How does a cyber breach in healthcare impact services and what to do about it. (A real-life account)

Medical records are often a prime target for cybercriminals as they are perceived as high value. Ransomware and social engineering attacks are just a few examples of the different ways criminals can gain access to healthcare organisations to steal healthcare data. It is therefore vital that the healthcare industry has a strong focus on cyber security behaviours, processes and controls. The impact of a breach not only directly impacts patient safety but also brings significant penalties to healthcare organisations covered under regulatory compliance standards. Why your organisation requires information security policies

Working with an experienced and strategically focused Managed IT services provider can align your business with best-practice standards, implement required controls and training and ultimately reduce the risk from malicious breaches.

What exactly is the frontline experience when a breach occurs?

The Impact of a breach in Healthcare - a frontline experience

What Happened?

On 14 May 2021, the HSE (Health Service Executive of Ireland) experienced a major ransomware cyberattack which resulted in the majority of its IT systems nationwide to go offline. By May 28th the HSE confirmed that details relating to 520 patients, including sensitive information, had been published online

It was not until June 23rd that 70% of the computer devices were back up and running and a further 3 months before 95% of systems were back in operation.

So what was it like for frontline staff?

Day 1 Immediate impact, confusion etc

On the first morning of the cyber attack, there was a state of panic and utter confusion on the hospital wards. Access to medical record database systems were closed that morning and as daily referrals to multidisciplinary teams like physiotherapy, occupational therapy, dieticians, etc. are sent online, the patients couldn't be prioritised for review. Hence, each medical chart had to be physically reviewed which resulted in a lot of time wasted when other duties were required to be carried out, like medications rounds, morning observations of blood pressure readings and activities of daily living, etc. To make matters worse, there were already staff shortages due to Covid-19 outbreaks among patients and staff so time was already short. Blood results were also unable to be accessed so there were staff constantly contacting the laboratory for urgent results of bloods or swabs, if the were any critical changes in patients' blood results then the laboratory would contact the nurse looking after the patient to inform of same. A backlog of physical printed results would be sent down but these needed to be sorted manually.

The radiology department was heavily impacted as their systems also could not be accessed. Diagnostic scans and procedures, therefore, were cancelled. Extremely vulnerable and critical oncology patients' safety was compromised as scan results were not available, therefore their chemotherapy treatment was continued for a few weeks without clinical knowledge of their current scan results as per the best clinical decision for optimal treatment.

In Intensive care, only electronic health records are used, unlike in the medical and surgical wards where handwritten notes are recorded. All patient data relating to the patients' progress and care are completed and updated regularly on the computer system which are attached to the patient's bedspace. All medical devices are connected to the IT system for quicker documentation to allow more one on one time for patient care. As a result of the cyber attack all of the critical patients' healthcare data was unable to be accessed and had the potential to result in a significant threat to patient safety. Any health changes which previously occurred could not be accessed so any staff working the day prior to the cyber attack were contacted for further information if required.

What did the breach mean for day to day services and what fallback measures were in place?

For outpatient appointments, the patient's list would normally be printed off from a database in seconds but, as a result of the breach, all the physical patient's healthcare records had to be physically reviewed to check for their follow-up appointments which were very time consuming

Waiting time at outpatient appointments was increased initially as clinicians were unable to access vital information about the patient's care and treatment. As a result, outpatient appointments and scans were then cancelled which in turn added to more delays on already overcrowded waiting lists.

Healthcare providers in a healthcare organisation, eg; primary care, where GPs were unable to order bloods so their patients were required to attend Emergency Departments for blood samples. Urine samples also couldn't be analyzed so GPs needed to treat kidney infections etc, based on the patients presenting complaint.

Months later what has the impact resulted in with relation to how technology is used (then and now)

In some departments of the hospital, PCs were removed due to the cyber security risks in fear of further infection - some of these PCs have not been restored or replaced to date which has resulted in staff queuing up to access other computers and hence taking longer to carry out duties as access to computer systems is limited with staff using the same computers. Some computer systems could previously be accessed readily but now as security measures have increased, all staff are required to log in with their own personally identifiable information and never share login details and always log out prior to leaving a computer unattended.

In efforts against a further healthcare data breach to date, the IT department is regularly sending emails to staff to remind them not to click on links from any unknown senders for fear of any further cybersecurity threats and to ensure any private data breaches are avoided or any further risk of disclosing sensitive information.

Staff Morale impacted

Clinical staff were stressed going through physical charts of patients to access only a part of the information about their care in case of any missing information. Staff were left feeling unsatisfied in their work as patients were suffering from postponed appointments and medical follow-up care. It was incredulous that patient data breaches had occurred and confidential and that sensitive information could be made readily available. Whilst staff have been greatly affected by burnout due to the unsurmountable burden of Covid-19 outbreaks within the healthcare industry, the increased pressure of such attacks on patient records and sensitive health information came as another blow and a burden to staff, as confidentiality and protected health information is paramount to the normal functioning of information technology within health organisations.

Overall impact to the health service and provision of services to the general public

Waiting lists for procedures and outpatient appointments have been most impacted by the healthcare cyber security attack and these have seen huge delays, on top of the already lengthened waiting time due to cancellations of outpatient clinics and radiology scans amid the covid-19 pandemic. Regular security awareness training is required to ensure that cybersecurity in healthcare is a critical part of the everyday functioning of all healthcare organisations.

Simple steps to secure your healthcare organisation

Your organisation should have an IT Strategy closely linked to the business plan to promote healthy alignment between the organisation's goals and the technology that helps achieve the desired outcomes

At a tactical level, every healthcare organisation should have completed at a minimum the below 7 steps and be actually working with a trusted managed services provider to reduce identified risk. Download our 15 step checklist for more best practices

Conduct a Risk Assessment

One way to remain proactive against cyber attacks is to perform risk assessments. These security risk assessments will identify vulnerabilities and weaknesses that can lead to a cybersecurity incident.

Benchmarking the organisation against standards such as NIST or Cyber Essentials is a great place to begin.

Your IT partner will evaluate each identified risk and develop a plan to mitigate these potential security concerns. Conducting these assessments will raise awareness amongst key stakeholders. Furthermore, they provide a tactical roadmap for reducing risk and ultimately limiting the chance of data breaches while also helping you stay in compliance with regulations such as the General Data Protection Regulation (GDPR)

Implement Device Encryption

Using device encryption is essential in keeping data out of the hands of cybercriminals. If not already in place, your IT partner should deploy the built-in encryption functionality in Windows 10 and above.

If your new computers are not part of a secure build process, you should request this is completed at the time of purchase.

If however, you're having to prompt these instructions to your provider, you might need to consider the relationship as this should be proactively provided.

Use Multi-Factor Authentication

Using a username and password combination is simply not effective to keep accounts secure in today's age of cyber threats. Implementing multi-factor authentication is critical in providing an extra layer of security. Biometrics can also further boost security and make it increasingly difficult for hackers to access employee accounts.

Often overlooked is the enforcement of MFA, while enabling MFA is a great step it must be enforced via a policy that removes human error from accidentally leaving an account unprotected.

Check with your IT support company that MFA is both enabled and enforced. What's the difference between MFA and 2FA?

Segregation

Reduce the attack surface of your critical systems by ensuring networks are segregated from each other. Everything from CCTV to Access Control to Radios are now on the network.

It is therefore critical to ensure there is proper network traffic segregation and rules to ensure that if one of these devices is breached it can not cross the network and access sensitive information

Ask your IT support provider to send you the live network diagram highlighting the separation of networks.

Stay up to date and ensure you have continual Patching

Retaining old computers running Windows 7 operating systems might appear to be financially smart however it is these very computers that pose a significant risk of being compromised as they are no longer receiving updates for critical security risks.

Furthermore, not keeping your systems like Windows 10 or 11 on the latest feature releases exposes the organisation to potential compromise.

Implement Mobile Device Management

Mobile devices are often used in healthcare facilities due to their convenience. However, we frequently find that these devices are not protected or have no standards applied.

With an increase in malware and compromises occurring on mobile devices, it's essential that all mobile devices with sensitive information (including email) are part of a Mobile Device Management system (MDM)

Mobile device management allows the organisation to enforce basic standards such as the requirement of a passcode to unlock the device, encryption and should the worst happen and the drive is stolen it can be remotely wiped of the healthcare information

Provide Ongoing Training Sessions

With 90% of breaches beginning with the end-user, educating your staff is critical to staying ahead of cyber threats. Your IT service provider can provide training sessions and ongoing cyber security awareness training to help your team avoid making common mistakes such as opening suspicious emails, clicking on links and giving away login credentials.

We recommend starting with a Phishing test and a risk assessment, your provider can run this for free and test all of your users.

Scheduling ongoing training sessions is important as new cyber threats continue to evolve at a rapid pace. These sessions are a great way to create a work culture that remains vigilant against potential cyber-attacks. How to create a cyber security awareness training programme?

Final Thoughts

Technology plays a big role throughout the healthcare industry. However, cyber threats are a major issue impacting all medical facilities.

Working with a qualified managed IT services provider is key to raising technical standards, policy compliance and fostering a culture of cyber risk awareness. How to choose a Managed Services Provider

These tactics are very useful but they must be tied to an overall strategy as technology has become critical in the diagnosis, treatment and care of patients.

Technology permits us all to achieve productivity and efficacies that were only dreamt about a decade or 2 ago, however with these enhancements comes a responsibility to protect every aspect of the organisation, its staff and most importantly the patients.

We have seen with the HSE the severe and long-lasting impact an incident has on healthcare. Don't be the next target!

Conducting risk assessments, using device encryption, and creating a mobile device policy are just a few of the different ways an IT service provider can improve cybersecurity and help you meet stringent compliance regulations.

We’d love to know more about your healthcare organisation and help with any questions, when you’re ready, just book a meeting below!