COMMENTARY: What happens when a stroke victim gets rushed to a hospital, only to find imaging offline because of a cyberattack?

In healthcare, first responders must make medical decisions dealing with life or death situations in seconds. But when a healthcare organization falls victim to ransomware, the clinical disruptions may go on for weeks.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The impact of ransomware extends far beyond IT. Clinical operations rely on digital technologies. Medical devices fail when the facility loses internet connectivity. Doctors and nurses lose access to patient records. According to a study by the American Economic Association, in-hospital mortality among already-admitted patients rises by an estimated 34% to 38% during the initial phase of a ransomware attack. So, cyberattacks directly harm a healthcare organization’s patient care mission.

Traditional business continuity and IT disaster recovery plans often fail after a cyberattack because they’re built for physical disasters, not digital ones. They rely on geographic dispersion, but in an attack it’s trust in systems, not buildings, that’s destroyed. Because backup sites are usually integrated with production, attackers can compromise both, leaving no trusted environment for teams to recover. And despite “immutable” backup claims, attackers can frequently corrupt or erase backup data, further undermining recovery.

There are few shortcuts to restoring systems post-attack. Teams must forensically examine production environments to determine how the attackers got in, what they created or altered and which backups are uninfected. Without the right tools and preparations, this process can take longer than it should.

Healthcare boards and senior leaders, even when under-resourced and triaging, must confront how completely care now depends on IT systems and automation. There’s no paper-based fallback for radiation oncology, and paper is an unrealistic substitute for EHR workflows, lab and imaging distribution, medication dispensing or scheduling. Manual monitoring, added physical security risks and loss of facilities automation create an unsustainable load on staff trying to run a modern hospital on paper.

IT spent decades developing a body of knowledge around physical disaster recovery, and today few organizations operate without a disaster recovery plan. However, these plans are rarely invoked, while cyberattacks happen weekly. Therefore, healthcare organizations should consider prioritizing cyber resilience, even at the expense of traditional disaster recovery.

Importantly, teams must complete and implement this planning before a cyber incident occurs. In this way, cyber resilience becomes an operational capability that we can count on when a ransomware attack materializes.

Security keeps attackers out. Resilience helps organizations bounce back faster. Both are necessary. Here are five pointers:

- Don’t rely on security alone: Resilience alone means constant firefighting. The isolated recovery environment (IRE) is where immutable backups become a minimally viable working hospital again, in a rehearsed order, on a proven timeline, while the deliberate forensic process of restoring trust in production continues.
- Ensure backups survive: In this era, protecting backup data requires a clean-sheet redesign from the ground up to reliably negate situations where an attacker can obtain Domain Admin level access and do anything IT can do. Ask the question: Are we 100% sure that an attacker with our own Domain Admin credentials and valid MFA codes could not harm our backup infrastructure or destroy data? Assume vendor claims are false until proven under real attack conditions. Contract third parties to independently audit backup infrastructure for true immutability.
- Plan to “find clean” quickly: After an attack, does the company want to restore all its data? Most health systems have 100+ petabytes of data in various forms and locations. Conduct threat hunting simulations on the entire data estate to determine how long it would take to “find clean” (restore points without malware) under real-world conditions.
- Recover in priority order: Identity and Active Directory first. Internal communications next, to aid in coordination. Clinical applications after that, sequenced by patient impact. Orchestrated recovery automation makes this a runbook, not a guess.
- Run automated drills routinely: Fully automated recovery drills inside the IRE beat consultant-led tabletop exercises every time. Repeated execution represents the only proof that the plan works reliably.

There’s no question that the planning and engineering required represent a significant investment of resources and time from a cross-functional team from clinical, operational and technology disciplines. However, given the scale of patient and financial impacts of an attack, teams must implement cyber resilience measures long before an attack occurs. Create a body of reporting documents on how health systems can apply hard-won lessons from previous cyberattacks at other hospitals, including practical steps that demand more leadership focus than capital spending.

In healthcare, resilience gets measured by the continuity of care in a crisis. Unprotected, an organization may default on its patient care mission. By investing in cyber resilience, the same health system can reduce these impacts to patients and safeguard its critical finances.

Josh Howell, Healthcare CTO, Rubrik
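To make the “find clean” and “recover in priority order” pointers concrete, here is a small Python recovery planner added for this page; it is not Rubrik’s, the author’s or any vendor’s code. It models each system with its dependencies and a patient-impact tier, each restore point with the verdict of a malware scan, and the earliest attacker activity established by forensics. Every system name, timestamp and scan verdict in it is constructed, and the helper names (find_clean, recovery_order, build_runbook, sample_catalog) are hypothetical. Per system it picks the newest restore point that both predates the intrusion and scanned clean (a clean-scanning snapshot taken after the intrusion is deliberately rejected), then orders recovery by dependency, identity first, with clinical systems sequenced by tier, and marks anything whose dependency cannot be restored as blocked rather than guessing.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class RestorePoint:
    taken_at: datetime
    scan_clean: bool          # verdict of a malware/IoC scan run against the snapshot


@dataclass
class System:
    name: str
    tier: int                 # 0 identity, 1 communications, 2+ clinical (lower = higher patient impact)
    depends_on: List[str]
    restore_points: List[RestorePoint]


def find_clean(system: System, intrusion_time: datetime) -> Optional[RestorePoint]:
    """Newest restore point that predates the earliest known attacker activity
    AND that a scan found clean. A snapshot taken after the intrusion is rejected
    even when it scans clean: it may carry persistence the scanner missed."""
    candidates = [rp for rp in system.restore_points
                  if rp.taken_at < intrusion_time and rp.scan_clean]
    return max(candidates, key=lambda rp: rp.taken_at) if candidates else None


def recovery_order(systems: List[System]) -> List[str]:
    """Dependency-respecting order (Kahn's algorithm); among systems whose
    dependencies are all done, the lowest tier (identity, then comms, then
    clinical by patient impact) goes first, with name as a stable tiebreak."""
    by_name = {s.name: s for s in systems}
    indegree = {s.name: 0 for s in systems}
    dependents: Dict[str, List[str]] = {s.name: [] for s in systems}
    for s in systems:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown system {dep}")
            indegree[s.name] += 1
            dependents[dep].append(s.name)
    ready = [n for n, d in indegree.items() if d == 0]
    order: List[str] = []
    while ready:
        ready.sort(key=lambda n: (by_name[n].tier, n))
        current = ready.pop(0)
        order.append(current)
        for d in dependents[current]:
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)
    if len(order) != len(systems):
        raise ValueError("dependency cycle: the runbook cannot be ordered")
    return order


def build_runbook(systems: List[System], intrusion_time: datetime) -> List[dict]:
    """One step per system, in recovery order, each with its chosen restore
    point or the reason it cannot be restored yet."""
    by_name = {s.name: s for s in systems}
    restored: Dict[str, Optional[RestorePoint]] = {}
    steps = []
    for name in recovery_order(systems):
        s = by_name[name]
        blocked = [d for d in s.depends_on if restored.get(d) is None]
        rp = find_clean(s, intrusion_time)
        if blocked:
            status = "dependency_blocked"   # e.g. a worklist whose PACS has no clean point
            restored[name] = None
        elif rp is None:
            status = "no_clean_point"       # escalate: deeper forensics or rebuild from scratch
            restored[name] = None
        else:
            status = "restore"
            restored[name] = rp
        steps.append({"system": name, "tier": s.tier, "status": status,
                      "restore_from": rp.taken_at.isoformat() if status == "restore" else None,
                      "blocked_by": blocked})
    return steps


def sample_catalog():
    """Constructed sample data: a toy hospital catalog and a forensics-derived
    intrusion time. None of it describes a real environment."""
    d = lambda day, hour: datetime(2024, 3, day, hour, 0)   # noqa: E731
    intrusion_time = d(10, 2)   # earliest attacker activity found by forensics (constructed)
    systems = [
        System("active-directory", 0, [],
               [RestorePoint(d(8, 22), True), RestorePoint(d(9, 22), True),
                RestorePoint(d(10, 22), True)]),          # post-intrusion, must be skipped
        System("email", 1, ["active-directory"],
               [RestorePoint(d(9, 22), False), RestorePoint(d(8, 22), True)]),
        System("ehr", 2, ["active-directory"], [RestorePoint(d(9, 22), True)]),
        System("imaging-pacs", 2, ["active-directory"],
               [RestorePoint(d(9, 22), False), RestorePoint(d(8, 22), False)]),
        System("radiology-worklist", 3, ["imaging-pacs"], [RestorePoint(d(9, 22), True)]),
        System("scheduling", 3, ["ehr"], [RestorePoint(d(9, 22), True)]),
    ]
    return systems, intrusion_time


if __name__ == "__main__":
    systems, t0 = sample_catalog()
    for step in build_runbook(systems, t0):
        print(f"{step['system']:<20} tier {step['tier']}  {step['status']:<18} {step['restore_from']}")
```

Running the sample restores Active Directory from the 9 March snapshot rather than the newer but post-intrusion one, takes email back a further day because its latest snapshot failed the scan, reports imaging-pacs as having no clean point at all, and holds radiology-worklist behind it instead of restoring a clinical app on top of an unrecovered dependency. In practice the restore-point list and scan verdicts would come from the backup platform’s catalog and the intrusion time from the forensic timeline; the ordering logic is what turns those facts into a runbook that can be drilled repeatedly.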