In Conversation with...Barbara Pelletreau and John Riggi about Cybersecurity

Barbara Pelletreau, RN; John Riggi | March 27, 2024 

Editor’s note: John Riggi is the national advisor for cybersecurity and risk at the American Hospital Association. Barbara Pelletreau is a former senior vice president of patient safety for a large healthcare organization. We spoke to them about the risks that cyberattacks pose to patient safety and how organizations can prepare for and respond to cyberattacks.

Sarah Mossburg: Thank you for joining us. Can you please tell us a little bit about yourself and your current role?

John Riggi: I am the national advisor for cybersecurity and risk at the American Hospital Association. I have been in this role for about six years. Prior to that, I was at the Federal Bureau of Investigation for almost 30 years and was most recently a senior executive in the Cyber Division.

Barbara Pelletreau: My background is in patient safety and employee injury prevention. I am a retired registered nurse and have worked for more than 45 years in the healthcare industry. My most recent position was senior vice president of patient safety for a large organization overseeing regulatory medication safety, high reliability, harm-event management, and other related areas to improve patient outcomes.

Sarah Mossburg: Can you tell us about the prevalence of cybersecurity attacks and the most common types of cyberattacks on healthcare institutions? How have these attacks evolved over time?

John Riggi: As we review our data from 2023, it seems that 2023 has shaped up to be our worst year in terms of the number and the impact of cyberattacks, specifically the number of individuals impacted by data-theft attacks and theft of protected health information. There were approximately 550 hacks in 2023. Hacks are external, foreign-based computer intrusions that result in the theft of protected health information; in 2023, they impacted 118,000,000 individuals. That number is more than two and one-half times the number of people who experienced hacks in 2022, when 44 million individuals were impacted.

A majority of these attacks is from third-party providers that service healthcare technology providers in services peripheral to hospitals and health systems. The two major types of attacks are data theft and data extortion. We are seeing an increase in attacks that result not only in the theft of data but in foreign-based criminal organizations then holding data for a ransom and threatening to release sensitive information on the open internet or sell information on the dark web.

The type of attack we are most concerned with is high-impact ransomware attacks, which result in the encryption of data or networks that lead to the disruption and loss of the availability of critical medical technology. These ransomware attacks are not only a risk to the patients within the hospitals, but they also prevent access to electronic health records (EHRs) and disrupt network-connected medical technologies such as diagnostic technology.

Sarah Mossburg: Why is cybersecurity so important for healthcare institutions, and what is its impact on patient safety?

John Riggi: Cybersecurity is integral to patient safety because a lot of our care delivery depends on network-connected and internet-connected technology. During a ransomware attack, we lose the availability of that technology, which becomes highly disruptive to care delivery. We have become very dependent on the availability of technology to deliver care since the use of network and internet-connected technology helps improve patient outcomes and save lives. There is significant risk exposure if we are not prepared to deliver the same level of safe and quality care without the availability of technology under emergency conditions.

Sarah Mossburg: Has there been any evidence of patient harm from the lack of connectivity that results from a cyberattack?

John Riggi: There is a credible, probable risk of harm to a patient from a cyberattack. One report from the Cybersecurity and Infrastructure Security Agency in September 2021 studied mortality rates following high-impact ransomware attacks that resulted in extended outages of medical technology.1 The data showed a correlation between high-impact ransomware attacks and unexplained excess deaths that surfaced in a region post-ransomware attack. Cyberattacks can result in system disruptions that lead to delays in emergent care, ambulance diversions, delayed cancer treatments, or misdiagnosis. A study by the University of Minnesota also examined data from the Centers for Medicare & Medicaid Services and showed an increase in in-hospital patient mortality rates for patients admitted at the time of the attack.2

Sarah Mossburg: Before a health system is in the middle of a cyberattack, what strategies can be put in place to prevent harm to patients should the system become the target of an attack?

John Riggi: Leadership must understand that cyber risk is not just an information technology issue or only the responsibility of the cybersecurity components within an organization. It is incumbent upon all the administrative and clinical leaders of a hospital to understand the wide-ranging impact that a ransomware attack would have on every function of the organization. Ransomware attacks can impact any component of care delivery and operational functions.

To understand the impact of a ransomware attack, leaders should ask three simple questions: If you lose connection to the internet or your network and cannot access data, what will work? What will not work? What is the plan? Exploring these questions prompts leaders to consider how they diagnose a stroke patient without a computerized tomography scanner or deliver medications without access to the EHR without knowing what the patient’s drug allergies are. In many cases, these outages—the loss of medical technology—after a ransomware attack can last 30 days or longer. Leaders must create a plan for each department on what will work and what will not work.

In many cases, losing access to the network also means losing access to phones and email. Organizations should prepare for the loss of communications as well and understand the protocol for documenting and communicating and the downtime procedures for every piece of medical and operational technology.

Barbara Pelletreau: It is very important to plan. Hospitals are required to prepare and practice emergency planning for their accreditation. Hospitals plan for natural disasters such as fires and earthquakes, and similar planning should be completed in the event of a cyberattack. Planning is not solely a one- to two-hour meeting or an afternoon planning session, but rather it is having the framework, as John mentioned, a written plan known to all leaders, practice sessions demonstrating execution of the plan, and finally, self-evaluation of their plan or practice. The good news is it is a team sport. Everybody gets to play. Everybody has a part. There is nobody who knows their department better than the director of radiology or director of emergency services or director of nursing. A health system must include its risk manager, chief operating officer, and chief information officer when developing the plans. An executive team lead needs to bring the whole plan together for ultimate coordination.

John Riggi: That integration of emergency management planning with cyber-incident response planning is absolutely critical. We have seen that in the attacks. Ultimately, you have an attack, and suddenly incident command is triggered. Emergency management takes a very strong leading role. Some of the issues which hamper an efficient response to the attack are the lack of integration and coordination between emergency management, cyber-incident response, business continuity, disaster planning, and clinical continuity. How do we continue to deliver safe and quality care without technology? That is not an IT issue. It is a clinical issue. What are the plans for clinical continuity?

Sarah Mossburg: There are several security frameworks available to healthcare organizations. What are the ones that you have used in the past or recommend?

John Riggi: There are multiple frameworks and many different recommendations. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the adopted overarching framework in general for all industries.3 The Healthcare and Public Health Sector Coordinating Council, which is a creation of legislation going back to 2015, mandated the creation of a sector group to work with the Department of Health and Human Services (HHS) to develop cybersecurity practices and voluntary consensus-based practices that align with NIST. They developed the Healthcare Industry Cybersecurity Practices (HICP) that were just updated last year.4 They developed frameworks for different organization types, like small physicians’ practices, small hospitals, and medium and larger organizations.

It is not about picking a winning framework. It is about understanding which frameworks might be most applicable to your organization. We have to look at how they are attacking us. How are they beating us? And irrespective of whatever framework we have, do we have the proper controls in place to help mitigate the current and the evolving threat methodology? Your framework has to be constantly reevaluated. NIST CSF and HICP are absolutely great resources. I would suggest starting there and reading the threat bulletins from the government.5

Barbara Pelletreau: I'll add that the IT team is preventing cyberattacks like a moat around the castle. The IT team maintains the “firewall” and typically leads the training for the front lines to protect the company. While IT is working to stay ahead of cyberattacks, the front line and leadership must be educated to prevent an invasion. The Joint Commission has provided a framework for clinical operations to prevent an invasion as laid out in their Sentinel Event Alert 67.6

A cyberattack somewhat parallels the incident command center that a health system uses in emergencies. The bulletin highlights “make or break” points for harm to patients, like knowing allergies. If you do not know patients’ allergies or medication interactions, you are potentially going to cause harm. It is very important to figure out what these issues are and how you are going to work through them when they occur. Many other clinical operations must be addressed in the cyberattack plan.

Sarah Mossburg: Now that we have talked about planning for a cyberattack, I would like to turn towards the experience during an attack. When a healthcare organization is attacked, what does that usually look like for healthcare workers and patients?

Barbara Pelletreau: Usually what it looks like is that everything you knew yesterday is no longer there today. It is very simple. The work world as you knew it is no longer. All the systems that worked yesterday are no longer available. However, many resources and tools can be developed in advance and be ready to use when a cyberattack occurs. For example, sites that use leadership rounding or department safety huddles can use these same processes to connect with the front lines to keep patients safe. If you're already used to doing leadership rounding, you continue to do that during a cyberattack. If you have daily huddles in your units, you can use those to know and address the immediate safety issues. Of course, these processes also promote the necessary communications during these trying events. Teamwork is certainly important to maintain. All the department leaders should have plans in place for how to communicate with other departments and have their written protocols to activate. Daily internal meetings with leadership are critical to communicating between critical leads, such as IT, nursing, safety, communications, risk, and physicians.

Sarah Mossburg: What IT systems are usually impacted, and how do those affect staff and patients?

John Riggi: It's going to be pretty obvious. It’s just like a blackout. It is similar to when individuals and organizations experience an electrical blackout except the lights are on. Mostly your building systems may be on, but ultimately, all the technology that you normally relied on to do your job is no longer available. Sometimes you may see a ransomware note that appears on some of the computer screens that says you have been attacked. There also may be notices that an attacking group has discovered a vulnerability in your system, and for $10 million, they will tell you where the vulnerability is located and provide a decryption tool. They will exfiltrate a large amount of data (data extortion) and hold terabytes of patient data. They will threaten to publish the data on the internet and sell it on the dark web.

During an attack, one of the first things I see is the loss of diagnostic technology—imaging, telemetry, imaging technology, and radiology. The labs may be disrupted, and the EHR will go down. Anything that would depend upon a network or internet connection may be lost. There is a significant impact there. Plus, you have other systems that are down like telephone and email systems. Most phone lines use Voice over Internet Protocols (VoIP), so if there is no longer an internet or an internal network available, then phones do not work. We have also seen very significant disruption to downtime computers. Downtime computers often rely on periodically connecting to the network to update. Staff will need to manually enter information without it ever touching the network. There will be a loss of all this medical technology and operational technology. Other things, like door access controls, may not work, so you may also have a security issue as well. It is a series of cascading effects, and people in every department begin to understand how much they rely on network-connected technology.

There is a regional impact of a cyberattack as well. It is what I call the ransomware blast radius. Hospitals may need to divert ambulances, patients, and radiation oncology patients to the surrounding hospitals, which then begin to feel the strain and impact. Depending on their capacity level, the other organizations may have delays and disruptions as well. When we talk about incident response planning, we also talk about not only preparing internally across all entities within the organization but engaging in regional incident response planning, cyber-incident response planning. They need to consider a cyber incident a regional hazard that needs to be planned for on a regional basis, just like a fire, flood, or mass casualty incident.

Sarah Mossburg: What are ways that health systems can know if patients are experiencing harm during a cyberattack?

Barbara Pelletreau: Part of emergency planning is understanding what is happening, where patients may be at risk for harm, and what adverse-harm events have occurred. The events reporting system should continue to be used for reporting, but if the system is down, there must be a means for manually reporting harmful events. This effort is critical to prevent further harm to other patients and to best manage any harm that has occurred. In many healthcare organizations, the event reporting system is part of the DNA of how operations report near misses and harmful events. The biggest challenge during a cyberattack is if the electronic reporting system is no longer available and a manual process must go into play. Reporting during a cyberattack should not be a long process because staff are already doing a lot of extra manual steps. Healthcare organizations need to have a simple way for staff to be able to “raise their hand” to report a harmful event or potentially harmful event.

The second part of event reporting during a cyberattack is to make sure that someone is reviewing these events to learn what problems exist or potential issues that could cause harm. Depending on the size of the organization, an individual or an experienced team should be immediately established to review these events and address the issues with clinical operations. Sharing the learnings at the daily leadership huddle would immediately provide the opportunity for leaders to communicate and implement safety measures. As we know, healthcare is very interrelated with the patient at the center.

Sarah Mossburg: How should health systems implement planned procedures, such as an emergency action plan and a cyber-response plan, to maximize success?

Barbara Pelletreau: A lot of good planning goes into this in advance and is practiced over time. Planning can save a huge amount in terms of safety, operations, financial losses—the list goes on. Healthcare providers are already under so much stress when things are working. When there is a cyberattack and systems are no longer available, the preparation and planning will reap the benefits.

Practice is also very important. Planning is only as good as those who sat around the table and planned it, but practice is the key. Whether it's table talk or an actual walkthrough, practice at all levels is the next important step. The last part and perhaps the most important is to have a basic foundation, a culture, of teamwork and partnership at all levels of the organization prior to the disruptive event. A healthcare organization will definitely find out exactly what kind of culture exists when a cyberattack occurs. A good, strong culture of partnership and working together during stressful times will be important.

John Riggi: I use the 4 Rs to describe how to maximize success: readiness, response, resiliency, and recovery. This should also be done at the regional level to prepare for regional readiness, response, resiliency, and recovery.

Like Barbara said, practice is absolutely critical and has to be realistic. Staff need to understand that outages will not be only on the overnight shift or for one system. Staff may be busy, so they must have focused attention on not only business continuity but clinical continuity. Some organizations have designated an office of clinical continuity because it's going to be very hard for individuals to develop their procedures. It has to be done on a system-wide level because there are continuity procedures for the entire system. Then it should be done at the hospital level and then the department level. Practicing the downtime procedures for each department is important even for executives. The executives are going to have to make a lot of “battlefield decisions” in the face of an adversary without all the information, under time constraints, and under duress, just like a law enforcement or a military operation. This is crisis leadership, and they are going to have to make decisions that the FBI is not going to be able to make for them. Practicing is absolutely critical to full integration between all the departments.

Barbara Pelletreau: One key thing I think that distinguishes an organization from others is if they sit down and debrief. What did they learn? What did they need to do? Leaders in the organization need to ask, “What did we do well? What did we not do so well? What can we learn? And what can we share?” Often when these events occur, staff are told to not talk about them, but at some point, you need to share your learnings so that others can benefit.

John Riggi: An after-action report is critical. Staff have to learn from an incident. In law enforcement, whenever there is an operational issue or crisis, we create an after-action report to identify best practices, lessons learned, and the plan for the future. That is part of the cyber-incident response planning: Learn from the incident and then ingest that for future planning.

Sarah Mossburg: What are some mistakes that organizations might make when it comes to their cybersecurity programs?

John Riggi: One of the first challenges is if the organization does not have a cybersecurity program. In this day and age, we need a cybersecurity program, and we would strongly suggest that there is an identified individual for whom a majority of their time, if not all their time, is devoted to cybersecurity.

I also believe that there is a misperception that cyber risk is purely an IT issue. Leadership not treating it as a serious enterprise risk issue is a mistake because over 140 hospitals were attacked in 2023. Those are 140 large health systems, which had multiple hospitals in multiple states. Leaders and staff have to really understand the enterprise-risk nature of cyber risk. It has to be a leadership imperative, and there has to be responsibility and accountability designated throughout the organization for cybersecurity because of patient safety.

Barbara Pelletreau: Agree. The cybersecurity plan should not just be for IT. Phishing is a huge way that they can gain entry, and all employees should be trained on the basics and reinforcing when things are reported, or there could be a breach in security. It's the same thing in safety. If something doesn't look right and a patient may be harmed, creating that culture of raising your hand and speaking up is key.

Sarah Mossburg: Where would be an important place to start for an organization that is just starting to think about the patient-safety aspects of a cyberattack?

John Riggi: I would start with what plans you have in place right now. Start with what you have. Do you have procedures in place? If you have plans in place, look for the adequacy of plans. Do they truly cover your downtime procedures in clinic? Do you have clinical continuity procedures for every piece of medical technology within the organization? Understand what the impact would be if you lost an internet network internally but also, who else depends upon your organization for services? If you went dark, how many physician practices do you have? How many radiology centers? How many other third parties might depend upon your network availability? What is that cascading disrupting effect if you go dark? Who else would be impacted?

Sarah Mossburg: Is there anything else that we did not discuss that you want to briefly mention?

Barbara Pelletreau: The world has changed, and we have amazing IT folks doing great work to prevent attacks, seal the IT walls, and keep everything fully functional within the network. IT allows the clinical staff to deliver patient care efficiently. But it is a new day with the dramatic increase of cyberattacks. Identifying a clinical point person to partner with the IT lead and pull together a response plan for when there is a cyberattack is critical for operations and prevention of patient harm.

John Riggi: The frequency, severity, and impact of disruptive cyberattacks have increased dramatically over the last several years, especially 2023, and we need to be prepared for that. And ultimately, when hospitals are attacked with ransomware, lives are threatened, and we need to plan accordingly.

Sarah Mossburg: Thank you both so much. We appreciate your time.

References

1. Cybersecurity & Infrastructure Security Agency. Provide Medical Care Is in Critical Condition: Analysis and Stakeholder Decision Support to Minimize Further Harm. CISA; 2021. Accessed February 11, 2024. https://www.cisa.gov/sites/default/files/publications/CISA_Insight_Provide_Medical_Care_Sep2021.pdf

2. McGlave CC, Neprash H, Nikpay S. Hacked to pieces? The effects of ransomware attacks on hospitals and patients. Accessed February 11, 2024. https://business.depaul.edu/academics/economics/news-and-events/Documents/Ransomware_Manuscript.pdf

3. National Institute of Standards and Technology. Cybersecurity framework. Accessed February 11, 2024. https://www.nist.gov/cyberframework

4. U.S. Department of Health and Human Services HHS 405(d). Health industry cybersecurity practices: managing threats and protecting patients (HICP 2023 Edition). Accessed February 11, 2024. https://405d.hhs.gov/information

5. U.S. Cybersecurity and Infrastructure Security Agency. Cybersecurity Alerts and Advisories. Accessed March 1, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories

6. The Joint Commission. Preserving patient safety after a cyberattack. Sentinel Event Alert. Issue 67. Published August 15, 2023. Accessed February 11, 2024. https://www.jointcommission.org/-/media/tjc/newsletters/sea-67-cybersecurity-7-26-23-final.pdf

This project was funded under contract number 75Q80119C00004 from the Agency for Healthcare Research and Quality (AHRQ), U.S. Department of Health and Human Services. The authors are solely responsible for this report’s contents, findings, and conclusions, which do not necessarily represent the views of AHRQ. Readers should not interpret any statement in this report as an official position of AHRQ or of the U.S. Department of Health and Human Services. None of the authors has any affiliation or financial involvement that conflicts with the material presented in this report. View AHRQ Disclaimers