Cybersecurity is an ever-present and ever-growing concern facing the healthcare industry. With healthcare consistently among the top three industries targeted for a cyberattack, the need to plan and prepare for one of these events is increasingly critical.
Attacks can range from phishing, where hackers collect internal data from employees through email scams, to data breaches, where sensitive patient and organizational data is compromised, or ransomware, where attackers shut an organization's network down or obtain patient or employee records and hold them for ransom. In 2020, ransomware attacks cost healthcare organizations $20.8 billion.
It's a scenario all too real for Randy Gerwitz, RPh, senior consulting solutions director, pharmacy solutions, who experienced firsthand a ransomware event that shut down his employer's networks.
Everything from writing prescriptions, printing documents, patient room scheduling, and payroll was disrupted. The hospital could not access patient records and much of the pharmacy team's processes had to shift to paper and pen. Team members had to learn new methods for accomplishing everyday tasks and re-learn old methods that had long ago been replaced by digital technology.
"You really don't realize the extent of how intertwined all of your systems are, so even something as simple as using a network printer can become a challenge," he said. "A lot of little things turn into big deals very quickly."
And the nightmare usually doesn't end overnight or even within a matter of weeks or months. Quite often, a cyber event can take nearly a year to recover from, including getting systems back up and running, filing insurance claims and reviewing payroll.
"Payroll systems are generally electronic now with many healthcare employees clocking in and out of shifts, and in a cyber event, you may not have access to these payroll systems, but you still have to pay employees regardless," he said. "This means that as a healthcare organization, you may have to make some assumptions around payroll and then balance budgets and payroll once everything goes back to normal."
Gerwitz says healthcare systems need to be proactive in their attempts to combat and reduce cybersecurity attacks by preparing for the worst and hoping for the best. He, along with his colleague, Gretchen Brummel, PharmD, consulting solutions director, pharmacy solutions, is working to help hospital pharmacies manage and mitigate these attacks through both proactive planning and reactive solutions.
"Healthcare organizations need to ask themselves how prepared they are for this type of interruption," said Brummel. "They need to determine if they have an up-to-date plan, ascertain if plan documents and forms are easily accessible both on and off network in the event of a network loss and ensure staff is properly trained and proficient in the use of downtime tools and procedures."
Preparing for a cyber intrusion
Thoughtful planning and mitigation strategies can serve to strengthen readiness, resilience and effective response and recovery in the instance of an attack. And it all starts with identifying system vulnerabilities.
Gerwitz and Brummel suggest creating a list of operational, clinical and administrative software applications used in the delivery of patient care, including, but not limited to:
- Operational: carousel, ADC, IV room compounding, EHR, RFID, temperature monitoring, repackaging, inventory management, compounding logs, assessment of risk documents, diversion mitigation, electronic room access.
  - Ensuring there's a plan in place for these systems helps the hospital or clinic run as smoothly as possible during a cyberattack.
- Clinical: patient monitoring, laboratory data, patient selection/identification, profile management, high-risk medication management, antimicrobial stewardship, PN ordering, order sets, protocols, drug information, hand-off communication, intervention documentation, REMS programs, medication error/ADE reporting.
  - Ensuring there's a plan in place for these systems helps safeguard patient care in hospitals and clinics.
- Administrative: staffing schedule, policies and procedures, payroll system, training & education, staff on-boarding, communications, 340B split billing.
  - Ensuring there's a plan in place for these systems will help hospitals and clinics uphold HR and budgeting policies and needs during a cyberattack.
They then recommend setting up contingency plans by evaluating current practices and establishing new processes and strategies based on that assessment. Some strategies for doing so include:
- contingency plan for each software application and create a paper backup system, because once this system is down, it may not be easy to bring it back up again
- high-risk medications needed for patient-specific dispensing from pharmacy
- the purchase of a standalone PC or laptop and local access printer that's not connected to the network to ensure printing and access to backup systems and processes
- surge in need for paper prescription pads during downtime and include a plan for replenishment
- departmental downtime manual to provide guidance for in-the-moment response
- communication strategy to keep staff, internal and external customers abreast of the situation as appropriate
- time sheets or similar strategies to document staff hours worked to ensure staff are paid and for efficient balancing of the budget
- post-event evaluation processes to evaluate and address identified gaps and lessons learned
- strategies to ensure compliance with REMS programs and backup communication systems to be compliant with HIPAA
- alternative staffing models to meet patient care needs while safeguarding staff resiliency
- plan for internal ordering to ensure products are ordered and received efficiently
- process for communicating admission, discharge and transfer of patients so patient locations can be tracked efficiently
- list of key vendors and contact numbers
Download the complete Vizient Pharmacy Intrusion Toolkit for a complete checklist of strategies.
"It really does come down to preparation. It's not a matter of if anymore, but rather when a cyberattack will happen," said Gerwitz. "We need to look at how we prepare by planning for an attack, which includes training and maintaining downtime competency of the staff."
Additional tools the Vizient team developed to help healthcare systems prepare for and respond to a cyberattack include tips and strategies via Vizient Blog posts and the Verified Rx podcast. In cases where systems are down due to cyberattacks or other events, Gerwitz and Brummel can help provide customizable tools to help healthcare organizations continue patient care.