Gerry Blass, President & CEO, ComplyAssistant
Best Practices for Implementing a DRBC Plan
An article released by Gartner in July 2021 reported that by the year 2025, cyberattackers will have weaponized operational technology (OT) environments to successfully harm or kill humans. OT attacks, also known as attacks on hardware and software that monitors or controls equipment, assets, and processes, are on the rise. Consider the spring 2021 ransomware attack on the Colonial Pipeline, for example. Effects were felt up and down the East Coast, resulting in a payout of $4.4 million and damage to hospitals, emergency medical services, and law enforcement agencies.
Colonial is one of many victims of ransomware attacks in recent months, adding insult to injury for an industry that has worked tirelessly to stay afloat amid the volatility brought on by COVID-19. The headlines and insights from experts all convey the same message—no one is safe. It’s not a matter of if but when your organization could fall victim to an attack, and now is the time to prepare for the worst.
This article aims to arm organization leaders from rural hospitals to multi-entity systems with practical skills and applications to mitigate the ongoing issues posed by cybersecurity threats.
Disaster Recovery and Business Continuity (DRBC): Then Versus Now
Prior to establishing a plan to mitigate cybersecurity attacks, it is important to understand the change in landscape that organizations have experienced regarding Disaster Recovery and Business Continuity. A traditional DRBC plan includes two phases:
- Disaster Recovery (DR): An organization’s IT department guides recovery from a natural or manufactured disaster. This can include server and network restoration, copying backup data, and provisioning backup systems.
- Business Continuity (BC): The business operations side of DRBC can include staff replacement, service availability issues, business impact analysis, and change management.
Ten years ago, DRBC plans based on the National Institute of Standards and Technology (NIST) included strategies to deal with the business repercussions of up to 72 hours of downtime. At the time, it was a reasonable assumption that a company would be down for three days following an attack. Today? Even more.
Ransomware attacks have extended potential downtime well beyond 72 hours, up to 30 days or more. That is why companies must thoroughly reevaluate their DRBC plans to consider the extended downtime. Further, the organization is not the only party affected by impacts on information technology—patients are affected as well.
Best Practices for Implementing a DRBC Plan
Now that you know the importance of implementing a DRBC plan and are aware of the common threats facing health care organizations, it is time to establish the framework for your organization. Each step represents an important milestone in your organization’s ability to assess the risk level and determine the proper tools and people to fight back accordingly.
Step One: Know What to Look For
The range of potential risks and opportunities for breaches has certainly widened in recent years. According to a study sponsored by Boston-based health data security company Censinet, 61 percent of health care providers are not confident in their ability to combat ransomware, which is up 6 percentage points from pre-COVID-19. Familiarizing yourself and your team with the appropriate knowledge is step one in bolstering your organization’s security. Knowing the threats as outlined by the 405(d) Task Force in HICP is a good place to start. From there, you can identify the red flags and areas of vulnerability that need to be addressed.
Step Two: Establish the Proper Team
You know the old saying that “Rome wasn’t built in a day”? The same is true for your organization’s DRBC plan—it takes time. Prior to crafting the plan, it is essential to have the right group of stakeholders at the table. Note that this will vary based on organization size and specialty of various roles. Some organizations dedicate entire departments to certain areas, while others assign individuals who wear multiple hats. Best practice is to include representatives from the following areas to build a strong DRBC task force:
- Information Technology (IT)
- Providers (Physician/Nurse/Clinical)
- Human Resources (HR)
Gone are the days when the IT staff handled everything related to security. The goal of reducing cybersecurity issues is a team endeavor that requires participation by all stakeholders. Depending on the size of your organization, these meetings could take place on a monthly, bi-monthly, or more/less frequent basis. Identify the best practices for your group and ensure consistency.
Step Three: Assess Risk Level
Once you identify the potential risks and assemble your team, the next step is a thorough assessment of risk levels ranked on a scale of low, medium, and high. Again, the size of your organization and the number of business associates (BAs) in your repertoire are factors to consider when determining the risk level.
Many attacks today are attributed to a large number of BAs or third-party vendors that have access to protected health information (PHI), which directly impacts patient data safety and continuity of care. A holistic evaluation of potential threats within your organization helps to pinpoint the risks and root causes at a granular level.
Partnering with a vendor that specializes in governance, risk, and compliance (GRC) is an effective way to proactively assess your risk. In the example shown in Figure 1, the GRC company is able to provide the organization with essential information, including the name of risk, type of risk, location, stage, likelihood, and impact. Likelihood of an incident and impact to the organization are crucial elements to determining the best course of action.
Step Four: Identify Preventative Controls
Measures taken to reduce the effects of system disruptions not only increase system availability but also play a role in significantly reducing contingency life cycle costs. In the Technical Volumes of the HHS Health Industry Cybersecurity Practices: Mitigating Threat and Protecting Patients (HICP) document, the 405(d) Task Force outlines 10 practices tailored to small, medium, and large organizations. These include:
- Email Protection Systems
- Endpoint Protection Systems
- Access Management
- Data Protection and Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Incident Response
- Medical Device Security
- Cybersecurity Policies
No control can fully eliminate the possibility of experiencing a cyberattack. However, careful application and adherence to the controls can reduce the likelihood of devastation and extended downtime. Education is an essential piece in the cybersecurity equation because it keeps the dialogue open and holds the entire team—not just your IT department—accountable to prevent risk.
Don’t Wait to Start: Be Cybersmart
In an article titled “Why Healthcare Organizations Can’t Afford a Data Breach Caused by Human Error,” Co-Founder and CEO of UK-based Tessian, Tim Sadler, assesses the issue of cybersecurity in a powerful statement: “Businesses are digitally transforming, and ways of working are changing, but one thing remains the same—people are in control of the data and systems. Training cannot be a one-size-fits-all, tick-box exercise. It has to be contextual and relevant if it’s ever going to resonate with employees and enforce long-lasting behavioral change.”
Sadler’s words eloquently and pointedly remind us that the real threat to our nation’s cybersecurity landscape involves the people who live and work in this environment every day. Our decision-making and well-being are on the line, so it is ultimately up to us to stay alert and follow the guidelines set in place. Emphasis on proper training, education, and appropriate use of technology is vital. A better world online begins today.
The U.S. Department of Health and Human Services (HHS) convened the 405(d) Task Group, made up of 150 members across the health care and IT industries, to develop a guide for fighting the most pressing cybersecurity issues of our day. This document, known as Health Industry Cybersecurity Practices: Mitigating Threat and Protecting Patients (HICP), covers five current threats identified in health care:
- Email Phishing Attacks
- Ransomware Attacks
- Loss or Theft of Equipment or Data
- Internal, Accidental, or Intentional Data Loss
- Attacks Against Connected Medical Devices—May Affect Patient Safety
- www.gartner.com/en/newsroom/press-releases/2021-07-21-gartner-predicts-by-2025-cyber-attackers-will-have-we.
To view the original Journal of Health Care Compliance article, Click Here.