CIOs have five key responsibilities upon learning their hospital or health system is experiencing a data breach, according to Patty Lavely, interim CIO and principal consultant for CIO Consulting and former senior vice president and CIO of Gwinnett Medical Center in Lawrenceville, Ga.
At the Becker's Hospital Review Health IT + Revenue Cycle Conference in Chicago, Ms. Lavely delivered a presentation titled "'Medical Center investigating a possible data breach!' - A CIO's perspective on the other side of the headlines."
Ms. Lavely outlined her experience as a senior vice president and CIO of Gwinnett Medical Center when the hospital experienced a data breach. She received a call on her way to work informing her that documents were coming out of several hospital printers with the words “We own you” and a list of patient names. The incident response included the legal, risk, compliance and technology departments. They contacted outside legal counsel and IT forensic consultants.
"When you get the phone call that the network is down, it's like a kick in the gut," Ms. Lavely said. "It sort of took my breath away when I realized we had a problem."
During a time of crisis, she said, the CIO's role includes the following responsibilities:
- Determine immediate risk to system stability
- Provide leadership to security incident command
- Work with legal, compliance and PR on messaging
- Communicate to senior leadership
- Lead the IT staff supporting the forensic investigation
The event took place over three weeks, beginning Sept. 27, 2018, when the wireless phone system at one hospital went down and the threatening documents began printing. The health system then had a denial of service attack on a conference room scheduling app, an anonymous call to HHS reporting the breach and an unsuccessful attack on the email system. The FBI arrived at the hospital following the HHS report.
The threat actor also contacted a security publication to report the data breach and described what they were doing to the hospital. The threat actor also posted on Twitter several patient names and other updates about what was happening.
The hospital had the forensic investigation, which occurred over a three month period to help the hospital understand where the compromises occurred and how much PHI was breached. They then investigated requests from the FBI.
"It became obvious after looking at all the information, [the threat actor] was trying to reach us. I don't know what they would have done if we tried to communicate with them," she said. The threat actor focused on known vulnerabilities, specifically medical devices.
Ms. Lavely outlined the hospital's lessons learned:
- Practice, practice, practice for security incidents
- Biomedical devices are a vulnerability
- Physical security should be part of the governance of the cybersecurity plan
- CIOs must participate in the cybersecurity program
- Board leadership needs to understand the organizational risk
"A real incident is always much different than practice. That goes for any disaster. With all the scenarios you come up with, you can't mimic a real incident, but you can prepare," she said. "I'm very proud of the response of the organization and my team, and I look forward to being able to share part two of this when the FBI finishes their investigation," she added.