CHICAGO – It's the most valuable data on the dark web, and with 76% of healthcare organizations paying the ransoms, "we're funding the attacks ourselves," said Nate Lesser, Children's National Hospital's vice president and CISO.

Ransomware is the chief concern keeping hospital and healthcare cybersecurity officers up at night, Lesser said at the 2023 HIMSS Global Health Conference & Exhibition here on Wednesday. 

While budgets and reimbursements are down and payroll is up, there's not enough information security talent to go around even if the money were there, he said.

To complicate matters further, artificial intelligence "is improving attackers' ability to launch highly sophisticated social engineering phishing attacks." 

Considering that the average healthcare data breach lifecycle is 329 days and compromises the ability to deliver patient care, it's clear that cybersecurity must be "a team sport," said Lesser.

He advised conference attendees to work within their organization's existing incident response mechanisms to create and practice a cyber incident protocol that involves all employees – from facilities staff to surgeons.

At Children's, all the hospital's employees are considered "force multipliers" – they know they have to act quickly to reduce "the blast radius" when a "code dark" is called.

Lesser said he was fortunate that an emergency response framework was already well-built at the hospital.

"It's all about folding it into things that are already working."

He said the hospital chose "code dark" to trigger full-scale cyberattack response because employees are trained to respond to codes. To help contain the attack and improve the speed of recovery after a cyberattack, employees are asked take the following steps:

• Disconnect workstations and internet-connected devices.
• Await instructions from the IT department before reconnecting computers.
• Report to managers for specific downtime actions.
• Know and follow emergency policies and procedures.

Hospital cyberattacks call for all hands on deck

Lesser added that in launching an organization-wide cyber response protocol, it's critical to get executive leadership support and to partner with device owners, like radiology departments. 

But "code dark" won't work unless employees exercise the steps, develop department policies, have downtime procedures in place, exercise more, train on downtime procedures and exercise all the steps again.

It seems simple, but "none of this makes any kind of difference if you don't put it in writing, if you don't train your staff, if you don't exercise," he said.

Exercise is so critical to operationalizing "code dark," because employees need to learn how to recalibrate for downtown procedures. 

They can't print downtime sheets when printers are offline or access controlled medication if they don't know where the key is to switch the automated medication dispensing system to downtime mode, he said. Exercise can prevent employees from feeling confounded if an attack were to initiate the procedure.

To present cyber response protocols to individual teams and departments throughout the organization, "go to meetings that are already happening," Lesser said. 

He noted that calling and timing a "code dark" is a "fine line" the hospital is still trying to figure out. 

Also, "with a highly sophisticated ransomware attack that is compromising the main controllers and moving really quickly across the network, I'm not sure we'll be able to call it in time," he said. 

"But I am sure that by having this conversation with your staff, you are automatically improving your chances."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.