Ransomware attacks pose a serious risk to hospitals nationwide and the latest data suggests the problem is getting worse by the day. According to cybersecurity firm Sophos, the number of ransomware attacks on healthcare organizations increased 94% from 2021 to 2022.
The federal government recently corroborated this concern in a warning statement issued by the FBI, the Treasury Department and the Cybersecurity and Infrastructure Security Agency (CISA). The agencies noted that North Korean hackers have been using a strain of ransomware called “Maui” to attack U.S. hospitals since mid-2021. It’s believed that these hackers are raising money for the North Korean government by charging ransom payments to unlock the health systems’ critical IT systems.
Regardless of the perpetrator or their motive, healthcare organizations everywhere are working to minimize their vulnerability to hackers. Then again, Hurricane Ian offers a timely reminder that not all unplanned downtime events are the result of criminal activity.
Either way, the outcome is the same. Whenever critical healthcare information systems are compromised, patient safety is jeopardized, the quality of care suffers and organizational efficiency plummets. The question is, what can be done about it?
This blog will examine three approaches to mitigating the risk of unplanned downtime in a healthcare environment. Presented in a good/better/best sequence, we will examine the relative pros and cons of each approach.
#1: Stockpiling pre-printed clinical forms
An immediate concern whenever a hospital’s IT network is interrupted is the loss of access to clinical forms. Without them, something as simple as prescribing a medication or discharging a patient requires an error-prone workaround. These risks are compounded when medical procedures requiring informed consent are involved.
A common approach to this risk is to pre-print vital clinical forms – including those that otherwise exist only in digital form – and place them in storage to await an unplanned downtime event. While certainly better than nothing, this strategy is fraught with problems.
- Clinical forms are constantly changing. Pre-printing and placing clinical forms in storage essentially guarantees that outdated forms will be used in the event of a downtime emergency.
- Stockpiling pre-printed documents, especially those prone to frequent obsolescence, is enormously wasteful. A hospital system will likely need to discard entire pallets full of paper documents as the pre-printed forms become too outdated to use.
- Converting a digital form to a stockpiled paper equivalent contradicts the intent behind the Meaningful Use of electronic health records (EHRs). While it may be necessary to use a paper facsimile of a form during a downtime crisis, it would be best to start with the most current (i.e., digital) version of that form.
#2: Employee training
Employee training can substantially reduce a healthcare system’s vulnerability to ransomware and malware attacks. The cybersecurity awareness experts at KnowBe4 released a Phishing by Industry Benchmarking Report as a way of measuring an organization’s risk of succumbing to a phishing or social engineering scam.
A recent Wall Street Journal article provides another example. Children’s National Hospital in Washington, D.C., has trained its employees to respond quickly to any abnormal IT activity. If a nurse, doctor or other staff member observes a failing system or suspicious message of some sort, they are to contact hospital security staff immediately. A “code dark” is then called, alerting employees to disconnect every digital device within reach. Doing so creates another perimeter of defense and can quarantine malware before it spreads systemwide.
While such training is necessary, it is not sufficient as a strategy against unplanned downtime. Even the best-trained employee can be fooled by a phishing scam, and even an immediate response to a “code dark” cannot undo malware damage already done. Here again, another layer of defense is needed – one that ensures that up-to-date versions of clinical forms are continuously available no matter what.
#3: Backup strategies
A cybersecurity advisory titled Ransomware Activity Targeting the Healthcare and Public Health Sector was jointly published by CISA, the FBI and the Department of Health and Human Services (HHS). As noted in an earlier blog post, backup strategies were cited as a key defense against hospital ransomware attacks.
Specifically, healthcare organizations were encouraged to adopt a 3-2-1 approach to backups. That is, save three or more copies of all critical data in at least two different formats with one copy stored entirely offline, inaccessible to cybercriminals.
Such backup strategies are the most powerful defense currently available to healthcare organizations. However, backups are best viewed as complementary to the other two approaches noted above. It may be helpful to think of them as concentric circles rather than independent options:
- Level 1 – Engage health information technology (HIT) professionals to develop a 3-2-1 backup strategy such as that outlined by CISA, the FBI and HHS.
- Level 2 – Train all hospital staff members to recognize phishing and social engineering scams on sight and to alert hospital security immediately so a “code dark” protocol, such as that created by Children’s National Hospital, can be implemented.
- Level 3 – Ensure that hospital staff members have instant, uninterruptible access to key clinical forms in the event of a downtime event – regardless of cause. Doing so is an example of a 3-2-1 backup strategy in action.
DowntimeDoc™: A Proprietary Strategy for Unplanned Downtime
DowntimeDoc, available only from Taylor Healthcare, is a complementary backup strategy for unplanned downtime periods like those resulting from a ransomware attack. With DowntimeDoc, a hospital or clinic can maintain normal operations without sacrificing efficiency or the quality of patient care – regardless of the status of its network or the type of malware used.
- Registrars can search patient records and print admissions packets while the admission, discharge and transfer (ADT) system is down.
- Nurses can print forms, labels and wristbands complete with patient demographics and barcodes.
- Physicians can access condition-specific protocols and continue to provide the same level of care as if the network was still live.
Best of all, DowntimeDoc makes the stockpiling approach – and all of the drawbacks that come with it – entirely unnecessary. DowntimeDoc is software designed to quietly reside within individual computer workstations and “wait” in the background until needed. If a downtime event occurs, hospital staff simply access the most up-to-date versions of the clinical forms and documents they need to sustain operations.
See how DowntimeDoc is mitigating the risk of unplanned downtime events for healthcare systems nationwide. Contact your Taylor Healthcare representative to learn more.