Security

The Minimum Viable Hospital: Protect Patient Care and Build Cyber Resilience

Prioritizing the most critical functions for recovery can prevent healthcare organizations from paying a ransom following a cybersecurity breach.

Josh Howell

As Rubrik’s healthcare CTO, Josh Howell partners with leading healthcare organizations to develop and implement cyber resilience strategies and business continuity plans. He translates key lessons learned from major attacks into proactive preparation measures, helping organizations mitigate the accelerating challenge of cybercrime.

Healthcare’s mission — prioritizing patients’ well-being — is struggling under the pace of cyberattacks. The numbers clearly demonstrate this threat. This year, there have been roughly 130 health systems attacked in a 90-day period. Cyber incidents correlate with an increase in mortality rates, a 30% rise in medical errors during events and an average of 17 days of operational disruption. We’re also seeing backup systems become prime targets, with 74% of attacks compromising them, underscoring how claims of “immutability” ought to be questioned.

Restoration becomes far more challenging and costly when recovery systems are compromised. Even more concerning, over 50% of healthcare organizations have paid ransoms to stop the release of stolen patient and staff data in recent years. However, paying ransoms only encourages more attacks and undermines the entire health system. The best deterrent against future attacks is proving a healthcare organization won’t pay a ransom.

To address these challenges and build true resilience where it counts the most, it can be helpful to think in terms of the “minimum viable hospital.” The MVH thought exercise acknowledges the complexity of recovering from a cyberattack and helps healthcare organizations set expectations for preserving critical functions in the wake of an attack. Lessons learned at other systems include a period of running at a reduced capability while forensic investigations are completed. It’s critically important to understand the relative priority of essential applications and systems needed for the continuity of clinical care.

Click the banner below to read the recent CDW Cybersecurity Research Report.

Why Hospitals Must Focus on Cyber Resilience

The utility of thinking along the lines of a minimum viable hospital becomes clear when considering today’s healthcare environment:

Reliance on technology is absolute. Despite the continued focus on training practitioners using paper-based forms, manual workflows cannot sustain modern healthcare operations. The MVH mindset recognizes that hospitals must prioritize rapid recovery of a subset of applications rather than place faith in paper-based contingencies.
Coordination determines recovery speed. Recovery from cyberattacks requires cross-functional collaboration. Clarity on priorities ensures cross-functional teams work from a unified recovery blueprint, reducing friction and accelerating restoration.
Question Immutability Claims. Because attackers almost always target backup systems (and succeed all too frequently), it’s important to validate whether a healthcare organization has secure, verifiable restoration processes. Today, many healthcare organizations do not.
Prioritization is the difference between disruption and destruction. The MVH model’s structured triage ensures that the most critical applications (those safeguarding patient care and core operations) are restored first — preferably, within a specified period — while operating with constrained resources.

How to Build a Minimum Viable Hospital

Through the process of defining and prioritizing the barest subset of applications necessary to operate for a period of three to five weeks, healthcare leaders help the organization understand what to expect and focus preparation on making key decisions now that will minimize impacts during an attack. Core actions should include:

Identifying the specific applications, systems and connected devices that are indispensable to patient care. Map their dependencies to establish a logical, tiered recovery sequence that prioritizes lifesaving operations.
Adopting zero-trust data security principles that assume a breach will happen and limit access to data and systems. Deploy truly immutable backups and ensure they’re available to restore in an isolated recovery environment (IRE), and that organizations have the tools to do it without spreading malware into their IRE.
Establishing low-tech, out-of-band crisis communication channels capable of functioning without network connectivity. These channels should connect clinical, security, IT and executive teams for rapid, coordinated decision-making.
Conducting regular tabletop drills and simulated cyberattacks that involve all operational stakeholders, including external partners such as insurers and vendors. Use these sessions to validate assumptions, identify gaps, white-list key vendors and refine processes.

DISCOVER: Why is a good cyber resilience strategy essential to business success?

Breaking the Attack Cycle to Protect Patients

In healthcare, every second counts, and every system, data set and process that supports clinical decisions, treatment plans and operational flow can directly impact patient outcomes. Paying a ransom invites repeat attacks. By preparing a well-defined, minimal set of prioritized applications and an isolated recovery environment in which to run them, healthcare organizations can move beyond reactive measures and paying ransoms to building true resilience. Organizations that know they can bounce back won’t need to pay ransoms, and when they stop paying ransoms, the attacks will cease.

The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of Rubrik. This article is for informational purposes only and does not constitute business or legal advice. Organizations should consult with legal and compliance professionals to ensure their cybersecurity strategies meet all applicable federal, state and international requirements.

Sean Anthony Eddy/Getty Images