
If there is a large-scale event, most likely ransomware, where you have a high percentage of critical systems unavailable, how are you going to respond to that?

John Fanara, CRICO

Chief Information Security Officer and Director of Information Technology

Health care providers are facing new threats from online attacks that require new strategies to limit liability, harm to patients, and revenue loss. In spring of 2023, the Academic Medical Center Patient Safety Organization, or AMC PSO, released an update to its cybersecurity guidance from 2016. New guidance was necessary, says guideline participant Dr. Yvonne Cheung, because the nature of attacks has changed. Today’s risk has moved well beyond EHR downtime to a near-existential threat to an institution, and good preparation now assumes that security will be breached.

“There is, of course now, much more heightened awareness because there have quite honestly been many more instances of threats coming from outside an organization or an institution, mainly ransomware and hackers breaking into access-protected health information and disrupting patient care as a result.”

Dr. Cheung is Associate Chief Medical Officer and Vice President of Quality and Safety at Newton-Wellesley Hospital, in Newton, Mass. She helped craft the AMC PSO patient safety alert for cybersecurity and recovery. Experts say every provider faces some basic risks, and some institutions have even been targeted by foreign entities. The problem has led the federal Department of Health and Human Services (HHS) to issue guidance and warn about increasing cyber crimes that threaten health care institutions. HHS has noted that health care has had the highest average cost of a data breach for 11 years in a row, rising from $7.13 million in 2020 to $9.23 million in 2021. In the Harvard medical system, concern has led CRICO to schedule a webinar in June 2023 with Dr. Cheung and CRICO Chief Information Security Officer and Director of IT, John Fanara.

“Ransomware is the top area that people are concerned about and focused on, because it is the most impactful. You could also have a denial of service that could bring down a lot of systems, as well. So those are kind of the top two that people are worried about. But the difference here is that health care is being actively targeted daily, unfortunately, from all kinds of nation states and others, so they are being targeted actively and they’re constantly fighting that off and trying to prevent these things. And the consequences, like I said, are dire, right, because it could affect care and also potential loss of life.”

Fanara notes that the scope of concern can range from the inability to retrieve a cancer protocol during an individual patient visit, to the loss of revenue from hundreds of cancelled procedures. Real-world stories from HHS include an Indiana hospital that was forced to go on diversion after a ransomware attack, and took months and millions of dollars to fully recover. In the new patient safety alert, these threats are central to cybersecurity for hospitals.

“What we’re doing now, and what we’re really looking at, is if it's a much larger system unavailability. So if there is a large-scale event, such as a cybersecurity event, most likely ransomware, where you have all of your systems unavailable or a high percentage of critical systems unavailable, how are you going to respond to that? How are you going to communicate that, how are you going to respond to it? So we go through the steps of how that would work for clinicians and the technical folks to work through that.”

The document lays out ways to analyze clinical and business risks and to develop security response plans. It promotes multi-department drills called tabletop exercises, and close collaboration between IT and clinical professionals. Dr. Cheung:

“At a very high level, in the patient safety alert itself, you’ll see that we've broken the risks down, risk and risk mitigation strategies into the four buckets. Preparing for the cybersecurity threat, recognizing that, in fact, whoever it is, from the outside has gained access, and activating the response and initiating downtime procedures, the communication considerations, and then recovery.”

During a crisis, as IT takes systems down and brings them back up, the doctors and nurses need to match the availability of specific systems to the care they are providing in real time. Fanara says there can be a disconnect between the two sides.

“The technical side is looking very specifically at the systems, the backups of those systems, the integration points, how they can bring them back up, what order they have to bring them back up, so on and so forth. But on the clinical side, they need to be informed about what that process looks like, they need to understand how that’s going to happen. So there needs to be solid communication there because they could be working on a system that becomes unavailable, so then they’d stop working on it, and then the second it comes back and it’s available, they may start working on it again, but it may not be ready. So there’s a communication there that seems to be lacking, that we need to kind of tighten up a bit.”

In some ways the focus has moved from preventing every breach to recognizing that breaches will occur and reducing the harm from an attack. Many attacks still arrive through a simple e-mail to staff, and security plans will always need to include drills for stopping intrusions. All staff must be involved. But Dr. Cheung says her experience working on this project helped her see the inevitability of a breach, and the need to thoroughly plan for it.

“As an operational leader and a clinical leader, I had thought of things differently, because, really my thinking kind of flipped. I used to think that an organization should spend most of its resources and energy and effort thinking about preparing. But in fact, it would be hubris to think that it can’t affect my organization, and we have to all plan for this knowing that our systems are not going to be 100 percent effective at preventing every single threat.”

Yet every single threat, Dr. Cheung says, is important, especially if it disrupts or delays good clinical care. 

The AMC PSO Patient Safety Alert is available on the CRICO website, at www.rmf.harvard.edu/cyberalert. More information on the June 21 webinar, called “Cyber Security and Recovery,” can also be found online, at www.rmf.harvard.edu/cyberwebinar.

I’m Tom Augello for Safety Net.



Commentators

  • Yvonne Cheung, MD, MPH
  • John Fanara, CRICO