Potential Disruptions to Healthcare Organizations’ Continuity
The interconnected nature of healthcare operations, ranging from large, sprawling healthcare systems to individual doctors’ practices, means there are numerous risks and vulnerabilities that can affect normal operations.
These include natural disasters, power outages, physical security breaches, and human error. Each of these can affect a wide range of operations, including healthcare delivery, financial systems, clinical activities, research, and more.
Cyberattacks, however, are dramatically rising and impact healthcare organizations’ business continuity in substantial ways. According to research with healthcare industry IT and security leaders, 89% of their organizations suffered an average of 43 attacks over the past year — nearly one attack each week.
Those cyberattacks take many different forms — malware, identity and credentials theft, social engineering, advanced persistent threats, zero-day attacks, and ransomware. Cyberattacks in the form of data breaches, compromised data integrity, physical security threats, and interruptions of critical infrastructure operations threaten to disrupt business continuity.
The Growing Threat of Ransomware in Healthcare
Ransomware is a fast-growing and particularly challenging cybersecurity threat for all industries. Unit 42® found that ransomware was the most-often-confronted attack in the prior 12 months.
According to Unit 42’s incident response data, healthcare organizations face ransomware threats at an extremely high rate, and hackers demanded an average ransom of $1.4 million from healthcare organizations.
Ransomware is particularly devastating to healthcare operations because organizations understand that protected health information (PHI) and personally identifiable information (PII) cannot be compromised, making them extremely vulnerable to hackers’ demands. Hackers also often attack systems controlling healthcare delivery such as cardiology, radiology, oncology, and more. If those systems go down, the impact on health outcomes will be devastating.
Why Healthcare Is a Prime Target for Cyberattacks
Healthcare organizations face unique challenges because of the extremely high value of patient healthcare data, such as PII and PHI, to hackers. Hackers often target healthcare organizations because hospitals and other care facilities are highly motivated to sidestep anything that disrupts medical and business operations.
Another key issue is physical infrastructure. Health systems contain a large number of diverse endpoints — not just servers, desktops, and notebooks. A growing number of smart medical devices now are connected to hospitals’ networks, and many internet of medical things (IoMT) devices often lack the same level of protection as traditional computing endpoints.
Also, the growing trend toward telemedicine means patients typically are using their own consumer-grade devices, networks, and cloud services, all of which may lack the cyber resilience delivered by internal IT and security teams.
How Healthcare Business Continuity Directly Impacts Lives
The cost of ensuring data security in the healthcare industry is substantial in several ways: financial, operational, legal, regulatory, and brand reputation. But few would debate that the biggest risk in unplanned business interruptions is the direct impact on patient health and lives.
If heart monitors, infusion pumps, or dialysis machines fail because of a cyberattack, patients’ health can be severely compromised. The same is true for digital critical infrastructure that controls power, HVAC, and communications systems.
For example, if Emergency Department operations are compromised, patients might not receive full assessments, diagnostic equipment can malfunction, doctors can’t be scheduled, and patients might get rerouted.
Costs of Downtime in the Healthcare Sector
The negative impact of healthcare operations downtime is measured in several ways.
1. Financial
The costs of restoring service when attacks interrupt operations include repairing or replacing capital equipment, as well as bringing on outside experts to help with the restoration.
2. Legal
The theft of PHI or PII can lead to legal actions brought by patients, vendors, business partners, or other parties whose data is compromised.
3. Regulatory
Healthcare is a highly regulated industry around the world. Regulatory bodies have guidelines that carry steep penalties in the event of data loss, patient privacy compromise, or unavailability of critical care.
4. Brand reputation
If a medical facility or doctor’s practice suffers a service interruption due to a cyberattack, patients and others affected surely will share their negative experiences with others.
Research indicates that the average cost of a healthcare data breach now exceeds $10 million, a figure that has climbed steadily from year to year.
How to Ensure Business Continuity in Healthcare
Ensuring that healthcare delivery organizations take every reasonable step to protect their business and medical operations starts with an executive commitment to devoting the right financial, personnel, and technological resources to cybersecurity. Several key steps follow.
1. Identify Risks and Assess Impacts
It’s vital for healthcare organizations — regardless of their size or organizational complexity — to take the time to identify all risks that could trigger a cyberattack and result in a business interruption. Technologies, processes, and people all are potential points of failure, and the impact of a breakdown in any of those areas should be calculated to determine how decision-makers should allocate their time, personnel, and budget.
Bringing in an experienced, independent third party such as a cybersecurity technology partner or consultant to evaluate risks and assess the potential for business disruption can be practical. Often, a third party can objectively assess not only technical risks but also organizational preparedness to deal with those risks to business continuity.
2. Protect Your Data
Having strong network security for both on-premises infrastructure and cloud services is where it all starts. Solutions such as next-generation firewalls, malware protection, IoMT security, data loss prevention, and cloud security are essential parts of a comprehensive cybersecurity plan for healthcare organizations.
Security automation is another key aspect of data protection in healthcare since hospital resources are often stretched thin. With automation, IT and SOC teams can automate their incident response and eliminate a large number of manual alerts every day. This allows security staff to focus on much larger projects in the organization.
3. Add Backup Solutions
Because of the critical nature of PII and PHI, as well as the necessity to keep critical infrastructure up and running, backup systems should be planned, installed, and periodically tested. This includes data protection software, on-premises infrastructure for failover, and off-site backup facilities — either in a remote location or in the cloud.
Be sure to speak with your cloud service provider about how their own backup and failover systems work in case your cloud services are interrupted.
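The step above says backups must be periodically tested, not merely installed. The following is an added example (not code from the original page or from Palo Alto Networks) of the smallest check that makes such a test meaningful: a backup job writes a SHA-256 manifest next to the copy, and a restore drill restores the backup to a scratch location and compares every file against that manifest, reporting anything missing, corrupted, or unexpected. The directory layout, the `manifest.json` name, and the sample files are assumptions constructed for the example; the "damaged" run simulates a backup that was silently altered after it was written, which is exactly the failure a drill should surface before a real outage does.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def back_up(source: Path, backup_dir: Path) -> dict:
    """Copy source into backup_dir/data and record a manifest beside it.
    The manifest (assumed name: manifest.json) is what a later restore drill is checked against."""
    shutil.copytree(source, backup_dir / "data")
    manifest = build_manifest(source)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup_dir: Path, restore_dir: Path) -> dict:
    """Restore the backup into restore_dir and compare the result with the manifest.
    Returns a report naming missing, corrupted and unexpected files; 'ok' is True
    only when the restored tree matches the manifest exactly."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_dir, dirs_exist_ok=True)
    restored = build_manifest(restore_dir)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(
        name for name in manifest
        if name in restored and restored[name] != manifest[name]
    )
    return {
        "ok": not (missing or corrupted or unexpected),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


def run_drill() -> tuple:
    """Exercise the check on a constructed sample tree: one clean restore, then a
    restore from a backup copy that was damaged after it was written."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "records").mkdir(parents=True)
        # Constructed sample data for the example; not real patient records.
        (source / "records" / "patient_index.csv").write_text("id,ward\n1001,cardiology\n")
        (source / "config.yaml").write_text("retention_days: 30\n")

        clean_backup = base / "backup_clean"
        back_up(source, clean_backup)
        clean_report = verify_restore(clean_backup, base / "restore_clean")

        damaged_backup = base / "backup_damaged"
        back_up(source, damaged_backup)
        # Simulate media rot or tampering of the stored copy: one file truncated, one deleted.
        (damaged_backup / "data" / "records" / "patient_index.csv").write_text("id,ward\n")
        (damaged_backup / "data" / "config.yaml").unlink()
        damaged_report = verify_restore(damaged_backup, base / "restore_damaged")

    return clean_report, damaged_report


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), run_drill()):
        print(label, json.dumps(report))
```

In a real drill the manifest should be stored separately from the backup media it describes (otherwise whatever corrupts the copy can corrupt the manifest with it), and the `ok` result should feed a ticket or dashboard so a failed restore test is acted on rather than logged and forgotten.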
Benefits of Business Continuity Planning
A key requirement in today’s healthcare landscape is having automated systems in place so that backup systems, failover plans, and the steps needed to restore full operations in the event of an unplanned outage run without waiting on manual intervention. But simply making sure that backup generators fire up or that essential workloads move from one cloud platform to another one is only part of the solution.
It must start with having a detailed, flexible plan in place so the automated steps consider when, where, and how to make services immediately available without compromising patient safety or business operations. That plan must be worked out with all parts of the organization: IT, cybersecurity, administration, medical teams, legal, compliance, financial, and operations.
Having all stakeholders actively participate in and contribute to the business continuity plan makes for a more successful effort in the long run. It also is essential that the plan be tested at regular intervals to make sure everyone knows their role and that backup systems and services actually kick in as expected and needed. Ultimately, this thoughtful, inclusive approach will save money, avoid regulatory and legal problems, and — most importantly — ensure the highest possible patient care.
Learn about how Palo Alto Networks is the cybersecurity leader of choice for hospitals and health systems around the world. Visit www.paloaltonetworks.com/healthcare.
Healthcare Business Continuity FAQs