Are hospitals and health systems truly prepared for cybersecurity attacks?
The Feb. 21 cyberattack on Change Healthcare along with the increase of cybersecurity and ransomware groups targeting the healthcare industry has raised concerns about hospital and health system security, especially their downtime procedures when technology and critical systems get knocked offline.
"I think what we've certainly learned over the last 90 days is that technology is great, and we should use it and promote its use. But the more we embed ourselves in the technology, the less prepared we are when that technology doesn't work," Zafar Chaudry, MD, senior vice president and chief digital and information officer at Seattle Children's, told Becker's.
Per the American Hospital Association, numerous healthcare facilities have contingency plans in place to sustain operations without relying on technology for up to 72 hours, and in some cases, as long as 96 hours. But cybersecurity experts told NBC Washington in a Feb. 8 article that this isn't enough.
Experts suggest that hospitals should create plans to keep running smoothly even if all their technology is down for at least 30 days. But hospitals aren't close to being able to implement those plans, according to John Riggi, the cybersecurity and risk national adviser for the American Hospital Association.
This comes as the HHS stated that cyber incidents on hospitals and health systems have led to "extended care disruptions, patient diversions to other facilities and delayed medical procedures, all putting patient safety at risk."
"We've had many recent cyberattacks in healthcare. And what I've learned is that we're not ready for business continuity or disaster recovery," Dr. Chaudry said. "What is interesting to me is the better we get at using this technology, the further away we get from what would happen if we didn't have it."
In 2023, health systems experienced 46 ransomware attacks, up from 25 in 2022 and 27 in 2021, according to a report from cybersecurity firm Emsisoft. Ransomware was even listed as one of the biggest safety concerns in health technology for 2024 by nonprofit patient safety organization ECRI.