Invenio IT

Protect Patient Care and Privacy with Healthcare Business Continuity Planning

Dale Shulmistra

Data Protection Specialist @ Invenio IT


Maintaining continuity is vital for every business, but perhaps no other industry faces the same level of urgency as healthcare. Without a solid healthcare business continuity plan in place, healthcare organizations could become paralyzed by a crisis at any time. This poses a risk not only to the organization’s bottom line but also to the privacy and safety of patients and staff.

Healthcare facilities, including hospitals, clinics, and labs, play a critical role in public health, which puts them in an especially precarious position when it comes to continuity. If a hospital’s IT network fails, it can endanger the facility’s reputation and financial standing, not to mention patient health. Read on to learn what risks today’s healthcare organizations face and how an established system of business continuity can better prepare them for any emergency scenario on the horizon.

The Importance of Healthcare Business Continuity

While the principles of business continuity are generally the same regardless of industry, healthcare business continuity stands apart in several ways. When a healthcare facility experiences data loss or other disasters, the downtime affects more than just the “business.” It also affects:

  • Patients: If a facility experiences an emergency and hasn’t planned properly, patient care might be disrupted or delayed, which can have serious long-term effects.
  • Patient data: Cyberattacks and data breaches can expose sensitive health and identifying information to unauthorized parties, creating the risk of identity theft.
  • Legal liabilities: If a loss in care puts patients’ health at risk, the facility may face accusations of negligence.
  • Regulatory liabilities: Facilities that are found to be noncompliant with federal laws like the Health Insurance Portability and Accountability Act (HIPAA) can be hit with huge fines—on top of all the other losses caused by the disruption.

The importance of healthcare business continuity planning cannot be overstated. Every facility—whether it’s a small town doctor’s office or a sprawling regional hospital system—must have a comprehensive plan for disaster prevention and recovery.

Possible Continuity Disruptions for Healthcare Organizations

Healthcare facilities face a wide range of risks that can interrupt operations, take critical systems offline, and limit the ability to care for patients. When developing a business continuity strategy, it’s important to consider all potential disruptions, including:

  • Natural disasters such as earthquakes, hurricanes, and fires
  • Power and water outages
  • Widespread staff illnesses
  • Supply chain disruptions
  • Cyberattacks, including data loss from malware and ransomware

While a single organization is unlikely to experience multiple emergencies on a regular basis, evaluating each type of threat and how it would affect your facility is an essential step. Knowing the risks you face empowers you to adequately prepare, which, in turn, shortens recovery times and significantly reduces financial losses.

The Threat of Ransomware in Healthcare

While hospitals and other healthcare providers face a variety of threats, ransomware has become particularly ominous. In recent years, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), has issued joint advisories warning of ransomware campaigns aimed at the healthcare and public health sector. Let's dig into the details of how ransomware affects healthcare business continuity.

Frequency and Severity

Healthcare organizations are under regular siege by cyberattackers, and the situation has grown progressively worse over time. Data breaches on the whole have been on an upward trajectory for several years, particularly in cases involving large quantities of patient information. The number of healthcare data breaches involving 500 or more patient records, as reported to the HHS Office for Civil Rights, increased steadily from 2009 to 2021.

While data breaches occur due to a variety of errors and attacks, ransomware is the most concerning cause, and more healthcare organizations are experiencing ransomware attacks than ever before. Sophos's 2022 State of Ransomware in Healthcare report found that 66% of surveyed healthcare organizations were hit by ransomware in 2021, up from 34% in 2020.

Ransomware is not only becoming more frequent but also more serious. These statistics from a 2022 study published in JAMA Health Forum further demonstrate the gravity of the ransomware threat against healthcare organizations:

  • The annual number of ransomware attacks on US healthcare delivery organizations more than doubled from 2016 to 2021.
  • Over that period, 374 ransomware attacks on US healthcare organizations exposed the protected health information (PHI) of approximately 42 million patients.
  • Nearly half of the attacks disrupted the delivery of care.
  • Among organizations that experienced an attack, 41.7% suffered electronic system downtime and 10.2% had to cancel scheduled care.

These statistics underscore the importance of healthcare business continuity planning, which integrates prevention and recovery strategies that can reduce the likelihood that a ransomware attack will occur and minimize the damage if it does.

Consequences

Reports of ransomware incidents often focus on the immediate effects like system outages, but the consequences are much more complex than an initial assessment of the situation might suggest. Additional details from the Sophos survey paint a clear picture of how a ransomware attack might impact a healthcare facility:

  • Healthcare organizations are more likely than those in other sectors to pay the ransom, yet paying rarely brings everything back: in 2021, healthcare organizations that paid recovered only 65% of their data, on average.
  • Recovery times for ransomware attacks against healthcare are painfully lengthy, with one in four organizations needing up to a month to recover.
  • Among surveyed healthcare organizations, 94% stated that the attack caused business or revenue losses, with an average remediation cost of $1.85 million.

Despite these potentially devastating outcomes, healthcare organizations lag other industries in measures such as cyber insurance coverage. This lack of preparation leaves life-saving facilities in an incredibly vulnerable position.

The CommonSpirit Attack

While statistics are a useful means of understanding the ransomware threat, a real-life example helps put everything in context. The attack against CommonSpirit Health perfectly captures the danger posed by ransomware.

In early October 2022, CommonSpirit, the second-largest nonprofit hospital chain in the United States, identified a ransomware attack against its systems. Though the organization says it acted quickly to prevent extensive damage, the effects speak for themselves:

  • Many of CommonSpirit’s hospitals had to cancel appointments and take patient portals and electronic health records offline.
  • Annual financial records revealed that the cost of the outage was approximately $150 million.
  • The attack exposed the personal health and personal identifying information of more than 600,000 patients.

Following the disclosure that patient information was exposed, CommonSpirit has faced multiple class-action lawsuits on behalf of plaintiffs who argue that the organization didn't take adequate steps to protect sensitive data. One lawsuit seeks more than $5 million in damages, while another requests complimentary credit monitoring services, actual damages, compensatory damages, statutory damages, and statutory penalties. If the courts rule against CommonSpirit, these suits could cost the organization millions on top of the recovery costs and revenue losses it absorbed during the initial attack. The CommonSpirit incident is a prime example of how a ransomware attack causes not only an immediate disruption but also a long-term loss of patient trust.

Why Ransomware Targets Healthcare Facilities

With such a variety of businesses available to target, why do ransomware gangs continue to focus on hospitals and healthcare? One reason is that many organizations implement woefully inadequate cybersecurity measures despite the persistent threat of attack. The most common weaknesses include:

  • Lack of system patching: Organizations often have lax processes for updating applications and operating systems, leaving known, publicly exploitable vulnerabilities open for months.
  • Not enough cybersecurity training: Healthcare workers, including physicians, often fall prey to malicious emails containing malware or links to infected sites, and they don't receive enough training in recognizing the signs of a phishing scam.
  • Weak passwords: Lax password-management policies, such as shared or reused credentials on clinical workstations, make it easy for attackers to log in to otherwise secure applications.
  • Unprotected devices: Today's advanced medical devices are increasingly connected to the Internet, but they often run outdated software and aren't protected with the same cybersecurity measures as traditional hardware.
  • Outdated data backup systems: Healthcare groups have been slow to upgrade to backup solutions that keep isolated, verifiable copies of data and so minimize the risk of data loss after an attack like ransomware.

Attackers are well aware of these weaknesses in the healthcare industry, and they're happy to exploit them for financial gain. They also know that patient data is voluminous and highly sensitive, and that every hour of downtime endangers patients, which increases the likelihood that healthcare facilities will pay the ransom quickly. Maintaining business continuity in healthcare will remain a challenge until these weaknesses are resolved across the industry.

How Healthcare Business Continuity Literally Saves Lives

The CommonSpirit ransomware attack provided a clear illustration of how a disruption can be detrimental to patients: electronic health records were inaccessible for weeks, and appointments and procedures were delayed.

Consider also the May 2021 attack on the Health Service Executive (HSE), the national healthcare system in Ireland. A ransomware attack rendered many of the healthcare facilities within the system unable to provide normal patient care, leading to canceled appointments for services like cancer treatments. A similar, smaller-scale incident occurred at Tallahassee Memorial HealthCare in Florida, one of the largest hospitals in the region. Tallahassee Memorial had to cancel appointments and divert ambulances to other hospitals due to a cyberattack in February 2023. While canceled appointments may seem like a nuisance, for many patients they mean a delay in critical care and worse long-term outcomes.

The effects also go beyond appointment cancelations. Imagine the effects of lost data, such as patient records, in intensive care units. A disruption in medication delivery or confusion about a patient’s existing conditions can create life-threatening situations. Make no mistake: a break in healthcare continuity is a break in patient care, and facilities have an obligation to create an effective continuity strategy.

The Sky-High Costs of Downtime in Healthcare

An operational disruption can be expensive for any business. For smaller companies, a single hour can easily cost more than $10,000. But for large healthcare organizations, those downtime costs can balloon into millions of dollars per hour.

Running a healthcare facility is naturally expensive. Under normal circumstances, those costs are offset by the healthcare costs passed onto patients and their insurance providers. Unfortunately, when a disaster causes 19,000 appointments to be canceled, for example, that’s a huge loss in revenue—especially when salaried health professionals are still being paid despite the disruption. Patient care aside, these sky-high costs are another reason why healthcare organizations are under more pressure to maintain continuity.

The Risk of Regulatory Noncompliance

Federal regulations are especially strict for healthcare organizations, and rightly so. A failure in healthcare business continuity planning can not only put patients at risk of bodily harm but also expose their most sensitive data to cybercriminals. To help prevent these risks, the U.S. government enacted laws like HIPAA. Its rules govern how healthcare organizations handle sensitive data, including:

  • Storage
  • Transmission and processing
  • Protections against theft and intrusion
  • Backup methods

Under the law's Security Rule, the contingency plan standard (45 CFR §164.308(a)(7)) requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan, so that a healthcare organization can restore data quickly after a disruptive event and keep critical functions running in "emergency mode." A failure to comply with HIPAA comes with steep costs: penalties can reach $50,000 per violation, subject to annual caps. As such, every healthcare organization should have a HIPAA-compliant disaster recovery plan.

Key Steps to Healthcare Business Continuity

When developing continuity plans, healthcare organizations must keep some essential steps in mind. Identifying risks, evaluating impacts, and implementing better backup solutions creates a foundation for better continuity.

Identify Risks and Impacts

The first step to setting any business continuity objective at a healthcare organization is creating a comprehensive disaster recovery plan (DRP), which should include two core components: risk assessment and business impact analysis.

Healthcare organizations must assess all the risks that pose a threat to operations, including data breaches, ransomware attacks, and hardware failures. It’s important to evaluate each organization individually as location, size, and structure can play a significant role in determining whether a threat exists and how severe it might be.

Following a risk assessment, every hospital facility should conduct a business impact analysis to determine how each type of event would hurt operations. Important questions to ask include:

  • How long would recovery take, and what is the maximum tolerable downtime for each system (its recovery time objective)?
  • How much data could be lost between the last backup and the event (its recovery point objective)?
  • What costs would accrue?
  • What services might be disrupted?

An impact analysis reveals just how bad things could get, thus helping an organization understand which solutions are needed to mitigate and recover from such events.

Establish Stronger Data Protection

Data threats like ransomware aren’t going away anytime soon, especially while healthcare organizations continue to leave themselves exposed to targeted attacks. However, high-quality backup solutions significantly reduce the risk of data loss and downtime, even after a large-scale ransomware attack. Large facilities can make use of data backups with ransomware detection and massive storage capacities. Small practices and community clinics, on the other hand, can benefit from more affordable options with smaller capacities but equivalent security features.

Backup frequency and storage type are also important considerations. With the ability to schedule backups as often as every five minutes and boot a virtualized copy of a failed server in seconds, healthcare firms can maintain continuity through nearly any data disruption. Hybrid backups, which store data both on-site and in the cloud, make it more likely that organizations can recover data even after an aggressive attack, provided the off-site copies are immutable or otherwise isolated so that the same ransomware cannot encrypt them. This kind of protection is needed throughout the healthcare industry to ensure operational continuity, no matter what form of data disaster strikes next.

The Essentials of IT Disaster Recovery for Healthcare

All components of a healthcare organization’s IT infrastructure must be adequately protected against downtime threats. Similarly, when any of those systems are disrupted, the organization must have a solution in place that enables a rapid recovery. Essential components for disaster recovery in healthcare include:

  • Network security and redundancy
  • Data backup solutions
  • Antimalware systems
  • Redundant telecommunications lines
  • Backup power generators

However, recovery alone is not enough. Prevention and preparedness are also crucial to business continuity. Among the most important measures are:

  • Cybersecurity training for personnel
  • Disaster recovery testing and drills
  • Network penetration tests
  • Test recoveries of data backups

Failure to employ any one of these strategies could leave healthcare organizations unprepared to cope with potential crises and disasters.
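The two backup checks called for above (frequent backups with an off-site copy, and regular test recoveries) can be automated. The following is an added example written for this page, not Invenio IT's software or any vendor's API: it walks a constructed backup catalog, flags a backup that is older than the recovery point objective (RPO), flags the absence of any off-site copy, and performs a restore test on every copy by reading it back and comparing its hash against the digest recorded when the backup was written. The catalog, the backup image bytes, and the `onsite`/`cloud` location labels are all assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    """One copy of one backup snapshot (constructed stand-in for a catalog entry)."""
    snapshot_id: str
    taken_at: datetime
    location: str   # assumed labels: "onsite" or "cloud"
    sha256: str     # digest recorded when the backup was written
    payload: bytes  # stand-in for the backup image on disk or in object storage


def make_copy(snapshot_id, taken_at, location, payload):
    """Write a copy, recording its digest so a later restore test can verify it."""
    return BackupCopy(snapshot_id, taken_at, location,
                      hashlib.sha256(payload).hexdigest(), payload)


def verify_restore(copy):
    """Restore test: read the copy back and confirm it still hashes to the recorded digest.
    A mismatch means the copy was corrupted, truncated or encrypted after it was written."""
    return hashlib.sha256(copy.payload).hexdigest() == copy.sha256


def check_continuity_readiness(copies, now, rpo, require_offsite=True):
    """Return a list of findings; an empty list means the catalog meets the plan."""
    findings = []
    if not copies:
        return ["no backups in catalog"]
    newest = max(copies, key=lambda c: c.taken_at)
    age = now - newest.taken_at
    if age > rpo:
        findings.append(f"RPO breached: newest backup is {age} old (limit {rpo})")
    if require_offsite and not any(c.location == "cloud" for c in copies):
        findings.append("no off-site copy")
    for c in copies:
        if not verify_restore(c):
            findings.append(f"restore test failed for {c.snapshot_id} at {c.location}")
    return findings


# Constructed sample data: a fixed "now" and a small stand-in for an EHR volume image.
NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)
IMAGE = b"constructed EHR volume image: patient index, encounter notes, audit log"


def sample_catalog():
    """Hybrid catalog: a fresh on-site copy, a good cloud copy, and a cloud copy
    whose payload was altered after its digest was recorded (simulated corruption)."""
    good_onsite = make_copy("snap-1157", NOW - timedelta(minutes=3), "onsite", IMAGE)
    good_cloud = make_copy("snap-1000", NOW - timedelta(hours=2), "cloud", IMAGE)
    recorded = make_copy("snap-0700", NOW - timedelta(hours=5), "cloud", IMAGE)
    damaged = BackupCopy(recorded.snapshot_id, recorded.taken_at, recorded.location,
                         recorded.sha256, IMAGE[:-1] + b"!")
    return [good_onsite, good_cloud, damaged]


def onsite_only_catalog():
    """Weak catalog: a single on-site copy, last taken 30 minutes ago."""
    return [make_copy("snap-1130", NOW - timedelta(minutes=30), "onsite", IMAGE)]


if __name__ == "__main__":
    five_minutes = timedelta(minutes=5)
    for name, catalog in (("hybrid", sample_catalog()), ("onsite-only", onsite_only_catalog())):
        findings = check_continuity_readiness(catalog, NOW, five_minutes)
        print(name, "->", findings or ["ready"])
```

Run as a scheduled job against the real catalog, the same three checks (backup age versus RPO, presence of an isolated off-site copy, and a hash-verified restore of each copy) turn "test recoveries of data backups" from an annual drill into a continuous control, and a failed restore test on the cloud copy is exactly the signal that an attacker reached the backups before you did.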

Where to Turn for Better Healthcare Business Continuity

Healthcare business continuity is a matter of financial stability, organizational longevity, and patient safety, but it often feels like an overwhelming and burdensome process. Healthcare organizations that don’t yet have a business continuity or disaster recovery plan in place can begin with a template that they can tailor to align with the needs of their individual facilities.

If your healthcare organization needs some extra help preparing for possible disasters, make use of the resources available through Invenio IT. To see firsthand how a business continuity solution can protect your healthcare organization against ransomware and other data threats, request a free demo of today’s advanced technology. For guidance on how to develop a stronger healthcare business continuity plan, reach out to Invenio IT’s team of disaster recovery experts.
