Hospitals are, understandably, home to extremely sensitive information, as well as top of the line technology in order to improve patient care. For example, many hospitals are upgrading their legacy infrastructure to adopt an integrated electronic health record (EHR) system in order to gain faster access to customer data that could very well save patients’ lives. As healthcare organizations embrace a more digital, Internet-connected approach to patient care, it’s critical that they implement the right tools, technologies and best practices in order to sufficiently protect their underlying networks, which can become more vulnerable to cybersecurity attacks as a result.
Consider the detrimental effects of suffering a cyber attack, as was the case almost a year ago at Boston’s Children’s Hospital (BCH). The hospital experienced a series of distributed denial of service (DDoS) attacks—an attack that denies the victim access to their system, which is hard to track as they originate from many different sources.
For BCH, a cyber security attack was a frightening thought that became reality. The attackers first leaked BCH’s IP address and Web server information. While Dr. Daniel Nigrin, SVP and CIO at BCH suggested that the leaked information was not all that sensitive, the news caught the hospital’s attention, which then prompted the attackers to start sending out a larger volume of DDoS attacks. BCH implemented appropriate network changes in order to divert the hackers; however, the organization was only further met with more advanced attacks, which had adapted to its new strategies.
Although BCH’s IT staff worked with its “general incident response team,” according to reports, the organization remained vulnerable; patient, operational and other various data remained compromised and vulnerable. As a result, BCH employed the help of a third-party security solutions provider to help defend against the attacks.
While this is a single example of what can go wrong from a cyber security standpoint, on the whole, the majority of healthcare organizations have suffered from an attack. In fact, 81 percent of healthcare executives said their organizations have been compromised by an attack over the past two years according to audit, tax, and advisory firm KPMG.
According to KPMG, 13 percent of these executives tracked more than 350 cyber threat attempts in a single month, clearly revealing that organizations do not understand, track, report, or manage threats effectively.
What could have assisted BCH in better responding to these strikes is a robust incident response strategy, which includes the proper people, processes, and technology. Cyber security is not just having the mechanisms in place to detect and thwart cyber attacks, it also should include a plan for when things inevitably go wrong. Organizations should consider the impact that these breaches will have on their customers, internal systems and public image when developing a strategy. Each of these areas will have different stakeholders depending on impact and exposure.
Incident response does not exist in a bubble; many arms of your organization will be affected. Consider proprietary, customer, and employee data and other sensitive information as well as the availability of revenue-generating systems. Organizations need to ensure that their incident response plan includes notification to management when to bring in public relations, the legal ramifications of a breach and legal disclosure requirements. Organizations also need to consider the effects on human resources as well as how employees should communicate to the press if approached. While we discuss incident response in the context of technical cyber security, incident response as a corporate program is much more than IT; it is executive management, PR/marketing, legal, HR, and customer service.