A cybersecurity incident used to be what kept healthcare leaders awake at night. And now things have gotten even worse, particularly in light of the recent large-scale attacks — one of which had facilities offline for weeks — leaving them anxious during the daytime as well.
These days, leaders are “terrified,” according to Chuck Christian (VP of Technology and CTO, Franciscan Health) during a panel discussion. “We’ve had a couple of local health systems hit over the last five years. I’m constantly reminded that it’s not a matter of if, it’s a matter of when.”
And that means organizations need to get tougher — not just in terms of cyber defense, but also business continuity planning.
“We’re seeing a lot of incredibly disruptive events that last a long period of time,” leaving a lasting impact on infrastructure and support areas, not to mention patient care, said Keith Duemling (Senior Director of Cybersecurity Technology Protection, Cleveland Clinic), who also spoke, along with Zahid Rathore (SVP, Healthlink Advisors). “It has reaffirmed the need to really intensify how we approach this.”
Of course, IT and security teams are already well aware of the devastating consequences of cyber events. The challenge, according to Rathore, is in convincing others — especially those in the C-suite — of the need to invest.
“Oftentimes, it seems like they’re pushing a rock uphill and trying to convince the business that they need to invest,” he said. “If the system is down for 30 days, we need to engage the business to define what they will need. This can’t be an IT-led initiative.”
Christian agreed, noting that for those who don’t live and breathe technology and security, “it’s not top of mind how they would run the business if we lost a system.” He added, “My job is to make sure the systems are available for as close to 100 percent of the time as possible.”
An “eye-opening” experience
Doing so, however, requires a shift away from traditional cybersecurity practices, which often focused on short-term downtimes. “That doesn’t work when you’re down for 30 days,” said Christian. It also means looking at other systems that are affected, including ERP, financials, and supply chain, rather than just zeroing in on the EHR.
“You have to figure out how you’re going to run the business without these systems, and make sure it’s practiced enough so that people understand what their roles are,” said Christian. Just as organizations conduct mass casualty drills, the same should happen with outages. The results, he noted, can be eye-opening.
In fact, it was during a network switch failure at his former organization (St. Francis Hospital) that Christian became aware of just how unprepared some physicians were for that particular scenario. “None of the ER staff had experienced being without the system,” he recalled. “They felt they couldn’t take care of patients. And I said, ‘hang on. We did this for decades before we had computer systems. You can get runners to run orders to the lab. The lab can still process them on automated instruments and run the printouts of the instruments back down to the emergency room.’”
It was a classic example of the old adage, “every battle plan is successful until you engage the enemy,” Christian noted. It’s also further validation that when it comes to business continuity planning, organizations need to be doing more.
Duemling concurred, noting, “this isn’t so much a business continuity plan. This is a business continuity strategy with multiple aspects that exist under it. We need a strategy to get this under control to the best of our ability.”
Best Practices
During the conversation, the panelists discussed the steps they’re taking to help prepare their teams for catastrophic events and ensure they’re able to continue to provide care if, and when, they do occur.
- Go beyond tabletops. Tabletop exercises can be extremely valuable, but that alone isn’t enough, according to Rathore. “It’s one important tool, but it’s not the be-all, end-all.” Teams need to know — and document — what the different businesses need to survive a downtime, and what the possible alternatives are, whether it’s a cloud-based solution, an interface with labs, or reverting to paper. “You don’t want an actual event to be the first time they go through that,” he noted. “That gets solved in a tabletop. But saying, ‘we’ve relieved our responsibility because we’ve done a proper tabletop’ isn’t sufficient.”
- Drill down. So what is sufficient? Duemling advised running a drill in which frontline caregivers walk through the process of how to maintain operations without Epic for a prolonged period of time. “We have to continue to move that conversation out of Teams and Zoom, and into real areas where the real care is delivered so that we can gain that higher level of comfort,” he said. “It’s the same thing we do with quality and patient safety.”
- Expand training. Although it may seem counterintuitive in today’s electronic world, it’s important for providers to know how to handwrite a medical record, said Rathore. “It’s another aspect of learning and training,” he noted. “In addition to downtime procedures, what are the fundamentals of capturing a legal record so that when the dust settles, the health system can recover financially?” Of course, patient care is paramount, but the financial implications of being down for 30 days must also be considered. “How can you minimize that impact?”
Duemling agreed, adding that while secondary and tertiary backup systems are critical, “we also have to get into the practice of making sure our caregivers have the knowledge and equipment to be able to sustain operations.”
Business continuity, he continued, isn’t about a quick fix. “It’s not about investing in technology that gets you back up in 10 minutes, but about having a mature process, especially if what you face doesn’t fall into the mold of what you’ve trained for.” The goal is to take a “chaotic event and turn it into something we can manage.”
“Everyone’s responsibility”
For that to happen, it needs to truly be a ‘we’ situation, according to Christian. “Business continuity is just like security,” he said. “It doesn’t reside with one person or one department. It’s everybody’s responsibility.” Part of that responsibility is to facilitate conversations with leaders from across the organization.
At Franciscan Health, for example, every senior leadership meeting includes discussions around “how we’re going to prepare and become resilient,” he said, noting that it’s particularly critical to involve the CFO. “They understand the mathematics: the amount of revenue that we generate on a daily basis and what it would cost us to have to cancel surgeries and other important opportunities to service our patient population.”
Lost revenue isn’t something anyone wants to deal with, particularly given the financial challenges in healthcare. “People are still going to get sick,” said Christian. Therefore, “every leader in the organization has a responsibility to understand how they’re going to run their business unit, department, or facility without systems, and still take care of our patients.”
The archive of this webinar — Rethinking Business Responsibility in the Ransomware-focused Catastrophic Downtime Planning (sponsored by Healthlink Advisors) — is available online.