As the summer of 2023 drew to a close, cybercriminals seized the moment to unleash chaos on a healthcare system. Multiple healthcare facilities and their associated medical services were impacted, exposing vulnerabilities in the health system’s digital infrastructure.

This attack severely disrupted hospital operations, affecting billing processes, elective procedures, and critical medical imaging. The inability to bill Medicaid posed significant financial challenges, while staffing shortages raised the possibility of activating the Medical Reserve Corps.

Despite eventual system restoration, lingering financial issues prompted legislative scrutiny. This incident also brought to light critical gaps in the state’s emergency response capabilities, emphasizing how a single can cascade across a healthcare network.

Although this incident dealt a devastating blow to the health system, the experience offers valuable lessons for other healthcare organizations.

Learnings from a hospital cyber attack

1. Coordination is key

Effective incident response (IR) preparedness should never take place in isolation. To strengthen your organization’s cybersecurity incident response, consider the following strategies:

  • If your organization has shared connections, consider including representatives from satellite offices and affiliates in your planning meetings
  • Coordinate with neighboring facilities. They can play a pivotal role in lending on-site resources to aid in recovery efforts, significantly enhancing your incident response capabilities.
  • Involve third-party partners such as legal teams, cyber insurance, and trusted incident response personnel in your preparedness efforts. Inviting them to join in on your tabletop exercises can help ensure their expertise is seamlessly integrated into your incident response strategy.
  • Establish a communications framework and immediate response protocols to minimize the impact or contain the spread. Where feasible, align resources to support affected facilities.

Health systems also benefit from collaboration with government agencies to bolster their incident response readiness for cyberattacks and other crises. Preparedness assistance from government sources is often accessible to those who invest time in building relationships and seeking guidance from local emergency services offices.

2. Fortify your finances

Understandably, cyber incident recovery efforts typically prioritize the restoration of network operations and the ongoing treatment of patients. While important, it’s also crucial to ensure your hospital has access to the necessary funds to pay bills.

There have been cases where bank accounts have been frozen and access to business accounts restricted as a precautionary measure by the bank to protect them from potentially being impacted by the breach.

To ensure that you’re able to maintain the financial stability of your healthcare organization during and after a cyber attack, it’s essential to involve your Chief Financial Officer (CFO) and Chief Human Resources Officer (CHRO) in your cybersecurity incident response planning.

An important question for these teams to consider is: If your timekeeping solutions become inoperative due to a cyber incident, what arrangements has your healthcare organization made to ensure the fulfillment of operating expenses?

3. Consider continuity of care

The cyber attack’s disruptions to critical hospital functions highlight the indispensable role that technology plays in modern healthcare delivery. To ensure continuity of care, it’s a good practice to identify your essential services and put backup measures in place. This way, even in the face of a significant cyber incident, you’ll increase the likelihood that your organization can continue offering care to patients, even in a diminished capacity.

For example, some hospitals keep a packet of paper documents for when digital systems are down. If you employ this procedure, make sure these packets can be easily copied as you may need to rely on this approach for a longer duration if necessary. With that in mind, consider that printing might not be an option during such incidents, so making copies or running to a copy store could be a practical contingency.

The key is to be prepared to keep your healthcare services running smoothly.

4. Support your staff

One common challenge during a cyber attack on a hospital is the disruption and strain it places on human resources. In some remote locations, the option to divert patients to a nearby facility may not be feasible, and that’s where volunteers can step in to provide valuable support. For example, volunteers can help by focusing on administrative tasks, allowing doctors and nurses to shoulder a greater load of active, hands-on patient care and monitoring.

Building strong relationships with neighboring hospitals and medical offices can also prove invaluable. These connections can provide much-needed support, not only in terms of IT resources but also for medical personnel. Additionally, it’s worth exploring partnerships with local colleges and trade schools that offer IT and Nursing programs. You may find willing and capable individuals who are eager to lend a helping hand in such critical situations, further bolstering your response capabilities.

5. Be cautious in your communications

At some point during a cybersecurity incident, your public affairs or marketing team will need to communicate with the community, beyond the obligatory notifications to organizations like the Department of Health & Human Services (HHS) and the Office for Civil Rights (OCR).

Effective and transparent communication is crucial when managing a cybersecurity incident—and the details and narrative matter. Keep outward-facing messages brief, factual, and straightforward to prevent the need for later corrections.

Patience is also important. While each situation varies, typically impacted parties receive notifications within 2-4 weeks following the initial declaration of an incident.

For guidance, consult your legal team or consider specialized crisis communication teams (offered by some insurance companies), and refrain from prematurely signaling an “all-clear” if the situation is still uncertain.

 6. Set realistic expectations

In the event of a cyber attack on your healthcare organization, various government agencies will have questions. Embrace this reality and collaborate closely with your legal team and advisors to formulate an appropriate response.

It’s also worth noting that it’s good to manage expectations regarding law enforcement, including local, state, and federal agencies. Their primary involvement usually occurs after the fact to support any cases against the responsible threat group. Additionally, they may provide valuable indicators of compromise to aid forensic and response teams.

However, it’s important to understand that their involvement typically concludes at this point. While there can be exceptions based on specific circumstances, it’s advisable to view any additional support beyond what was mentioned as a potential opportunity, rather than an expectation.

How people, process, and preparedness lead to better cyber protection

The increasing frequency and severity of cyberattacks targeting healthcare organizations indicate that a significant incident is a question of “when,” not “if.”

To safeguard patient care and data, healthcare organizations must foster collaboration with government agencies, share insights, and consistently

While the insights provided above are critical components of the cybersecurity puzzle, the primary takeaway is that cybersecurity incident response is a collective effort, not just the responsibility of the IT department.

Incident response activities should also start long before an actual cyber attack. Whether an incident spans a month or more depends heavily on an organization’s preparedness level.

In addition to robust administrative components, the effectiveness of monitoring, comprehensive log retention, dependable backups, and reliable endpoint detection and response technologies all play pivotal roles in expediting an organization’s ability to swiftly return to its primary mission: delivering quality healthcare to the community.

For insights from another real-life cyber incident, check out our on-demand webinar, From crisis to recovery: Lessons learned from a hospital’s ransomware attack.