Early this year, healthcare’s frontline workers began reporting disruptions to their paychecks stemming from a cyberattack and outage on HR and payroll vendor Kronos. At ViVE, multiple healthcare chief information security officers (CISOs) urged providers to learn from the mistakes made by the impacted providers to ensure business continuity when the inevitable attack strikes.
Particularly with the explosion of digital health technologies in the last two years, the complexity of the healthcare infrastructure cannot be understated. Those increased connections have added to the security risks and burdens of providers, and with it, the need to reassess the network.
From a business continuity perspective, as healthcare has moved to the cloud and other digital tech, “like the Kronos effect and all, we really need to understand succinctly what those absolute most mission-critical business processes are,” said Erik Decker, Intermountain Healthcare CISO. “With the convergence of health IT, we're all putting our eggs in the same basket.”
“Look at Kronos, and what happened there when, when that was impacted,” he added. “The whole shift of mindset of these things has to be better. When we are converging on single platforms to run an infrastructure that can have outages for weeks at a time, what's the public health implications of that? What are the weaknesses and sort of the whole lifecycle?”
For providers, it will mean assessing clinical workflows and determining what processes are imperative to business operations, such as imaging, lab, pharmacy, drug suspension, and the electronic health record, he explained.
The ransomware attack on the University of Vermont Health Network in October 2020 and its subsequent month-long EHR downtime and network outage shine a light on just what processes may be included in prioritization efforts.
UVM officials clearly stated that the lack of imaging over the course of six weeks had a massive impact on the ability to provide patient care, which came as a surprise, Decker noted. It’s likely the ongoing outage at Taylor Regional Hospital in Kentucky is having a similar impact, as the attack impact continues into its eighth week.
As such, it’s important when evaluating the expansive third-party vendor connections within any given entity, particularly when placing the “most mission critical things in the cloud,” that providers “change up the risk model on the way we calculate this,” said Decker.
Rather than addressing it from planned scenarios of “what's the likelihood of this thing going down and blah, blah, blah. Assume now, and let's start with that,” he added. Healthcare leaders must consider hybrid environments, including what happens when the EHR is down and it holds 48 hours of data on it.
Providers need to be evaluating how to maintain those key processes and partnerships that are business imperatives, especially when some providers are connected to each other.
For example, UnitedHealth Group has anywhere between 40,000 to 60,000 vendors, explained its CISO Aimee Cardwell. Earlier this month, Cardwell responded to a situation where two vendors that provide similar services went down at the same time. It became clear that “one of the vendors was the business continuity plan for the other vendor.”
“That worst-case scenario provides us an opportunity for continuous improvement of our vendor management program,” said Cardwell. The vignette provides an opportunity to consider “what would happen if your most important vendors were not available to you? And more importantly, what would happen if the data that those vendors have was taken by a doctor?”
“So we have now prioritized our vendors from top to bottom, and we're working down the list,” she added. “We all know the fundamental things we need to do and any number of frameworks bode well for that — the idea is to make sure we do that work before anything happens. You don’t want to be the easiest thing to pickpocket, you want to be the hardest.”
What providers should ask vendors when assessing security
Fortunately, the insurance giant had strong business continuity processes that enabled Cardwell’s team to manually do the work. But the incident made it clear that providers should be asking vendors questions to assess security measures, business continuity, and encryption use. Those questions should include:
- Is the data encrypted in transit and at rest? Certainly, we hope it is.
- Do they dispose of the data of studies after its intended purposes? Completely?
- Is the digital connection that you share with that vendor safe from the lateral movement of malware, in case they're hit by a virus?
- Is it possible for hackers to hit you laterally, as well?
- Can your organization isolate that vendor and still continue operations?
Fortunately for healthcare providers, federal agencies and non-profit organizations have been keenly focused on providing free resources to the sector aimed at these precise assessments and mitigation measures.
The overwhelming consensus is that the 405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) is the easiest way to jumpstart the shift into strengthening these vast connections and vendor relationships.
Jim Brady, Ph.D., M Health Fairview CISO and vice president of infrastructure, operations, and information security, added that these frameworks contain the necessary elements for risk analyses and assessments. As these can contain hundreds of focus areas, the HICP breaks down the top 10 best practices over five areas derived from the NIST CF.
Particularly as the Department of Health and Human Services will consider whether an entity has done its due diligence and implemented the recommended measures of HICP when auditing an entity after an incident.
“If those recognized practices are in place and you can demonstrate you've done it, then that you're going to be in a much, much better place if you actually are compromised,” said Decker. “Because, as we all know, it's impossible to stop all of these attacks. It's just a matter of reality. But it's how we respond, that is the differentiator.”