During the past few years, healthcare organizations have dedicated a great deal of time and attention to ransomware prevention. Given the fact that around two-thirds of organizations experienced an attack in 2020 — marking a significant increase from the previous year, according to HIPAA Journal — the investment is certainly justified.
There is, however, a downside. With so many resources allocated to protecting EHRs, biomedical devices can become particularly vulnerable to cyberattacks, said Todd Bell, CISO & Executive Director of IT Compliance with Valleywise Health, who believes devices are “the next frontier” for the hackers. For leaders, the pressure is on to provide “better visibility” into devices, he said during a recent panel discussion, which also included Rich Temple (CIO, Deborah Heart and Lung Center), Theresa Meadows (CIO, Cook Children’s Health Care System), and John Gomez (CEO, Sensato).
Because breaches involving the EHR can have a widespread impact and pose a more widespread threat to patient care, organizations tend to focus heavily on having the right business continuity plans and safeguards in place. The same, however, can’t be said for biomedical devices. “We do our best to keep up with patching, especially if it’s an infusion pump, but for a lot of hospitals, it’s kind of a blind spot,” noted Bell. “We’ve glossed over medical devices.”
Temple concurred, adding that downtime plans for biomedical devices “are not nearly as fleshed out as the full EHR plans,” even though a cyberattack can cause “irreparable harm.”
During the discussion, the panelists discussed their strategies for creating a solid business continuity plan, including who needs to lead it, what elements need to be included, and the hurdles that will likely present themselves.
“Education needs to happen”
The first component in formulating a plan is to gain buy-in which starts by educating both teams and leadership on why it’s so critical. One way is through tabletop exercises, which can be eye-opening, said Gomez. Sensato, a healthcare-specific cybersecurity firm, specializes in pen testing, and has honed its expertise by working with the FDA and Department of Homeland Security.
“When you move somebody through the weeks after an attack, and all the smart pumps are still down, they start to realize this is a much bigger issue than they thought,” he said. For example, if one smart pump is taken down, every single pump must be locked down until it has been cleared by forensic teams, which could take weeks — especially for hospitals that have hundreds of pumps in use. “We cannot, from a patient safety perspective, trust those pumps.”
Patients, however, still need to be cared for, which presents an extremely challenging situation for nurses who now have to “mentally calculate IV drips and distribute medications,” which most nurses haven’t done in many years — and some have never done, said Meadows. “We have to start thinking more globally about what we would do if that were to happen,” she noted.
Like many organizations, Cook Children’s is building a team to lead downtime prevention and recovery efforts and develop guidelines to follow when equipment or software is down. The problem, she has found, is that a surprising number of clinicians don’t realize how much technology they use on a daily basis. In fact, when Meadows — a nurse by background — has asked nurses to identify all of the potential cybersecurity targets in a patient’s room, most can name the obvious culprits such as the EHR, COWs or IV pumps, but few realize that smart beds and the devices being used by patients carry serious risks.
“There’s a ton of education that needs to happen,” she said, noting that leaders need to facilitate discussions and walk through different scenarios. “For example, ‘If you don’t have an IV pump, what’s the next step? Are we going to lease 500 new pumps? Are we going to stop taking patients to the ICU?’ We need to lead folks through the conversation and use more of our business hat and less of our IT hat to help them think through their options. Because we haven’t taken the time to do that. There’s not enough education for frontline staff on the risks with the medical devices they use each day.”
The question is who needs to be involved in these critical discussions. Although some have tapped the emergency management director, these individuals may lack the skillset to understand the implications of cybersecurity incidents, said Meadows.
On the other hand, clinical and nursing informatics leaders are trained to help users through workflow challenges, and can leverage their expertise to show nurses, doctors, and pharmacists how technology is used in the current processes, then “pull out those pieces and talk about how we can do something different,” she said. “We have to think about these trusted roles we have and get them more involved, because they speak the lingo. They can explain cybersecurity issues in a much less intimidating way.”
Temple has a similar strategy at Deborah, where both biomed and nursing leaders play a role in training clinical staff to “look for any aberrations in how pumps or other medical devices are working, and to report those right away,” he noted. “We need to engage nurses on the ground,” and instill a philosophy of ‘if you see something, say something’ throughout the organization.
“It will get out”
Once something is said, leaders need to act quickly, said Temple. “If a medical device, or a large number of devices, is disabled for even a small amount of time, you now have an immediate patient safety issue and you have to treat it with a level of urgency, with the recognition that minutes and even seconds count,” he noted. “We have to attack those right away.”
Part of that strategy is having a procedure for notifying all relevant parties as quickly as possible to avoid a repeat of the 2019 cyberattack at Springhill Medical Center that may have contributed to the death of a newborn. According to the Wall Street Journal, the hospital’s IT system was offline for more than three weeks, preventing the attending OB from accessing critical data about the patient. The patient’s mother was also allegedly kept in the dark, claiming in a lawsuit that she wasn’t aware of the ransomware incident.
For leaders, the case has served as a cautionary tale, according to Temple. “It really reinforced the need to be as transparent as we can with our community and with our stakeholders as to what is happening and how we’re managing it,” he said. “Obviously there needs to be some control over messaging. You want to make sure rumors don’t get out, but you also don’t want to keep it under your hat, because it will get out.”
“Rip off the band-aid”
And although cases differ quite a bit, leaders must make it a priority to be forthright and tactful, which requires a coordinated incident response plan. “We have to have some underpinnings in terms of how do we engage with internal and external stakeholders, and how do we make sure we don’t have any unanticipated situations,” Temple noted.
Bell agreed, cautioning colleagues to avoid the decision paralysis that often occurs with cybersecurity incidents. “I see a time gap between when it happened and when we communicate it,” he said, which can be the result of PR teams attempting to downplay the event. “Even though they might have the best intentions, I think it’s very important to validate and communicate quickly — rip off the band-aid.”
And although no organization is immune to an attack, those that focus on readiness and resilience will have a leg up, he noted. At Valleywise, safety rounds are regularly conducted, and procedures are in place to immediately notify executive leadership and assign clinical leaders to monitor patients in the event of a breach.
“We’re held to high standards to make sure that doesn’t happen here,” he added. “If you have good business continuity planning and good processes around critical items, it can be prevented.”
“It can’t just be IT”
And that plan has to be driven from the ground up, according to Temple. “It’s not sufficient to have a plan that starts and ends with people in leadership. You need to have people who are engaged in everyday patient care, who are interacting with patients, who know the detailed processes, and who know how things work.”
This, however, is no easy task. With many hospitals crippled by staffing shortages and turnover, the idea of adding more to already overburdened staff isn’t exactly appealing. But if disaster recovery planning isn’t a priority, it will only add to the workload, he noted. “You need to have those plans. But don’t do it in a leadership vacuum. Make sure those are percolating down and that you’re hearing from the people who are going to be most directly impacted.”
Most importantly, those who don’t have a solid business continuity plan need to simply get moving, said Meadows. “Part of the issue is that people don’t start preparing because it’s such a monumental task,” she noted. “You have to find a place to start and work your way through it.”
To view the archive of this webinar — Refocusing Your Medical Device Security Program Around Protecting Human Life (Sponsored by Sensato) — please click here.