In part two of this blog series, we’ll assess your response following a cyberattack on your healthcare organization. We’ll look at what it means from a technological standpoint, as well as from a stakeholder standpoint, and try to chart the best course of action. Catch up on part 1 of the series here.
Healthcare cyberattacks are becoming alarmingly more common each year. In fact, in 2020 more than 1 million people, almost every month were affected by data breaches at healthcare organizations. The pandemic saw the number of attacks soar, as hackers targeted busy hospital facilities.
With the threat of an attack so high, for many healthcare organizations, it’s a matter of when not if. That’s why we’ve teamed up with Lambert & Co to help us make this blog series as useful as possible. As experts in communication, Lambert & Co is well placed to advise on the topic of crisis management during cyberattacks, adding to our own experience in technology solutions for healthcare.
Responding to a Healthcare Cyberattack
When a healthcare cyberattack occurs, you’ll encounter problems across your entire organization. To understand your priorities during this time it’s best to separate the issues into:
Technology and IT – the virus/breach itself and any repercussions this has had on your network security, or your data storage.
Communications – how you intend to inform stakeholders and the public of the breach, and the processes your staff follow to reduce damage.
By dealing with issues in these two categories, you are responding to the most important issues first. This is almost always going to mean prioritizing IT issues, as that’s the point of contact. There will likely be other repercussions too, but you’re initially going to want to focus on identifying the threat and preventing excessive damage.
Technology and IT
Understanding the Type of Attack
The first signs of an attack will most likely come from your security software. The IT department will be notified of an issue automatically, which they will then investigate to determine what has happened and what should be done to prevent any further damage.
There are several different kinds of data breaches. Here’s what they tend to look like:
Ransomware – ransomware attacks hold your data and network captive until a fee is paid. This usually means that you can’t access any data, or even any computers until you have paid a ransom. These kinds of attacks are common for healthcare organizations and other larger companies.
Malware – a little less strategic than ransomware, malware is simply a program that damages your system by infecting it with a virus. It is often circulated via links on unsecured web pages and spam emails. While this might not directly affect patient data, it could damage or delete it, so continue to follow your data breach protocol.
Phishing – phishing is carried out by websites and emails that have been designed to look like a genuine service provider, asking for personal details to help with a fictitious problem.
Leaks – a disgruntled ex-employee or a misplaced laptop could cause data to be leaked publicly. This is less of a cyberattack, but still involves a breach of private information and should be treated similarly.
Password attack – password attacks use specialist software to run millions of password “guesses” on your organization’s password-secured software until it chooses the correct password.
Taking the correct action
Once your IT department has identified the kind of attack that has taken place, they will also determine where it originated. Perhaps it was a link clicked by an employee accidentally or a targeted attack. If the problem is localized to one machine, they should detach it from the internet and any network it is part of to isolate the problem. All passwords should then be changed and existing users on old passwords logged out.
Then it’s time to determine the severity of the attack. Some attacks might not breach your stakeholders’ data, they may simply cause a computer to malfunction or run more slowly. If data has been damaged, stolen or deleted by the attack, you will need to start thinking about how you are going to communicate this to stakeholders.
Your team should work to identify which stakeholders have been affected by the breach and surface their information ready for the communications team to inform them of the attack, and how it will affect them.
Once you’ve minimized the damage and can be sure that the threat has been dealt with, i.e. the offending software or machine is no longer active on your network, it’s time to deal with the implications the attack might have had on your organization and its stakeholders.
HIPAA requires notification of the breach “without unreasonable delay”. You should have a pre-made breach notification template ready to use so that you can give breach notification as soon as possible. If your breach notification takes too long, you will need to provide evidence for reasonable delay. If it takes more than 60 days, you will be in breach of the privacy rule.
In the previous blog in this series, we put forward a strategy for creating a crisis communication plan in the wake of cyberattacks. Now we’ll look at how that plan plays out when a breach occurs.
Preparation – Prepare to inform your stakeholders about the breach. Find out who has been affected and what data has been compromised. You should also inform the Internet Crime Complaint Center of the crime so they can carry out any necessary investigations.
As discussed in our crisis communication plan blog, you should have public announcement templates ready, as well as stakeholder outreach templates for those that have been affected directly.
Informing stakeholders – Reach out to those directly affected on an individual basis, as well as making a public announcement informing the public that there has been a data breach.
Try to be as transparent as possible, giving details on the scale of the attack and how many stakeholders have been affected. Also, include what you are doing to combat the issue and reassure that those affected will be contacted privately.
Notification laws vary by state, please be informed on what you are legally bound to do in your state.
Review and practice
While the review process happens after the attack, in response to your organization’s reaction, it should already be an ongoing process to practice and review your crisis communication plan and continually improve it.
Preparation is a key component in the success of your cybersecurity strategy, but it’s also important to learn from any issues you encounter in the plan.
Review the process you followed and make amendments where necessary. Perhaps there was an issue sourcing contact details, or team members weren’t sure what to do – make note of these issues and correct them in your plan to ensure they don’t happen again.
And remember to keep practicing. As new employees join your organization, you’ll need to make sure they’re up to date with your plan. Introduce monthly drills and training sessions to keep everyone informed and prepared.
Looking for more help with your cybersecurity plan?
Having a robust and well-rehearsed cybersecurity plan and IT setup is crucial for modern healthcare organizations. These attacks can be brutal, they deliver a huge blow to finances, reputations, and stakeholder trust.
However, they also damage the organization’s ability to deliver optimal care to patients. If data records are lost or damaged, it could affect vital health information, such as a patient’s prescription records or past treatments. This affects the overall care of the patient and should not be overlooked.
With the right plan and good execution, you can prevent disaster and start to rebuild from day one of the breach.
Get in touch with Lambert & Co for more help building a crisis communication plan, as well as a dedicated crisis response training for your team. Or contact us at Worksighted to work with our cybersecurity specialists in setting up a robust safety net that can protect against healthcare cyberattacks today.