Security

Cyber Resilience in Healthcare: Mitigating Hospital Downtime

To maintain uptime after cyberattacks, healthcare organizations require robust incident response plans, backup strategies and training such as tabletop exercises, experts say.

Brian T. Horowitz

Twitter

Brian T. Horowitz is a writer covering enterprise IT, innovation and the intersection of technology and healthcare.

Cyberattacks in healthcare are on the rise, and the industry must not only develop strategies to fight off these incidents but also keep systems up and running at the same time. That involves a process called cyber resilience.

Healthcare organizations must plan for network outages, possible electronic health record downtime and outages of vital medical systems if a surprise ransomware attack, such as a vishing or a man-in-the-middle attack, occurs.

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center (Health-ISAC), says that organizations have shifted from simply preventing attacks to detecting and responding to them as part of a cyber resilience effort.

“It’s the monitoring, speed to action and response to mitigation,” Weiss says. “That is what matters today.”

Cyber resilience is how organizations maintain continuity during and after an attack. While cybersecurity allows organizations to defend against an incident, cyber resilience involves identifying and recovering from an attack.

Tim Morris, chief security adviser for the Americas at Tanium, compares cyber resilience plans to changing a passenger’s seat in flight or while refueling. That means patching applications while other applications are running simultaneously.

“You have to be able to run everything, patch it and not suffer the downtime from a consumer point of view,” Morris says.

Click the banner below to learn how to get the most out of your zero-trust initiative.

x-zerotrust-guidance-animated-2024-seewhat

Cyber Resilience Before a Cyberattack

To boost healthcare cybersecurity before an attack, organizations should participate in training such as tabletop exercises, in which they discuss what they would do in an emergency.

“In a tabletop exercise, we want to bring the executive team together in one room and put them around a big table and role-play out an event from end to end,” says Andrew Stone, CTO for the Americas at Pure Storage.

Weiss says that a tabletop exercise consists of a conversational narrative in which participants discuss how they would communicate during a cyberattack, such as writing an email and sending it out to staff.

He recommends that organizations conduct penetration testing to find gaps in security. For example, organizations should test EHRs to avoid platform downtime, Weiss advises. Previously, organizations were focused on compliance with HIPAA privacy laws and not as concerned about healthcare cybersecurity, Weiss says.

Healthcare organizations must also have an incident response plan that incorporates law enforcement and first responders. Prepare these teams for how to maintain continuity if a hospital needs to take in 1,000 patients during an emergency. An incident response plan before an attack involves a robust backup, which can be done in a few hours rather than weeks, Morris says.

“You can get past ransomware if you’re well prepared, because all you’re doing is you’re restoring data,” Morris explains.

Weiss recommends steps such as keeping passwords up to date, setting up multifactor authentication and backing up critical systems. Also test that backups are working, complete and reliable, he adds.

Cyber Resilience During a Cyberattack

When a cyberattack occurs, get law enforcement involved and contact the FBI, Weiss advises.

“They’re going to be looking for evidence of the attack and understanding what the impacts have been and what data may have been stolen as part of that incident as well,” Weiss says.

Work with legal and internal counsel and corporate communications on a strategy to deal with the public when word gets out, he advises.

But try to contact the FBI before the “house is on fire,” Morris says. He notes that his organization has monthly meetings and goes out to educate people on what to do during an attack.

“If you get a ransomware attack, the FBI might already have the decrypter because they’ve seen it already, and they want to know the bitcoin address because it helps them track for international law enforcement,” Morris says.

At Health-ISAC, Weiss observes the information sharing that occurs during a cyberattack. Sharing what is happening is critical for other healthcare organizations to learn from them to prevent the next one, Weiss suggests.

“We certainly see plenty of organizations that are that are willing to share even during an incident,” he says. “I’ve worked with the FBI in the past, and the agency is very receptive to sharing things like that with a trusted, close community.”

You can get past ransomware if you’re well prepared, because all you’re doing is you’re restoring data.”

Tim Morris Chief Security Adviser for the Americas, Tanium

If systems are scrambled and backups are not working, organizations will need to think about whether to pay a ransom. Cyber insurance providers can help with this decision, Weiss says.

“Unfortunately, I think it comes down to a business decision at that point, if you’re left with no choice, and it comes down to the fact that we need to get these systems back up and running because we’ve got patient lives at stake,” he says. “Ultimately, there may be a reason to pay a ransom and get things back up and running.”

If organizations can restore complete backups on their own, then paying a ransom is unnecessary, Weiss says.

When backups are not being done or they are incomplete, healthcare organizations face a business decision about whether to pay the ransom to restore systems. Organizations should consider the business cost, such as how long a backup will take and when the last backup was captured, he says.

The key goal during a cyberattack is to “stop the bleeding,” Morris says. However, unplugging essential services is often an overreaction during this time, he adds.

“If you’re a mature IT ops and cybersecurity organization, it rarely goes to that level where you’re unplugging everything,” Morris says. “You don’t cut off an entire arm just because the fingernail got smashed.”

Stone also warns against unplugging systems so that you will have resources to investigate after an attack.

“What we should never recommend is turning the power off to a system, because once you do that, you lose almost all if not all of the forensic capability,” he explains. “So, let a system run, isolate them to the extent you can. Use virtual networking rules, physically pull cables, but try not to turn them off.”

When people panic and turn off all systems during an attack, “that’s not resiliency,” Morris says, “because you’re not operating at all at that point.”

Cyber Resilience After a Cyberattack

Stone warns that backup is too slow to use to recover after an attack. He recommends a strategy of “tiered resiliency.” The first two tiers consist of snapshots, which are fast to recover. The second snapshot tier is used for forensic review, and the third tier involves backup, according to Stone. “That backup tier is for long-term data retention and data compliance and possibly the recovery of an application that you can be without for a very long period of time.”

“I’d recommend three to seven days of our Safe Mode snapshots on the primary arrays,” he says. “From there, you put a middle tier of lower cost storage in place. You copy those snapshots off the primary tier, and you keep them as long as you can afford, preferably six to 12 months, because you will use those for forensic purposes down the road.”

He says that organizations should take a look at patch management, vulnerability scanning and identity management. Many breaches occur due to stolen credentials and unpatched vulnerabilities, Morris notes.

As far as identity management, Stone recommends that organizations vault credentials. “You have to go and check out admin credentials, use them for a period of time, and then they get checked back in and those credentials get rotated,” Stone says.

The time following an attack is useful to figure out what happened. However, avoid finger pointing during this time, Morris advises.

“After a cyberattack is when you’re going to learn the most about your tools, people and processes,” Morris says. “You want to take advantage of that time, because there's no time like that as far as opportunities.”

Pekic/Getty Images