The Joint Commission says hospitals and health systems should prepare to be on downtime for at least a month following a cyberattack, The Wall Street Journal reported.
The healthcare accreditation agency recently released guidelines it says hospitals should follow in the event of an IT security event. Critical systems often take three to four weeks to restore, while noncritical ones take longer, John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, told the newspaper for the Aug. 25 story. "We just can't stop taking patients in while the remediation happens," he said.
Prospect Medical Holdings, a 16-hospital system based in Culver City, Calif., is still recovering from a ransomware attack it experienced Aug. 3. "We are making significant progress. Some operational systems have been fully restored and we are in the process of bringing others online," the health system told Becker's on Aug. 25.
Phishing — and "smishing" — are the most common causes of hospital data breaches. "If only a few staff respond to a phishing attack, the consequences can be devastating," David Baker, executive vice president for healthcare quality evaluation and improvement at the Joint Commission, told the Journal. He acknowledged that implementing the Joint Commission's cybersecurity recommendations will require "significant effort and expense."