How Rural Healthcare Systems Can Strengthen Their Resilience

Hall and other CalvertHealth leaders knew there was room for improvement, but amid tight budgets and competing priorities, an upgrade seemed too expensive. Instead, CalvertHealth migrated its EHR recovery site to Amazon Web Services.

Recovery time is now between two and four hours, Hall says, and CalvertHealth has since conducted two failover tests without anyone noticing.

“To me, it was a no-brainer. I thought, ‘If we don’t do it now, we won’t get to do it again.’ As a stand-alone, rural-based organization, we couldn’t achieve this on our own,” she says. “It was a huge win for us, and the driving piece of it was ensuring that we can deliver patient care.”

Rural Hospitals Have Unique Cybersecurity Challenges

While many healthcare systems across the U.S. face financial hardships and staffing shortages, smaller, rural hospitals are especially hard-hit and have been declining for more than a decade. Over 135 rural hospitals closed between 2010 and 2021, according to the American Hospital Association, with more hospitals at risk in the coming years.

In a troubling economic landscape, an increase in cyberattacks and vulnerabilities makes security investments imperative. Cyber incidents hit an all-time high in 2021, according to one analysis of government data. Still, Fitch Ratings warns that cybersecurity spending is likely to be a low priority for health systems focused on cost containment.

With all these concerns, rural health systems such as CalvertHealth face a sobering question: Can they afford to protect themselves?

But as rural populations continue to lack access to quality healthcare, the facilities that are still operating must remain able to respond to medical emergencies and otherwise serve their communities, says Natalie Schibell, vice president and research director at Forrester.

“Organizations have to consider the impact of cyberattacks on top of everything else,” she says. “If the economy doesn’t take them out, a cyberattack will. One click can shut down an entire hospital.”

Click the banner to learn how a partner can help independent hospitals solve IT challenges.

Taking Healthcare Cybersecurity From Education to Action

Much farther north, Rich Ingersoll joined St. Lawrence Health, which includes the 94-bed Canton-Potsdam Hospital, in late 2019 as director of systems engineering and architecture after working at Cisco for nearly 20 years.

His goal from day one: Shore up cybersecurity. This meant making investments in modern tools and services, such as managed detection and response from Arctic Wolf; secure remote access with multifactor authentication; and governance, risk management and compliance software. It also included process improvements, such as creating incident response playbooks and conducting tabletop exercises.

LEARN MORE: Extend threat hunting to your health system's backups with Rubrik Security Cloud.

To make the case for these types of investments, Ingersoll and St. Lawrence Health CIO Lyndon Allen base their annual financial plans on systemwide security audits. These help the health system view security and disaster recovery as high priorities, Ingersoll says.

A Ryuk-variant ransomware attack in October 2020 put some of the health system’s hospitals to the test.

“We were able to implement continuity of care, and we never lost EHR access in our clinics,” Ingersoll says. “We were diverting ambulances for a little bit, but we weren’t down very long. If we had had to turn cancer patients away, that would have been devastating.”

Once hospital operations returned to normal, Ingersoll used the attack as a learning opportunity. “One of the biggest lessons was that not everybody needed email,” which had been the attack vector, he says.

The Long-Term Impact of Improving Disaster Recovery Postures

New technology, better training, improved processes and a willingness to learn all help rural hospitals improve their disaster recovery posture. And with guidance from federal agencies such as the National Institute of Standards and Technology, the tide is shifting toward a more coordinated, holistic approach to cybersecurity.

At CalvertHealth, Hall says it also helps to keep in mind disaster recovery’s impact on the wider community. The health system conducts annual decontamination drills in conjunction with the nearby Calvert Cliffs Nuclear Power Plant. These drills help both facilities prepare to maintain operations during emergency situations.

The most recent drill included a ­ransomware attack. Had CalvertHealth’s previous backup technology been in place, “the hospital pretty much would have been brought to a screeching halt,” Hall says. Now, with a recovery time of less than four hours thanks to a cloud-based backup solution, the drill never reached that level of severity.

“It definitely changes your perspective,” Hall adds. “If people understand the impact of what happens when the system goes down, and we can bring it up faster, even when we’re getting hit with a lot of trauma because of a big event happening in the community, then it’s a win.” 

EXPLORE: Tips for healthcare organizations to prevent and respond to data breaches.