
4 steps to patient-centered healthcare incident response

Mike Donahue, Chief Delivery Officer, CloudWave

The healthcare industry reported more ransomware attacks in 2023 than any other critical infrastructure sector. As attacks escalate in scale and intensity, it is clear that traditional cybersecurity methods have proven inadequate in healthcare. Significant change is required to combat increasingly sophisticated attacks.

For example, incident response, the standard set of processes and technologies used to detect and respond to cyber threats, has worked well in most industries, such as retail and finance. What sets healthcare apart is not the complexity or number of its IT systems; it is the responsibility to ensure people's care and safety while those systems are down.

Patient-centered incident response

Healthcare incident response should reflect the patient-centered approach seen in other critical areas of the industry. Unfortunately, most incident response programs, practices, and policies place their primary focus on privacy. Even healthcare regulations and frameworks like HIPAA, the NIST CSF, and NIST SP 800-53 can provide a false sense of security, because their policies, controls, and requirements focus primarily on protecting data rather than offering instructions, best practices, or even advice on how to protect the patient. While protecting data is critical and is often the primary rationale for investing in cybersecurity and compliance, the primary focus of healthcare should always be protecting the patient and ensuring uninterrupted care.

Part of the problem is that cybersecurity responsibility usually falls under the purview of IT, and most IT programs are extremely hierarchical. Healthcare is no exception. Because the damaging phase of many cyberattacks plays out within about 15 minutes, hierarchical response plans with multiple levels of approval and authorization are impractical in this context. Conventional procedures are often abandoned within those 15 minutes, and ad hoc measures take over.

In comparison, the most effective clinical teams operate with minimal hierarchy, particularly in life-or-death scenarios. This non-hierarchical approach to patient care should be reflected in incident response planning. With a patient-centered approach, response responsibilities also extend to other teams, such as clinical staff, clinical technology, and compliance.

The mortality rate increases after a breach

In high-pressure healthcare settings, time is of the essence when responding to potential cybersecurity incidents, and the response itself can have a detrimental impact on patient care. For example, a Vanderbilt University study found that "…after a breach, both time to EKG and mortality rates increased and continued to rise for about three years before declining." The report continues: "It's the efforts to remediate the breach impacting these time-critical processes and patient outcomes."

Using Department of Health and Human Services breach data and quality data from more than 3,000 hospitals over a four-year period, the researchers found that the average time to an EKG increased by up to 2.7 minutes and that 30-day mortality after a heart attack increased, which translates into as many as 36 additional deaths per 10,000 heart attacks per year. This is just one example of how a significant cyberattack, and the remediation that follows it, can increase patient mortality.

A four-step plan for transitioning to a patient-centered incident response

Cyberattacks inevitably impact patient care, even when patients are not the direct target. Let’s illustrate this with a ransomware attack. Once the attack begins, the healthcare system is thrown into turmoil. Cross-departmental conversations revolve around the impact of the attack – from concerns about compromised systems and the reliability of critical patient data to questions about the security of personal data. The focus shifts from patient care to the potential consequences of the cyber attack, resulting in a demonstrable deterioration in the standard of care.

To effectively mitigate the impact, the entire organization must recognize its primary role in protecting patients when orchestrating a response. For example, clinical staff should have established actions to take as soon as it is known that a cyberattack is in progress (e.g., immediately measuring the current vital signs of patients connected to medical devices). Keeping the patient at the center is paramount and every aspect of incident response, including disaster recovery, should keep the patient’s well-being at the forefront.

When developing a modern, patient-centered emergency response plan, the following four-step process should be considered and integrated:

Step 1 – Patients

The incident response plan must be designed to minimize its impact on patient care. When prioritizing system recovery, decisions should be based on what will benefit patients the most, not on what is easiest for IT to restore.

Step 2 – Staff

Supporting and empowering frontline staff during a cyberattack is critical to providing excellent patient care. Addressing their concerns and uncertainties is crucial. This support should extend beyond the IT department to the entire organization, ensuring everyone knows how to respond and can remain focused on patient safety.

Step 3 – Family

It is critical to proactively address the concerns of the patient’s family and friends. Effective and early communication is necessary, especially after a cyber incident. People are looking for answers and reassurance, so it’s important to have a plan to address their legitimate concerns.

Step 4 – Systems

The long-term goal is to restore and protect IT systems. The recovery order should follow the clinical guidance of the teams responsible for patient care. For example, when bringing systems back online, the needs of patients in the intensive care unit should be considered first, and the plan should be aligned with patient care goals rather than with the convenience of the IT organization.

In summary, a thorough, patient-centered incident response plan prioritizes patients, assesses staff needs, addresses family concerns, and considers system status and recovery goals. This remains the continuous focus, minute by minute and hour by hour, until the environment reaches a known-good state.

Putting the Plan into Action: The First 72 Hours of an Attack Response

The decisions and actions taken in the first 72 hours after a cyberattack are of the utmost importance and carry the greatest liability. Incident response plans should focus on the actions taken within this critical time frame and on executing a well-coordinated response strategy.

Within the first 90 minutes of an incident, ensure that patients are being treated effectively and that physicians have the resources they need to stabilize the situation. Map out the different areas of responsibility in parallel rather than one after another. Open conversations with physicians and hospital staff are critical to the transition from the first 90 minutes to the first eight hours, when staff care becomes a key aspect. Assessing employee morale, psychological well-being, and overall engagement is essential to an appropriate response.

In the eight-to-24-hour window, ensure that communication with families is in place. Efforts should be directed toward maintaining effective communication and reducing disruptions so teams can remain focused on patient care. As the time span extends from 24 to 72 hours, the focus shifts to prioritizing and recovering systems. At all times, priorities should be aligned with patient acuity and needs, guided by clinician insight, and dictated by real-time circumstances rather than by the playbook. This is a very different form of disaster recovery, and few organizations know how to do it.

Establishing a mixed command center model, led by front-line personnel focused on patient safety and complemented by a command center that handles operational and legal aspects, can also help ensure a comprehensive and effective response to a cybersecurity incident. It is crucial to adapt to the challenges as they arise, especially when an incident begins outside normal hours. This may require rethinking the composition and operation of the command center so that the response is just as effective at night and on weekends.

As far as system recovery is concerned, simply restoring a system does not make it usable. Recovery processes, especially after a cybersecurity incident, can be lengthy and complex. A restored system still has to be assessed and formally cleared for clinical use, and that clearance is a separate step from the technical recovery.
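The recovery ordering described in Step 4 and in the 24-to-72-hour window above, worked through as an added example. This is illustrative code written for this page, not CloudWave's tooling or a method the article prescribes; the system names, the acuity scale, the dependencies and the validation checks are all constructed assumptions. It ranks systems by the acuity of the patients who depend on them, lets a prerequisite such as directory services inherit the urgency of the clinical systems that cannot run without it, refuses to schedule a system before its prerequisites, and keeps "restored" distinct from "cleared for clinical use".

```python
"""Added example (not CloudWave's code): order system recovery by patient acuity.

Each hospital system is tagged with the highest patient acuity that depends on
it and with its technical prerequisites. The plan restores the systems that
support the sickest patients first without ever scheduling a system before the
systems it needs, and it keeps "restored" distinct from "cleared for clinical
use". Names, acuity scale and checks below are constructed for illustration.
"""
import heapq
from dataclasses import dataclass

# Constructed acuity scale: who is hurt most if the system stays down.
ACUITY = {"icu": 4, "ed": 3, "inpatient": 2, "outpatient": 1, "none": 0}


@dataclass(frozen=True)
class System:
    name: str
    acuity: str                 # highest patient acuity depending on this system
    depends_on: tuple = ()      # prerequisites that must be restored first
    validations: tuple = ()     # checks signed off before release to clinical use


def effective_acuity(systems):
    """Propagate acuity upstream: a prerequisite inherits the urgency of
    everything that cannot run without it (e.g. directory services under the EHR)."""
    score = {s.name: ACUITY[s.acuity] for s in systems}
    for s in systems:
        for dep in s.depends_on:
            if dep not in score:
                raise ValueError(f"{s.name} depends on unknown system {dep!r}")
    changed = True
    while changed:                      # fixed-point iteration over a small graph
        changed = False
        for s in systems:
            for dep in s.depends_on:
                if score[dep] < score[s.name]:
                    score[dep] = score[s.name]
                    changed = True
    return score


def recovery_order(systems):
    """Priority topological sort: highest effective acuity first, dependencies honored.
    Raises ValueError on a dependency cycle, because then no safe order exists."""
    score = effective_acuity(systems)
    indegree = {s.name: len(s.depends_on) for s in systems}
    dependents = {s.name: [] for s in systems}
    for s in systems:
        for dep in s.depends_on:
            dependents[dep].append(s.name)
    ready = [(-score[n], n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (-score[child], child))
    if len(order) != len(systems):
        raise ValueError("dependency cycle: no recovery order satisfies all prerequisites")
    return order


def clearance_status(system, passed_checks):
    """A rebuilt system is only 'restored'; it becomes 'cleared' for care when every
    validation has passed. Returns the status and the checks still outstanding."""
    outstanding = [c for c in system.validations if c not in passed_checks]
    return ("cleared" if not outstanding else "restored", outstanding)


def sample_inventory():
    """Constructed hospital inventory for the example; not real infrastructure."""
    return [
        System("active_directory", "none"),
        System("network_core", "none"),
        System("ehr", "icu", ("active_directory", "network_core"),
               ("orders_flow_to_pharmacy", "allergy_data_matches_paper_record")),
        System("patient_monitoring_gateway", "icu", ("network_core",),
               ("alarms_reach_nurse_station",)),
        System("lab_interface", "ed", ("ehr",), ("results_post_to_correct_chart",)),
        System("pacs", "ed", ("active_directory", "network_core"), ("images_open_in_ed",)),
        System("pharmacy", "inpatient", ("ehr",), ("dose_limits_loaded",)),
        System("patient_portal", "outpatient", ("ehr", "active_directory")),
        System("billing", "none", ("ehr",)),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    for i, name in enumerate(recovery_order(inventory), 1):
        print(f"{i}. {name}")
    ehr = next(s for s in inventory if s.name == "ehr")
    print(clearance_status(ehr, {"orders_flow_to_pharmacy"}))
```

With the constructed inventory, directory services and the core network come first even though no patient "uses" them directly, because the EHR and the ICU monitoring gateway cannot come back without them; billing, which no patient depends on, is last. The clearance check is the point made in the paragraph above: the EHR counts as restored once it is rebuilt, but it is not cleared until a clinician has confirmed, for example, that allergy data matches the paper record kept during downtime.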

Conclusion

The healthcare industry must move from protecting data to prioritizing patients. Understanding the unique challenges and timelines associated with recovering from a cyberattack is key to developing comprehensive, effective, and patient-centered incident response plans. By prioritizing an incident response framework that focuses on patient care, staff well-being, communication with family and friends, and system recovery, healthcare organizations can mitigate the impact of cyber incidents.


About Mike Donahue
Mike Donahue is Chief Delivery Officer at CloudWave, where he manages CloudWave’s security and platform operations in addition to consulting, engineering and advisory services, with a focus on delivering an outstanding customer experience.
