Cyberattacks Are on the Rise. This New Resource Can Boost Hospital Preparedness.

March 02, 2021

Especially during COVID-19, hospitals and patients, alike, are increasingly leveraging on technology to conduct everything from patient visits to reservations for vaccination. With this enhanced reliance on digital communications, cybersecurity is vital to preserving the normal functioning of health care organizations and protecting patient information. 

The effects of a cyberattack can range in severity and can include:

• Loss of patient data or payment information
• Theft of intellectual property
• Exploitation of medical device vulnerabilities that lead to disruption of functionality or could cause a patient physical or mental harm

Ransomware—software that locks user information until the owner pays a sum—has become one of the most common methods of cyberattacks during recent years. Ransomware threatens the availability of critical systems, leaving organizations unable to provide services or products relied upon by patients and health professionals.

While larger organizations have dedicated resources to improve their resiliency, some small- to medium-sized organizations may lack the scale to staff dedicated teams of cybersecurity experts that can assist with responding to and mitigating a cyberattack. Recently, the U.S. Department of Health and Human Services Office of the Assistant Secretary for Preparedness and Response (ASPR) released Healthcare System Cybersecurity: Readiness and Response Considerations, a resource to help hospitals and health systems effectively care for patients while maintaining business practices and readiness in the event that a cybersecurity incident impacts the health care operational environment.

The planning document provides resourceful links as it relates to cyberattacks under the four phases of emergency management:

• Preparedness
• Mitigation
• Response
• Recovery

An accompany ASPR webinar also walks users through the document.

Hospitals and health systems are encouraged to take several steps when reporting a cyberattack, including:

• Contacting the Federal Bureau of Investigation with the date, time, and location of the incident; type of activity; the number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact
• Contacting the Cybersecurity and Infrastructure Security Agency to request incident response resources or technical assistance related to these threats

HAP’s emergency management team continues to monitor information about emerging cyber threats and cyberattacks, and will inform members about updates. If your hospital would like additional preparations or assessments, please reach out to Joe Tibbs, president of HAPevolve, to get comprehensive support for your cybersecurity needs.