How to Prevent (and Handle) a Healthcare Cybersecurity Incident

by Patrick Yee on Jul 26, 2019

Cybersecurity is at the very top of the list of non-healthcare topics that healthcare workers, even those in clinical and patient-facing roles, must contend with.

Protecting patient data needs to be the utmost priority for not just IT professionals but everyone in healthcare. Cybersecurity threats are a matter of course in the modern era, forcing health systems to constantly upgrade their software to address potential disruptions as they evolve.

If you talk to a cybersecurity expert, they’ll tell you that an incursion on your facility isn’t a matter of if, but when. Ready to be terrified about the current state of cybersecurity? Read this article from The Verge about the rise of ransomware and malware within the healthcare setting and the woeful unpreparedness of the industry as a whole.

Incursion attempts may be made, and some of them may even succeed. But what I’ve found in my years of working within healthcare IT is that how you handle a security incident says just as much about your company as how you prepare for one. Should the worst ever happen to your facility, there are some things I want you to keep in mind to protect your organization, your patients and your reputation.

Understand the Two Distinct Types of Threats

First, I want you to understand the two types of threats you’re likely to encounter in the modern healthcare space:

  1. Inadvertent
  2. Willful

An inadvertent threat is far less sinister than a willful threat but poses no less of a HIPAA violation risk. These are those instances of carelessness within an organization that compromise patients’ Protected Health Information (PHI). I’m talking about a staff member discussing patients with persons not responsible for their care, forgetting to log out of a workstation or viewing a patient chart without having a medical need to review that information.

You should establish protocols to address these kinds of issues head-on and administer ongoing training with your team members so such incidents can be avoided.

Then there’s a willful violation, something that everyone needs to be vigilant about but that’s far more insidious in nature. These are those instances of hackers trying to penetrate your firewalls and gain access to patient data or even gain control of some of your systems.

An entire industry has sprung up to prevent these types of willful security threats, and healthcare organizations everywhere need to work diligently to prevent and contain any damage from those who would threaten your critical infrastructure.

This needs to be a priority for healthcare systems, starting with a check of all your software products and solutions to determine whether or not the applications deployed at your organization provide the utmost security.

Also recognize that, despite all your preparations, an incident may still happen. Cybersecurity is somewhat of a thankless job in that, while everything is going well, not many people will take notice. It’s only when things go wrong that everyone turns their attention (and judgement) to cybersecurity. In these instances, you’ll be judged not just by whether you have avoided a security incident, but how you respond when one happens.

And that’s where the following protocols will come in handy.

Create a Plan

Handling a security incident is tough. Your best bet is to take as much of the art out of the process and turn it into more of a science by creating an incident response plan ahead of time. Your plan should include who should be contacted, how they should be contacted and which critical pieces of information are needed to aid in all phases of your response.

Who should be contacted should include any stakeholders that would assemble into an incident response team to both investigate and remedy the threat.

How they should be contacted should include cell phone numbers, email addresses, pager numbers, or any other ways of reaching members of the incident response team as necessary so they may handle the threat as seriously as they need to.

Which information is needed to aid your investigation may include things like port numbers, URLs, system or network diagrams or other documentation that will aid in the containment of the threat.

React Immediately

Once a potential threat has been detected, have your incident response team go into action immediately. Even if it’s only a suspected cybersecurity incursion, you’re better off being safe than sorry. Your action team should always be ready to respond to potential incidents, and they must investigate at once.

In doing so, you can isolate and contain the damage of the cybersecurity threat quickly. Imagine someone at your organization opens an email carrying a nasty piece of malware that infects their computer. If your IT team neutralizes the threat early, they are in prime position to alert the rest of the organization to the incoming spam and effectively contain any lasting damage. If, however, too much time is spent debating the proper course of action and whether or not alerting staff is the right move, it could be too late, and the malware can spread quickly.

It’s imperative to instill a sense of vigilance within every member of your healthcare team, asking them to report anything they even suspect could pose a problem so you can react right away when needed.

Communicate Openly and Honestly

Communication of the threat begins internally. If an incursion has affected one device, application or system, it’s possible this could be the beginning of a coordinated attack at an organizational level.

It’s therefore important to be honest yet not alarmist about what’s happening. Your incident response plan should include communicating the incursion to the entirety of the organization and a means of getting information out quickly and efficiently. Management and executives should be the first to be briefed about the incident, and the information must quickly filter down to any and all end-users who could encounter the danger.

Once internal audiences are briefed, consideration must be given to making the incident known to the general public. This is where hospitals can get in trouble if they’re not careful. If a cybersecurity incident is contained without PHI exposed or critical systems compromised, there’s no need to issue in-depth analysis beyond regulatory filings, especially to your local community. In fact, you’re likely to engender unnecessary fear by doing so.

If, however, there’s even a slim possibility that PHI was compromised, be it held for ransom or distributed to parties unknown, then you’re entering dangerous legal territory if you’re not fully compliant with the government’s transparency regulations or if you’re not open with the public about what happened.

This is a matter of reputation as well as long-term business viability. You must be open and honest with the public about a security incident when it happens, and you can’t shy away from hard truths. If mistakes were made, you need to be willing to speak to a plan you’re putting in place to ensure it never happens again, and you have to own up to what happened in the first place.

Learn from an Incident to Help Plan for the Future

Once the threat is contained, your next step is to do a deep dive with all affected parties and figure out what you need to neutralize this and any other threats in the future.

Convene a retrospective session with your key stakeholders and carefully analyze what happened. Take into account every choice that brought you to the current predicament. If a user error compromised your security, figure out the training you need to put in place to eliminate that risk in the future. If it was a firewall issue, work with your IT teams to determine how to increase security for the future.

Your next step will be determining whether or not it’s time to move on to a brand new software or application vendor, one that doesn’t suffer from the same security flaws as the system that led you to this juncture. As you work with third parties, don’t be afraid to ask questions about their cybersecurity infrastructure. Bring your IT teams in to conduct an evaluation and be willing to check up on their credentials and their work with other clients to verify they’re the right fit for you. Better yet, ask them how they’d respond if your facility or their own company ever experienced a cybersecurity threat.

Your final move is to update your incident response plan with everything you learned from the event, including what information was needed sooner, what you can do to avoid this issue in the future and what additional tools and resources you need to ensure the same type of incident does not happen again. You should also create a follow-up report and schedule a review for a future date to ensure any lessons learned during an incident have been acted on.

Security is too important to take chances. You need confidence that the systems you rely on for your healthcare organization won’t put your entire business at risk. Interoperability and cybersecurity go hand in hand, and the last step in your handling of a cybersecurity incident must be acquiring software and hardware that meet those two critical needs.

Meet the Author

Patrick has ownership of product development, product services and product operations for Ensocare. He joined Ensocare in 2011 as Vice President, Software Architecture and was promoted to CTO in 2013. He previously led software development teams in the San Francisco Bay and Seattle areas. Patrick received his Bachelor of Science degree in Computer Science from the University of Chicago. He is a certified Scrum Master, a certified Health Insurance Portability and Accountability Act (HIPAA) Professional, and also a certified Security Compliance Specialist.