A Guide for Responding to Extended IT Outages in Healthcare
HSCC Task Force Members Describe New Cyber Response Resource
New industry guidance provides a detailed road map to help healthcare sector entities respond to and recover from cyberattacks involving extended IT outages, say Lisa Bisterfeldt and Kirsten Nunez, who are members of the Health Sector Coordinating Council task force that developed the resource.
The HSCC Operational Continuity-Cyber Incident checklist offers a framework for what operational staff, clinical leaders and executive management need to do, especially in the initial 12 hours of responding to a ransomware attack or other cyber incident that results in long, enterprisewide IT outages, says Bisterfeldt, who is cybersecurity program manager of St. Luke's Health System.
The framework aims to help each of the individuals charged with a response role to collaborate with the others, bringing different pieces of information to the table, she says. "For instance, trying to help understand the level of encryption or the size and scope of the cyberattack but also, on the other side, being able to have hospital leaders help communicate the impact that we're seeing at the [patient] bedside," she says in an interview with Information Security Media Group.
"It allows for this collaboration so that our hospital and IT partners - IT and cybersecurity - are responding together in partnership," she says. "It's about bridging that gap between an IT cybersecurity incident response [and] also the continuity pieces that need to fall into place in order for the health systems to be able to support patient care for an extended outage."
Because cybersecurity incidents resulting in extended IT outages "are low-frequency, high-risk events, we often default into what is most comfortable, or muscle memory, and we might not always consider the aspects of response that are needed in that specific threat or scenario," says Nunez, who is senior operations manager for emergency management and continuity at Intermountain Healthcare.
The checklist provides a resource for the various mission-critical tasks, goals and objectives that should be top of mind in a unified response approach to an outage that could disrupt the delivery of patient services in all types and sizes of entities, including small rural hospitals, critical access hospitals, trauma centers and large integrated health systems, Nunez says in the same interview with ISMG.
"This is meant to help maintain continuity of health services," she says.
In the interview, Bisterfeldt and Nunez also discuss:
- Lessons emerging from IT outages in healthcare environments;
- The roles that external third parties, such as law enforcement and forensics experts, often play in cyber incidents involving IT outages;
- Other details about the guidance.
Bisterfeldt manages the cyber resilience program for St. Luke's Health System, based in Boise, Idaho. The nonprofit healthcare system comprises nine hospitals and more than 200 clinics serving communities across southwest Idaho. Its cyber resiliency program includes components of incident response, business continuity and disaster recovery. Prior to transitioning into cybersecurity, Bisterfeldt spent eight years working in emergency management in the healthcare and government sectors.
Nunez is senior operations manager for emergency management and continuity at Intermountain Healthcare, a health system serving Idaho, Utah and Nevada. She has more than 17 years of experience in healthcare operations and joined Intermountain Healthcare's emergency management team in 2017, coordinating preparedness efforts across seven hospitals, including Intermountain Healthcare’s adult level 1 trauma center. Nunez was the 2021 chair for the Utah Hospital Association's Disaster Advisory Council.