good job … it’s just that hindsight is 20/20.”
In addition to planning, organizations also need the kind of redundancies in place that help when an attack happens. An especially important tool is backups, and backups for those backups. These are useful when an attack ties up critical systems, or in a ransomware attack where data is held until the organization makes a payment. If an organization already has that data backed up, it is a lot easier to refuse to pay. That only holds if the backups are kept isolated from the systems an attacker could reach and are regularly tested by actually restoring from them, since ransomware operators routinely target the backups themselves.
The Rochester Information Health Organization, like most regional health information exchanges, works with hospitals to back up patient data. The organization coordinates with health systems as part of their preparedness for natural disasters and, more frequently, cyberattacks.
“Because we have so much data that flows through the health information exchange, we are able to supply information that could be lost in an attack,” said Jill Eisenstein, the organization’s CEO. “They could log onto our system as a substitute.”
Eisenstein recommends that organizations of every size, from nursing homes to hospital systems and physician offices, include the information exchange when officials do their disaster planning.
And it is important not just for the largest systems or companies to think about their disaster planning. The smaller companies need to think about it, too; they just may not have the resources, said Al Redmer, Maryland’s insurance commissioner.
When he became commissioner in 2015, the Maryland Insurance Administration conducted a fact-finding mission to the state’s insurance companies to find out how they were dealing with cybersecurity as it became a greater issue.
“What we learned was, that if you are a company like CareFirst or Geico, you have resources to do whatever you need to do,” he said. “If you are a little teeny-tiny mutual company, you don’t have the resources that the big guys do.”
It was important, Redmer said, to make sure even the smaller companies understood the gravity of the threat they could face from cyberattacks. He has found that companies tend to act in their best interest, knowing that a breach could result in a significant public relations hit.
McNew, the cybersecurity CEO, said every company should do a risk assessment. “That’s what cybersecurity is more than anything,” he said. “It’s risk management.”