Gerry Blass, President & CEO, ComplyAssistant
ComplyAssistant President and CEO Gerry Blass recently sat down with Healthcare IT Today Editor and Founder John Lynn to discuss “The Impact of Ransomware on Healthcare Disaster Recovery and Business Continuity and Practical Steps to Improve.” Throughout the conversation, Blass shared his expert advice on why all organizations need a Disaster Recovery Business Continuity (DRBC) plan and offered useful tips for mitigating risks within your organization.
Uptick in Risk in the Healthcare Industry
Blass and Lynn kicked off the conversation by discussing how risk in the healthcare industry has evolved. Blass explained that the establishment of the Affordable Care Act (ACA) in 2010 brought with it a large wave of migration to electronic medical records (EMR) for patient health information (PHI). This alone increased exposure to ransomware attacks, and the trend unfortunately hasn’t slowed since. Over the past 10-plus years, especially with the added complications of working from home and telehealth, attacks have gone from taking systems down for a minimum of three days to causing up to 30 days of downtime. The financial impact of these attacks, and their effect on patient quality of life, can be devastating.
Creating a DRBC Plan
Blass recommends that the first step in preparing your organization for such an event is to ask yourself what happens after the 72-hour mark. The list of repercussions can be long, including revenue loss, inability to process claims, the need to divert patients, and loss of equipment function, to name a few. It is important that IT leaders make an honest assessment of their current plan and discuss these outcomes. Blass advises pulling in staff members from various departments (IT, nursing, finance, etc.) to weigh in and create a holistic approach. If you don’t have a DRBC plan in place, there’s no time like the present!
Handling an Attack’s Ransom
Once a plan and team are in place, Blass stresses the importance of deciding whether or not you would pay the ransom. He explains that many attackers today demand Bitcoin, usually in the ballpark of $500,000 or more. Many hospitals are only able to make payments of $20,000 a day, so from that perspective you’re looking at 25 days until the ransom is paid in full. In some cases, the attacker’s country is on an Office of Foreign Assets Control (OFAC) sanctions list, meaning the organization isn’t legally permitted to pay the ransom at all. If you are unable to pay, it is important to have a hot site or backup in place, especially if your EMR is on-premises rather than cloud-based. At the end of the day, an organization will either pay the ransom or it will not.
Guidance for Decreasing and Combating Threats
Having an expert source to consult before or after an emergency occurs is a good way to limit the long-term effects an attack has on your organization. Blass recommends looking to the Department of Health and Human Services (HHS) framework Health Industry Cybersecurity Practices (HICP) for guidance in determining which threats are most likely to occur and how to combat them. He also recommends making sure your DRBC plan covers a 30-45 day outage and is evaluated at least monthly by your organization’s emergency preparedness team. To listen to the full interview and learn more about securing your company’s DRBC plan, visit here.