The following is a guest article by Jamie Singer, Senior Managing Director at FTI Consulting, and Rebecca Ayer Pitt, Managing Director at FTI Consulting
The Healthcare Industry is Facing a Cybersecurity Crisis
Flashback to early 2020…
The healthcare industry enjoyed a brief respite when some ransomware groups publicly vowed not to target healthcare organizations providing life-saving services amidst a global pandemic.
Fast forward to 2024…
The healthcare sector today is facing a cybersecurity crisis. Threat actors are disrupting care for vulnerable patients at children’s hospitals, interrupting critical blood supplies, and halting payments to providers.
The numbers are staggering:
- The healthcare sector reported 249 ransomware attacks to the FBI in 2023, more than any other sector
- In the last six months alone, U.S. healthcare providers have faced a staggering 121 ransomware attacks from 10 distinct groups
- Since 2019, the United States Department of Health and Human Services has reported a 278% increase in ransomware attacks on healthcare providers, clearinghouses, and insurance companies
The Impacts of Extended Downtime Can be Severe
The real-world consequences of cyberattacks for healthcare organizations can be devastating. Ransomware attacks bring prolonged operational disruption: recovery often takes weeks, sometimes months. For a healthcare provider, a ransomware attack typically forces the organization to disconnect from vendor and partner systems to contain the intrusion, or those partners disconnect first to protect themselves. Either way, the result is a loss of access to electronic health record (EHR) systems and other critical systems, forcing hospitals into downtime procedures. Hospital personnel are trained to use these procedures for short periods, such as a planned maintenance window, but that training rarely covers running on downtime procedures for weeks, let alone months.
Extended downtime creates additional pressure on healthcare workers who feel increasingly beleaguered from the pandemic and ongoing staffing shortages. The collective force of these impacts can even mean the difference between life and death. According to one study from the University of Minnesota’s School of Public Health, roughly three in 100 hospitalized Medicare patients will die in the hospital under normal conditions, but during a ransomware attack, that number increases to four out of 100 because of the strain on hospital resources.
Hospital Leaders Recognize the Reputational, Financial, and Legal Risks of Cyberattacks
In addition to the operational impacts, cyberattacks bring significant financial, legal, and reputational risks to healthcare organizations. Research shows cybersecurity events are a top-of-mind issue for executives. According to FTI Consulting’s inaugural Hospital Operations Outlook Survey report, Hospitals In 2024: Rising to Meet Increased Operational Demands, half of hospital executives surveyed pointed to data loss or compromise as their biggest concern stemming from cyberattacks, followed by continuity of care (28%), financial costs (28%), and reputational risk (22%).
But there are Clear Gaps in Preparedness
Despite these recognized risks, according to the same survey, more than half of respondents (55%) admit they are not very prepared for a cyberattack.
When it comes to cybersecurity preparedness, baseline efforts today include implementing best-practice technical controls such as multi-factor authentication and having a technical incident response plan in place. Those controls reduce the likelihood of a successful intrusion, but they do not by themselves shorten the downtime that follows one. Healthcare organizations operating in this heightened-risk environment, and facing potentially devastating consequences in the wake of a cyberattack, need to take their preparedness to the next level.
Recommended Action Items
Enhance Downtime Procedure Education and Training
Given the healthcare sector’s increasing reliance on electronic systems including electronic health records, the next generation of clinical leaders likely has received minimal, if any, training in paper charting. However, it is imperative that hospital staff understand and are trained to use downtime procedures for extended periods of time while maintaining continuity of care. Healthcare organizations should consider enhancing and extending downtime procedure training for staff to simulate the realities of working in a healthcare setting during a ransomware attack.
Identify Offline/Backup Communications Vehicles
It is often the case that preferred communications modes are not available while an organization is actively responding to a cyberattack, from email to corporate websites to online patient portals. Healthcare organizations should identify a range of backup communications vehicles that deliver urgent communications and updates to key stakeholders, including patients and employees. Text-based emergency notification systems may be an option, but they require robust and up-to-date contact lists, and those lists must be stored somewhere that does not depend on the directory or email systems that may be offline during the incident. For external-facing updates, healthcare organizations may also consider setting up an alternative webpage in advance of an incident, hosted independently of the organization's own infrastructure, which can be "turned on" in the event of a cybersecurity crisis.
Establish Relationships with Third-Party Experts Before a Crisis
In a cybersecurity event, no organization can go it alone. An effective and efficient response requires coordinated action by partners, including external cyber counsel, forensics firms, and crisis communications experts, to name a few. Searching for partners in the midst of a crisis is not ideal. Healthcare organizations should establish relationships with such experts, with engagement terms agreed, in advance of a cybersecurity event so that work can begin within hours rather than days.
Develop and Test Cybersecurity Crisis Communications Protocols
Communications decision-making is heightened and accelerated during cybersecurity events. A well-tested communications plan can meaningfully impact reconnection with vendors, maintenance of stakeholder trust, and mitigation of long-term reputational harm. Such plans should consider the composition of the cybersecurity crisis communications response team; a streamlined communications review and approval process; and a communications protocol for collecting, tracking, and responding to inquiries from customers, partners, patients, employees, media, regulators, and more.
Ensure Effective Communications Flow Amongst CISOs, C-Suite, and Boards
Cybersecurity attacks against healthcare organizations are whole-of-business issues. It is imperative that executive leadership and Boards are well-educated on response protocols, including executive- and Board-level decision-making, ahead of an incident. Similarly, chief information security officers need to be equipped to communicate with their C-suites and Boards throughout a cybersecurity crisis. According to FTI Consulting's CISO Redefined Survey, CISOs are not fully prepared to communicate with leadership, and 98% of executives support more funding for CISO communications and presentation training.
While healthcare organizations cannot control if or when a cybersecurity event will occur, they can control their preparedness mindset and investments before the crisis hits. Regaining patient and community trust in the aftermath of a cybersecurity crisis is not a given. Thoughtful advance planning can help mitigate many operational and reputational risks.
About Jamie Singer
Jamie Singer co-leads FTI Consulting’s Cybersecurity & Data Privacy Communications practice and has provided counsel on half of the top 10 largest healthcare data breaches in 2023. She also co-leads the development of FTI Consulting’s annual CISO Redefined survey.
About Rebecca Ayer Pitt
Rebecca Ayer Pitt, Managing Director, leads FTI Consulting Strategic Communications’ hospitals and health systems advisory solutions and co-leads the firm’s annual U.S. Hospital Operations Outlook Survey.