MedCity Influencers, Health IT

The best barrier to extended downtime? Education and preparation

Critical applications, medical devices, protected health information (PHI), patient safety, and lives are all at risk when extended downtime occurs. The question is, are you and your team prepared?


In April of this year, Tenet Health, one of the US’s largest hospital care service providers, fell victim to a cybersecurity attack that led to weeks of interruption and cost $100 million in damages. Last May, Scripps Health suffered an attack that halted operations for a month and cost $112.7 million in lost revenue and remediation. The year prior, the University of Vermont Health Network experienced over five weeks of downtime due to a ransomware attack, resulting in more than $63 million in mitigation costs.

What do these three systems have in common? In addition to facing the unfortunate impact of a cybersecurity attack, each organization experienced the detrimental effects of extended downtime. In the past, it was not common for a breach to leave organizations sidelined for more than three days. However, in our current environment, three days have turned into weeks, resulting in major operational disruptions. Critical applications, medical devices, protected health information (PHI), patient safety, and lives are all at risk when extended downtime occurs. The question is, are you and your team prepared? This article explores three questions to consider when preparing for extended downtime.

Question 1: What does extended downtime look like for each department?

The first question to consider is: what are the repercussions of extended downtime? When consulting with clients, I review their latest departmental business continuity plans (BCP) and business impact analysis (BIA). The BIA is the exercise that identifies critical applications and the impacts of downtime. It is imperative to bring department leaders together to walk through a timeline of operations without automated processes. Most departmental BCPs are based on a timeframe of up to three days of downtime; they need to be extended to cover four to five weeks.

Extended downtime can play out in various ways. If medical devices are down, there could be a need to divert patients to other healthcare facilities for chemo, dialysis, ICU, emergency services, and so forth. Insurance payers no longer accept hard-copy claims, and even if they did, coding is automated by your electronic medical record (EMR) system; healthcare billers are no longer trained on how to code claims manually. Not being able to send electronic claims will impact cash flow. In addition, if the payroll applications are down, there is a significant impact on the processes used to pay employees. If the Accounts Payable (AP) system is down, there is an impact on paying critical third-party vendors for essential services. Other aspects of an extended downtime include knowing when to involve legal teams and outside agencies such as the FBI and local police. Imagine the chaos that could occur if a well-defined plan for extended downtime is not in place.

Question 2: How do I conduct a Business Impact Analysis?


A BIA is critical to evaluating any downtime period’s effects on your organization and must be updated periodically for change management. The process of establishing a BIA includes identifying critical applications and documenting:

  • Business activity affected
  • Potential operational loss
  • Potential financial loss
  • Minimum time needed to recover operations
  • Other critical application dependencies

These factors will vary based on the type and severity of a disaster. The operational loss could be the inability to conduct business as usual. Financial loss varies widely but can sometimes range from $3,000 to $5,000 an hour in lost revenue for your organization. An updated, accurate BIA will help you assess which controls need to be implemented to reduce the risk of extended downtime, such as cloud backups or colocation redundancies.

Question 3: Why is education so important?

Unfortunately, there is no silver bullet to ensure cybersecurity. However, education and preparation are essential. While training isn’t a guaranteed safeguard against attack, it is an effective tool to arm your team to know how to respond. I highly recommend tabletop exercises, such as discussing crisis scenarios with various departments and the potential implications for each. What might seem daunting to discuss initially will come into practice should a crisis occur.

Many educational tactics help your team to be better prepared. Along with tabletop exercises, organizations should consistently provide engaging educational events such as webinars, email reminders, video tutorials, and in-person speaker sessions. The National Initiative for Cybersecurity Careers and Studies offers various free tools, as does the Office of the National Coordinator (ONC) for Health Information Technology.

Conclusion

Over the years, technology has evolved in ways that are essential to efficient, effective business operations. However, risk factors remain a reality. Awareness of those factors and ways to combat them requires thinking through the scenarios, educating your staff, and continually updating your BIA and BCPs. Plan today so you can minimize chaos when an incident occurs.

Photo: JuSun, Getty Images

In 2002, serving as Chief Information Security Officer (CISO) for a major healthcare system in New Jersey, Gerry knew he had a problem to solve. After years of manually documenting assessments and trying to keep track of thousands of pieces of data, it was time to build a better solution.

Using his experience as a CISO and HIPAA consultant, Gerry worked with his team to create a structured, automated tool for managing governance, risk and compliance in healthcare, and other industries.

Today, ComplyAssistant provides GRC software and healthcare cybersecurity service solutions to over 100 healthcare organizations of all sizes, focusing on HIPAA-HITECH-OMNIBUS, PCI, NIST, and other federal and state healthcare regulations.

Gerry currently co-chairs the NJ HIMSS Privacy, Security, and Compliance Committee and participates in national and local chapter events that include NY, NJ, and Delaware Valley. Gerry regularly writes for healthcare compliance and health IT publications. He’s an active member, contributor, and speaker at industry association events with HIMSS, HFMA, NJPCA, NJAMHAA, and HCCA.
