An important component of any cybersecurity plan is knowing what to do when cyberdisaster strikes. For ASCs, this means creating a disaster recovery continuity plan, which should be fluid and adjustable as needed.
The first step is to look at the kind of backups available to the organization, according to Nelson Gomes, CEO of PriorityOne Group. Different cyberattacks require varied recovery plans. For example, if the ASC’s server sustains a ransomware attack, then data that were backed up at a secure and separate location could help restore the server and, possibly, minimize the amount of time it is unavailable. But ASC leaders need to know exactly how this recovery will work and how much time it will take.
“It’s imperative that you test it and understand what the recovery time is for one system or for all your systems,” Gomes stresses. “Your organization needs to know what happens when the system goes down and what amount of time it will take before it comes back.” A lot is riding on this information, such as whether the surgery center has to postpone and reschedule patients. “If the system is down for four hours, then you’ll need to notate everything via paper, and there should be a plan around that,” Gomes says.
The last thing ASC leaders want when a cyberdisaster strikes is to wing it and figure out the logistics in the midst of the crisis. Put in place a disaster recovery continuity plan that details how the center will capture information during a cyberdisaster and what each staff member will be responsible for.
“Prepare for certain things as best you can, including how the cyberattack will affect your organization’s reputation,” Gomes says.
Transparency with patients is vital, but they need to be notified with useful information. Suppose a patient’s procedure is scheduled for 8 a.m. the morning after an attack shut down all electronic data, and no one anticipates servers coming back online until that afternoon. In this situation, ASC staff can tell the patient that there was a computer breach, that the center is handling everything on paper, and that they will need more time to prepare for the surgery, Gomes explains.
Also, an organization’s IT staff or contractors should be skilled and capable of fixing cybersecurity vulnerabilities. They should be able to assess a surgery center’s weak points and offer concrete guidance on fixing them. Ignoring potential cybersecurity weaknesses is risky.
“Sometimes, sticking your head in the sand is not a good thing, so educate yourself and be aware of what you need to do,” Gomes says.
Another continuity plan should cover a potential attack on monitoring devices. Hackers have targeted these devices to manipulate them in ransomware schemes. If a surgery center’s monitors are shut down in a cyberattack, the risk to patients is high. Crafting contingencies for this breach is important, too, Gomes notes.