Health systems delayed appointments and procedures due to the disruption. Hospitals need procedures for serving patients when the worst happens.
The worldwide computer outages that affected hospitals this month illustrated how vulnerable health systems are in a connected world.
While hospitals have dealt with cyberattacks, this disruption was triggered by a faulty software update from CrowdStrike, a cybersecurity company. Since CrowdStrike is used in Microsoft Windows, businesses worldwide faced major problems.
Some hospitals didn’t have access to electronic health records and postponed appointments and surgeries. Thousands of flights were canceled or delayed due to the outages.
The disruptions also underscored another important lesson: Hospitals must have robust response plans and procedures for operating when key computer systems aren’t available.
Cybersecurity experts say the CrowdStrike debacle should be a warning sign for hospitals to review their response plans, and revise them if necessary.
Steve Cagle, CEO of Clearwater, a cybersecurity firm, tells Chief Healthcare Executive® that hospitals have made strides in developing plans for network disruptions. But he says there are some mistakes hospitals are making.
“What we have seen, unfortunately, in the past is a lot of these response plans are created and then may or may not be tested,” Cagle says.
“So it's important to keep those incident response plans up to date, to contemplate different types of scenarios that may occur, to exercise those response plans, very important against those scenarios, and then to learn from that experience, and then make further updates,” he says.
In the wake of the CrowdStrike disruptions, John Riggi, national adviser for cybersecurity and risk for the American Hospital Association, urged health systems to use the opportunity to identify downtime procedures for live-saving and mission-critical technology. He also suggested hospitals should test their emergency plans and communications channels.
(Watch part of our conversation with Steve Cagle in this video. The story continues below.)
Business continuity plans
Some hospitals may have developed a response plan a few years ago, but haven’t made modifications to it, such as key leaders leaving the organization or the addition of new technologies.
Health systems need to design response plans that can be deployed at the worst possible time, such as an attack early in the morning or over a weekend. Plans should also include multiple contacts and backups, just in case some top leaders can’t immediately be reached.
“What if somebody is on vacation? What if somebody is not available? Who's next in line to make those decisions? I don't think people are thinking about that all the time. Because at two o'clock in the morning, it's not always easy to get people, so you have to have a chain of backups that are going to be available. And so yeah, I think that's a big challenge,” Cagle says.
Hospitals also need to have robust business continuity plans, he adds.
“The business continuity plan should be informed by a business impact analysis,” Cagle says. The analysis should include an assessment of how different technologies support key business processes, and the impact if those technologies aren’t available for some time.
Some hospitals also fall short in their response plans by planning for outages that last for a short time, rather than developing contingencies for being without key technologies for longer periods.
“That's an area that we've seen a lot of challenges, because when these types of assessments and incident response plans and business continuity plans are created, a lot of times organizations don't think about being down for long periods of time, extended periods of time,” Cagle says. “And it's one thing if you're down for a few hours, right? You might be able to live off or survive off of these backup procedures, maybe with minimal impact. But what happens if now you're down for days, weeks, maybe even over a month?”
The Ascension health system encountered such a scenario when it experienced a ransomware attack in the spring. Some hospitals were without access to their electronic health records for weeks, and some appointments and surgeries were delayed.
The Joint Commission has released guidance for hospitals and health systems in dealing with cyberattacks and developing response plans. The commission stresses that providers should develop continuity plans to deal with key systems being down for weeks.
“Organizations should be prepared to have life- and safety-critical technology offline for four weeks or longer,” the commission suggests.
Hospitals also need to develop contingency plans if they manage electronic health records from a central location, and if disruptions are occurring at multiple hospitals.
The Joint Commission also suggests hospitals should assemble multidisciplinary teams from across the organization to develop response and continuity plans. Those teams should include leadership, IT experts, hospital emergency managers, nursing, pharmacy, operating rooms, and food services, among others.
Think about vendors
Hospitals should also look at revising response plans if they work with a new vendor who adds a new technology to the system, Cagle says.
Health systems should be in regular contact with their vendors to gauge their vulnerabilities, and offer to work with them to address any issues.
And hospitals should also have a response plan if a key vendor that provides essential services is having problems. Hospitals and medical groups nationwide were disrupted by the Change Healthcare cyberattack, because the company handles so many business functions for providers, from billing to pharmacy services.
“It's not only your organization,” Cagle says, adding, “What if you have a vendor that's down for an extended period of time?”
Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, told Chief Healthcare Executive® in a February interview that response plans should be crafted with expectations that attacks or disruptions could occur when there is limited staffing.
“Attackers follow our holiday calendar,” Steinhauer says. “They know when we're asleep, they know when we're celebrating Christmas, and they plan their attacks around those times on purpose.”