Questions and Answers from the Webinar
Prior to the ransomware event, were you HITRUST certified? Are you pursuing this after the event?
John Gaede: No, we have not filed for HITRUST certification and we do not have immediate plans to pursue this at this time given current resources and budgets.
Did your most recent risk assessment include the possibility of a ransomware threat manifesting in your environment?
John Gaede: No, it did not.
If so, what were the existing controls in place and the recommended additional controls to meet the risk retention threshold for the organization?
John Gaede: Key for us was getting our EDR configured fully and promoted across the environment holistically; both of which have been completed.
Was a risk owner designated for this risk and did they approve the residual risk?
John Gaede: My guess is that our next risk assessment would in fact include the ransomware conversation as you are noting here. As an organization we will have to tackle our risk level. There is some sentiment that we have to balance risks and associated IT investments. Our approach will involve People, Process and Technology.
What information was not available when responding to the incident that you would most want available when responding to the next incident?
John Gaede: I would say two key items. First, given the circumstances of this event, not having the right players in place for incident response related to our cyber insurance cost us some precious time in our recovery. Second, having a platform to communicate across the enterprise is the most important link to a successful recovery. This is direct feedback from our Clinicians - Doctors, Nurses, Pharmacists, Clinical Laboratory Scientists, etc. Once we got into somewhat of a groove on paper, our biggest challenge was not having good communication systems in place.
How did you determine what systems to bring back up first?
John Gaede: First and foremost, our core customer did - our patients. We prioritized patient care first. Within the area of patient care, we determined that radiation oncology moved to the top. We also looked at patient safety within clinical applications. We considered what areas functioning on paper put the patients more at risk. We did have to change the prioritized list multiple times. An example was bringing up Johnson Controls for facility services so we could heat our sidewalks so that patients could get into the Hospital without ice buildup.
How did using app virtualization for EHR delivery help in recovery efforts (vs. no app virtualization)?
John Gaede: If I am understanding the question correctly, app virtualization (i.e., running apps through Citrix as an example) rather than doing fat client installs helped with more rapid deployment of applications. We are not currently running full VDI but with more remote work and given our event, we are looking into this and will move forward when we get budget and resource alignment. App virtualization makes good sense at many levels.
What would you have done to prepare your health system to continue providing care if you had a more robust physician informaticist population?
John Gaede: If we had additional resources in the physician informaticist area, we would have had them help us primarily educate Providers enterprise-wide on correct documentation. Getting correct information on the paper record is key to the back entry process - billing, signatures, dates of service, diagnosis codes. All the information necessary to close out the medical record from a billing, compliance and clinical data integrity perspective. Many Providers had not worked in a paper environment before, other than short downtimes, resulting in huge delays in the recovery process.
In hindsight, what measures would you have taken to prepare your system?
John Gaede: First and foremost, have far more robust playbooks (more than just the downtime policy) for each operational area of the hospital. I am talking about Nursing - Medical Surgical, Intensive Care Units, Laboratory, the Emergency Department, Pharmacy, Diagnostic Imaging, etc. Especially regarding continuing care. Exactly to the point. Our downtime process on paper worked the first 24-72 hours, then it broke down. We no longer had the human resources and supplies to manage paper processes for the extended periods of time. Information Services is in the process of working with each operational department to put their key learnings and playbooks into place. It is as practical as having ways to shuffle paper correctly for the medical record.
Preventing an Event:
How do you measure your effectiveness in practice scenarios?
Alfonso Powers: There are some specific areas where questions are important to answer during the progress of a scenario.
How organized was the formation of roles when the scenario was activated? How long did it take to establish a chain-of-command and communication paths?
Was the documented incident response plan followed and relevant?
Was there a documented list of critical applications necessary to sustain business operations? Are the recovery steps of those applications documented?
How was coordination between the teams as the scenario unfolded?
We have a technical playbook but need to mature our patient care side. Is there a playbook for the questions regarding business and clinical decisions?
Alfonso Powers: Unfortunately, there is not a universal playbook that can be comprehensive for all health systems. The best way to develop a playbook and mature the processes is to regularly do preparation exercises with a qualified third-party that has the experience. Incident response firms with a niche in responding to healthcare ransomware events would be a great place to start. CISA also offers some great services complimentary to non-profits that are worth exploring.
What are the top 3 warning signs your system has been compromised?
Alfonso Powers: Specifically, to ransomware, here are some warning signs to watch for that should be monitored and alerted on:
If there was one thing you could have adapted or enforced before the attack, what would it have been?
Alfonso Powers: Adapted – Incident response automation to act during behavioral anomalous detection. Endpoint detection and response technologies should be configured to isolate an endpoint at the first sign of a behavioral anomalous detection; ideally, this should be accomplished with an automation platform and not a manual process.
Enforced – No exception approach to content filtering, email security and endpoint protection. Block all cloud hosted file sharing sites by category, do not whitelist email addresses or whole domains, and always have the endpoint protection software’s enforcement mode enabled.
Collaborating in Healthcare:
Are those hit by ransomware sharing and collaborating with other breach victims to enhance the overall knowledge-base of recovery techniques?
Alfonso Powers: Many of the top incident response firms will occasionally write up case studies on specific breaches without going into a lot of detail that would be confidential. The best ways to be prepared are to regularly go through tabletop exercises with qualified third parties and obtain an incident response retainer with a reputable firm. Incident response retainers often include the ability to use the funds towards other cybersecurity readiness services if not used for a cybersecurity incident during the term.
How can healthcare leaders share the realities of cybersecurity risks and breaches with one another without keying in bad actors to our strategies and protective measures?
Alfonso Powers: Probably the best way is to join specific groups that exist with a focus on healthcare. HIMSS and AEHIS are two that are specific to healthcare but also include spin-off groups that discuss security. Additionally, several VARs have dedicated groups to healthcare with a discipline in cybersecurity.
LinkedIn often has specific groups for healthcare IT leaders with a focus on cybersecurity. Make sure the groups are invite-only and validate a potential member before allowing access to the group.
Network Re-Connect_Generic Draft Version_1 (PDF): https://thisweekhealth.com/wp-content/uploads/2021/10/Network-Re-Connect_Generic-Draft-Version_1.pdf