The Urgent Need for Healthcare Business Continuity Planning
Maintaining continuity is vital for every business, but perhaps no other industry faces the same level of urgency as healthcare.
When a healthcare facility experiences data loss or other disasters, the downtime affects more than just the “business.” It affects patients and the care they receive. It affects the security of patient data. It affects a facility’s legal liabilities, especially if a loss in care puts patients’ health at risk. And finally, it affects regulatory liabilities: when facilities are found to be noncompliant with federal laws like HIPAA, they can be hit with huge fines—on top of all the other losses caused by the disruption.
The importance of healthcare business continuity planning cannot be understated. Every facility—whether it’s a small town doctor’s office or a sprawling regional hospital system—must have a comprehensive plan for disaster prevention and recovery.
1 in 4 healthcare orgs hit by ransomware
Healthcare organizations are no stranger to disaster planning. It’s common for facilities to have emergency plans for a wide range of disaster scenarios, from utility outages to terrorist attacks.
But when it comes to cybersecurity, the industry is notoriously ill-equipped. A 2016 report by SecurityScorecard found the industry to have a wide range of vulnerabilities:
· Healthcare ranked 9th in overall security compared to all other industries.
· The industry ranked 15th out of 18 in vulnerability to social engineering attacks, such as phishing email scams.
· 50% of the industry received a network security score of “C” or lower.
· A majority of the 27 biggest hospitals (63%) scored poorly for patching software and operating systems.
With statistics like these, it should be no surprise that healthcare business continuity planning is especially bad when it comes to ransomware.
A 2018 poll of 1,758 healthcare workers revealed that more than 1 in 4 healthcare organizations had been hit by ransomware in the past year (and roughly a third of those that suffered an attack were hit again within the same year).
Australian hospital loses 15,000 patient records
Already this year, ransomware attacks have continued to disrupt healthcare facilities around the globe.
In February, a targeted attack on Melbourne Heart Group in Australia left 15,000 patient records locked for at least three weeks. The hospital reportedly paid some portion of the ransom, but not all the files were decrypted as the hackers had promised.
The attack disrupted hospital services, creating confusion and headaches for patients. Patients showed up to appointments only to hear that the hospital had no record of them in their system. Others were told simply that their records were “lost” but weren’t given any additional information.
Meanwhile, local newspapers hinted at the possibility that patients’ “personal details and sensitive medical records could be used for identity theft.”
The event was a prime example of how such attacks can cause not only an immediate disruption but also a long-term impact on patient trust.
Most common healthcare vulnerabilities
The Melbourne incident is just one of numerous ransomware hospital attacks in recent years.
Why hospitals? Because healthcare vulnerabilities within IT are particularly egregious. Hackers know this, and they also know that patient data is highly sensitive, which increases the likelihood that facilities will pay the ransom.
The most common vulnerabilities, according to SecurityScorecard, include:
· Lack of system patching: Organizations tend to have lax protocols for updating applications and operating systems.
· Not enough cybersecurity training: Healthcare workers, including physicians, often fall prey to malicious emails containing malware or links to infected sites.
· Weak passwords: Lax password-management policies at healthcare facilities make it easy for hackers to break into otherwise secure applications.
· Unprotected devices: Today’s advanced medical devices are increasingly connected to the Internet, but unfortunately they often aren’t protected with the same cybersecurity measures as traditional hardware.
· Outdated data backup systems: Healthcare groups have been slow to upgrade to more advanced data backup solutions that could help them minimize the risk of data loss after an attack like ransomware.
Maintaining business continuity in healthcare will only remain a challenge until these vulnerabilities are resolved across the industry.
How continuity literally saves lives
The Melbourne ransomware attack provided a clear illustration of how a disruption can be detrimental to patients: records were completely lost, and patients were effectively forgotten by their providers.
Consider also the WannaCry attack on UK’s National Health Service in May 2017. A year later, a report revealed just how bad things were: 19,000 patient appointments had been cancelled, and the attack cost NHS more than £92m (roughly $120 million USD).
Cancelled appointments aren’t just a nuisance. For many patients, they can mean a delay in critical care.
But also, consider the effects of lost data, such as patient records, in intensive care units. A disruption in medication delivery or confusion about a patient’s existing conditions can create life-threatening situations.
Make no mistake: a break in healthcare continuity is a break in patient care.
The sky-high costs of downtime
An operational disruption can be expensive for any business. For smaller companies, a single hour can easily cost more than $10,000. But for large healthcare organizations, those downtime costs can balloon into millions of dollars per hour.
Running a healthcare facility is naturally expensive. And under normal circumstances those costs are offset by the healthcare costs passed onto patients and their insurance providers. But when a disaster causes 19,000 appointments to be cancelled, for example, that’s a huge loss in revenue—especially when salaried health professionals are still being paid despite the disruption.
Even a relatively “small” IT disruption can be extremely costly. A study conducted by Ponemon Institute found that datacenter downtime cost health organizations an average of $7,900 per minute.
Patient care aside, these sky-high costs are another reason why healthcare organizations are under more pressure to maintain continuity.
HIPAA increases the stakes
Federal regulations are especially strict for healthcare organizations, and rightly so. As we established above, a failure in healthcare business continuity planning can literally put patients at harm. But also, poor handling of data can also expose patient’s most sensitive data to cybercriminals.
To help prevent these risks, the U.S. government developed the Health Insurance Portability and Accountability Act (HIPAA). The law sets specific rules for how healthcare organizations handle sensitive data, such as how it’s stored, how it’s protected against theft and intrusion, and how it’s backed up.
Under the law’s Security Rule, a healthcare organization must deploy technology and protocols that enable it to quickly restore data after a disruptive event, so that it can continue operating in “emergency mode.”
A failure to comply with HIPAA comes with steep costs. Each violation carries a fine of up to $50,000. This is another reason why every healthcare organization should have a HIPAA disaster recovery plan.
IT disaster recovery for healthcare
All components of a healthcare organization’s IT infrastructure must be adequately protected against downtime threats. Similarly, when any of those systems is disrupted, the organization must have a solution in place that enables a quick recovery.
Essential components for disaster recovery in healthcare can include, but are not limited to:
· Network security / redundancy
· Data backup solutions
· Antimalware systems
· Redundant telecommunications lines
· Backup power generators
Preventative measures can also include:
· Cybersecurity training for personnel
· Disaster recovery testing and drills
· Network penetration tests
· Test recoveries of data backups
Identifying risks and impact
The first step to setting any business continuity objective at a healthcare organization is developing a comprehensive disaster recovery plan (DRP).
There are two key components of a DRP that will help to guide decision-making about IT expenditures:
· Risk assessment
· Business impact analysis
The first component, a risk assessment, helps to identify all the risks that pose a threat to a healthcare organization’s operations. Example risks could include a data breach, ransomware attack, hardware failure and so on. The purpose of a risk assessment is to make it absolutely clear what the organizations’ vulnerabilities are.
Following a risk assessment, a business impact analysis should be completed to determine how each type of event would hurt operations, i.e. how long recovery would take, what costs would accrue, etc. An impact analysis reveals just how bad things could get, thus helping an organization understand which solutions are needed to mitigate (and recover from) such events.
Stronger data protection for healthcare business continuity
Data threats like ransomware aren’t going away anytime soon. And until the healthcare industry adopts consistent standards for protecting critical data, the targeted attacks will only continue.
Newer data backup technologies from Datto can help organizations significantly reduce the risk of data loss and downtime, even after a large-scale ransomware attack. With a backup frequency as often as every five minutes, and the ability to recover a virtualized backup in seconds, healthcare firms can maintain continuity through nearly any data disruption.
Datto’s systems provide “hybrid” backups, which means that backups are stored both on-site and in the cloud for greater protection. Additionally, built-in ransomware protection helps to detect the first signs of an infection, so administrators can quickly rollback to clean data before the attack spreads.
This is the kind of protection that is needed throughout the healthcare industry to ensure operational continuity, no matter what form of data disaster strikes next.
Take a closer look
Learn more about implementing a business continuity solution that can protect your healthcare organization against ransomware and other data threats. Request a free demo of today’s advanced BC/DR technology from Datto, or contact our disaster recovery experts at Invenio IT: call (646) 395-1170 or email [email protected].