Healthcare CIOs have hopefully all now heard and heeded the warnings regarding enhancing their organization’s cybersecurity posture, both in terms of technological sophistication and of staffing and staff awareness. Clearly this new threat has grown exponentially over the course of the last several years, and it seems likely that it will continue to escalate further. The financial and reputational costs of a breach are very large and often last for years, as witnessed by recent multi-million dollar fines levied against organizations several years after the initial incident occurred.
"During our anonymous attack experience, we withstood a number of different disruptions, each of which caused different operational challenges for us"
Yet I remain concerned that our focus has been too narrow, with the safeguarding of our patients’ data as the primary issue. Of course, we obviously must ensure that this data remains well-protected and out of the hands of the “bad guys.” We have certainly heard about the value of health records on the open market and how it remains enormously profitable for hackers to go after this information. And as mentioned above, there’s obviously the very real concern of very large financial penalties imposed on organizations for HIPAA violations, and all the other financial losses that go along with a breach.
But there’s an important lesson that I learned back in 2014 when the hacktivist group Anonymous attacked us at Boston Children’s Hospital, and that I have seen play out more recently at hospitals around the country that likewise have been subject to ransomware and other cyberattacks. And that’s that these cyberattacks have the ability to cause major disruptions in the actual provision of care to patients, and to the general operations of a healthcare organization.
During our anonymous attack experience, we withstood a number of different disruptions, each of which caused different operational challenges for us.
First, we experienced a massive distributed denial of service (DDoS) attack on our network, which briefly caused an interruption in both inbound and outbound Internet access. During that interruption, any clinical function that depended on Internet access was rendered unavailable. As an example, even though our EHR remained functional, the ability for providers to electronically send prescriptions to pharmacies was temporarily impacted, and manual workarounds had to be implemented. Had the outage lasted longer, other more fundamental operational tasks would have required workarounds as well—for example, the ordering of medical supplies to maintain sufficient par levels throughout the enterprise, or even sending employee payroll information to banks.
We also experienced direct attacks on exposed firewall ports and services, requiring us to shut down patient and provider portals, research projects and philanthropy sites, all as a means of protecting ourselves from these attacks. All of these actions, while necessary to ensure the security of our network, had significant disruptive effects on our communication with our patients and referring providers, research collaborators around the world, and to potential donors to our organization.
Finally, we experienced a massive influx of malware-laden, spear-phishing emails, designed to provide a means for the attackers to get access to the portion of our network behind the firewall, and in turn to sensitive applications and data. We needed to ensure all malicious email was quarantined appropriately, and an alert was sent out to staff about the absolute importance of not clicking links or opening attachments unless absolutely sure that they were safe. To this end, we took a proactive step, and temporarily shut down our entire email system. As with the shutdown of our external web sites, this was an extremely disruptive action, though one which we felt necessary. Communication in a large organization is severely impacted without email, and though we all sometimes wish for an “email holiday,” many critical operational functions rely on email as their mechanism for communication. It was only because we had fortuitously recently implemented a secure internal texting platform (for HIPAA compliance) that we had an alternative means of electronically communicating critical information to our staff during this email downtime period.
These examples serve to highlight that strong defenses as well as operational contingency plans need to be put in place to safeguard our organizations and our ability to ensure clinical operations. Although protection of data is clearly a high priority, I submit that ensuring that we are able to effectively and safely provide care for patients is priority number one.