By Tamara Nolan, Senior Director, Cyber & Operational Resilience
The healthcare industry is a prime target for cyberattacks, facing a significant number of security breaches. Healthcare organizations hold a wealth of sensitive data and provide critical services, making them an attractive target for cyberattacks. A prime example is the rise of ransomware attacks targeting healthcare organizations’ critical databases and tools. These attacks have caused severe disruptions, halting elective care until recovery is complete.
To ensure the continuity of operations and the ability to provide care to patients, healthcare organizations must prioritize cyber and operational resilience.
Inside the Healthcare Threat Landscape
Healthcare organizations face various significant cybersecurity threats. Some of the main types of threats that healthcare providers need to protect against include theft of the following:
- Protected Health Information (PHI): This refers to sensitive patient data
- Intellectual Property: This includes competitively sensitive information, investment strategies, business plans, merger & acquisition plans, and research data
- Personally Identifiable Information (PII): This refers to employee and payroll data
In addition, there is significant risk related to:
- Disruption of Services: This includes critical infrastructure disruption, disruption of distribution channels, long-term technology/electronic healthcare record (EHR) outages
- Third-Party Compromise: This refers to the compromise of regulators, service providers, IT/OT suppliers
Cyber and Operational Resilience (CORe)
Operational resilience encompasses the entire timeline of preparedness, response, and recovery. It includes key aspects such as emergency response, incident response, crisis management, business continuity, and cyber resilience/disaster recovery.
To address these requirements, MorganFranklin uses the CORe framework, which consists of the following stages.
Establish Program Governance
The first step in the CORe framework is to establish the governance structure for managing the resilience program. This includes developing:
- Program charter and scope
- Goals and objectives
- Communication approach
- Budgeting and resourcing
- Project planning
Assess Resilience Requirements
Next, the organization defines the scope of the resilience program based on its cyber and operational resilience requirements. Some key steps in this process include:
- Capabilities assessment
- End-to-end service definition
- Risk assessment
- Business impact analysis (BIA)
- Single point of failure analysis
- Recovery gap analysis
Determine Strategies and Solutions
Third, the organization develops strategies and solutions to address identified gaps, eliminate single points of failure, and ensure the long-term sustainability of the program. Key solutions and strategies to develop include:
- Organizational structure and guidance
- Operational resilience strategies
- Emergency response
- Crisis management
- Business continuity
- Cyber resilience and IT disaster recovery
- Implement and Train
After developing resilience plans and solutions, the next step is to validate and test them, and train employees and clinicians accordingly. The key aspects of this process include:
- Resource acquisition
- Strategy deployment
- Plan development and documentation
- Training and awareness
Exercise & Test
All resilience plans require regular updates and exercises to ensure recovery strategies continue to meet the organization’s needs. Key exercises to perform include the following:
- Business continuity
- Crisis management
- IT recovery testing
- Risk mitigation
- Plan/document updates
When exercising resiliency plans and testing technology playbooks, the goal is to assess and fully evaluate the ability to respond and recover from a wide range of potential operational disruptions. The following are different types of exercises and tests to perform:
- Plan Challenges (Annual): These challenges validate the completeness and accuracy of resilience strategies, response playbooks, and business continuity plans.
- Controls Testing (Ongoing): This testing confirms the effectiveness of cybersecurity, resilience, continuity, and recovery controls.
- Cyber Testing (Ongoing): This testing involves internal and external penetration testing, red teaming, capture the flag exercises, and skills development.
- IT Recovery Tests (Quarterly): These tests validate the organization’s ability to recover critical applications, end-to-end critical processes, and supporting applications and infrastructure after an incident.
- Tabletop Exercises (Quarterly): Tabletop exercises involve walking through plans and identifying potential enhancements, as well as refreshing stakeholder awareness of these strategies.
- Simulation Exercises (Twice Annually): Simulation exercises help emphasize the roles of various individuals and business units during adverse events such as ransomware attacks, active shooters, regional disasters, etc.
- Third-Party and Integrated Exercises (Annually): These exercises validate the recovery capabilities of third and fourth parties including coordinated joint exercises with critical partners.
Ultimately, a resilience plan should provide tangible value to the organization. To assess the effectiveness of the plan, it is crucial for the organization to establish and track metrics. Key steps in this reporting process include:
- Metrics (KPIs/KRIs)
- Change management
- Executive/board reporting
- Ongoing capability validation
Proactivity is Key
The key to a successful resilience strategy is proactivity. By anticipating and preparing for potential risks and disruptions, organizations can minimize the impact on patient safety, revenue, reputation, and operations.
Healthcare organizations can adopt the following proactive strategies to enhance their cyber and operational resilience:
- Assess potential failure scenarios. Identify possible scenarios caused by cyberattacks, natural disasters, or other events.
- Consider interconnected impacts. Recognize that failures in one area or partner infrastructure can have ripple effects.
- Focus on critical outcomes. Prioritize and ensure strategies and plans are in place to maintain essential functions.
- Define impact tolerances. Determine maximum acceptable downtime and allocate resources accordingly to mitigate risks and impacts.
- Consider various strategy options. Evaluate multiple solutions through risk assessments and cost-benefit analyses to determine the right choice for your organization and situation.
- Stress test tolerances and challenge assumptions. Validate predefined tolerances, effectiveness of mitigations, and other assumptions at each stage through rigorous testing.
Managing Operational and Cyber Risks in Healthcare
The healthcare sector is frequently targeted by costly and detrimental cyberattacks and other incidents that jeopardize patient safety, sensitive data, and the capacity to deliver essential services. However, by taking proactive measures to develop, implement, and maintain a cyber and operational resilience program, healthcare organizations can strengthen their ability to withstand such incidents, sustain their operations, and promptly restore and recover.