For healthcare, cyber attacks can have ramifications beyond financial loss and breach of privacy; a cyber attack can bring the delivery of patient care to a halt. To support the continuity of patient care during and after a cyber incident, this CHIEF Executive Forum resource provides high-level strategic suggestions and trustworthy sources for further information and available tools.
Healthcare delivery organizations can use this to guide them through three key stages of a cyber incident:
Prepare.
- Implement departmental awareness of all patient safety legislation requirements
- Ensure key clinical offerings/patient care can be delivered with no technology available
- Test both the patient care and incident response plans by practicing worst-case scenario drills (i.e., no IT is available, and the crisis must be managed while delivering care and rebuilding technology)
- Create an incident response plan specific to cyber risk.
- Have the right resources, competencies, and relationships in place with clearly defined incident management roles and responsibilities
- Establish a relationship with the security community and the Canadian Centre for Cyber Security (Cyber Centre)
- Prepare a complete list of stakeholders with legal, communications, forensics, and insurance resources (not just IT)
- Ensure vendors are following your organization’s cybersecurity requirements. The Cyber Centre offers guidance on supply chain security at the following two links:
- Perform an annual external audit
- Have defined accountabilities
- Put into place robust metrics, KPIs, and leading indicators
- Create an annual IT risk forecast with an appropriate baseline to measure against
- Put in place security controls (Top 10 security actions, Top Security Enhancement Measures for SMO) similar to financial controls including the review of unsecured third party partners
- Endorse a cybersecurity policy tied to the organizational goal of caring for patients and employee well-being
- Institute cybersecurity awareness training for all employees and leverage existing Government of Canada training and awareness products
- Balance organizational cybersecurity activities between prevention and response
- Give staff the tools required to: recognize a security incident; understand the obligation to report; and feel comfortable and safe following the reporting procedure.
- Make sure your organization has appropriate cyber hygiene by following the cyber hygiene checklist.
Respond.
Teams from cyber incident response and recovery, IT incident management, IT disaster recovery, clinical and non-clinical operations, crisis management, and front-line delivery of patient care must work together.
- Follow tested patient care continuity and cyber incident response plans. The Canadian Centre for Cyber Security (Cyber Centre) offers several planning resources:
- Manage the incident from your pre-established emergency operations centre (EOC)
- Document the incident
- Pre-identify decision makers with the authority to shut down critical systems to prevent further damage
- Communicate clearly with both internal and external stakeholders
- Communicate with the regional security operations centre (SOC) if available
- Set up one communications team for managing the incident and a separate one for updating necessary parties about the incident, including sharing appropriate information with the broader community
Collect data to feed into pre-determined metrics* to improve recovery and inform continuous improvement. Recovery metrics can improve specific recovery aspects or contribute to a cost/benefit analysis of a particular approach. Other metrics might be used for compulsory reporting (in response to an inquiry from an external authority) or information sharing.
*Metrics including but not limited to:
- Maximum tolerable downtime (MTD): the total length of time that a process can be unavailable without causing significant harm to your business.
- Recovery point objective (RPO): the measurement of data loss that is tolerable to your organization.
- Recovery time objective (RTO): the planned time and level of service needed to meet the operational expectations.
Report the incident to the Cyber Centre. Canadian critical infrastructure partners can ask the Cyber Centre for help during a cyber incident. During the containment and eradication phases of an incident, the Cyber Centre Incident Handling team can provide:
- Advice and guidance
- Mitigation and containment
- Digital forensics and artefact analysis
- Malware analysis
- Tactical threat intelligence
- Malicious content takedowns
Recover.
- Protecting data assets and ensuring the threat actor is no longer on the network
- Investigating, collecting, and preserving evidence
- Root cause and post-incident report analysis
- Addressing jurisdictional privacy rules and regulations and actions that might be required
- Sharing learnings with peer organizations (local, regional, national)
- Repairing reputational damage
The Canadian Centre for Cyber Security offers two resources for cybersecurity recovery plans:
- Know who you will need to contact before an event occurs
- Establish working relationships with vendors, the security community, and the Cyber Centre
- Ensure supply chain integrity.
The Canadian Centre for Cyber Security offers three resources for ensuring supply chain integrity
- Operationalize clinical care without digital technology through business continuity planning (BCP)
- Perform tabletop exercises that simulate continuing operations while dealing with an incident and how to return to operational capacity
In Canada, the estimated average cost of a data breach (a compromise that includes but is not limited to ransomware) is $6.35M CAD.
In 2021, the global average total cost of recovery from a ransomware incident (the cost of paying the ransom and/or remediating the compromised network) has more than doubled, increasing from $970,722 CAD to $2.3M CAD.
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
- What types of training programs could the organization implement to ensure all staff members are better prepared?
Code Grey – Where Security Practices Meet Patient Care provides strategic suggestions your organization can implement to improve cyber security resilience.
For more tools and guidance, please refer to the Canadian Centre for Cyber Security website or email them at health-par-sante@cyber.gc.ca
This resource is the first from Digital Health Canada’s CHIEF Executive Forum Cyber Security Working Group, which aims to raise the bar of cyber security in Canadian healthcare organizations and develop a national framework and enhanced guidelines that emphasize people, process, partnerships, and technology working hand in hand. Visit our website for more information about the CHIEF Executive Forum Cyber Security Working Group. Download a PDF copy of this resource at the link below.