Cybersecurity: Rebuilding after an attack
Written by: Jeremy Maxwell, Vice President and Chief Security Officer, Veradigm
*Editor’s note: This is the final part of the Cybersecurity series.
Imagine this near-worst-case scenario: Your organization was the victim of a cyberattack. In my last blog, I discussed what steps you should take during the attack, including the top four questions you should ask yourself to minimize downtime and damage. Now, the attack is over and it’s time to rebuild. What should your next steps be?
First and foremost, your forensic partner needs to give you the “all clear.” Once they’ve determined that there’s no evidence of a threat actor operating in your network and you’ve closed the point of entry, you can begin restoration. Remember that it’s always better to build new systems instead of trying to clean infected ones whenever possible. Hackers are constantly finding new ways to burrow into systems—don’t assume that you’ll always be able to remove all traces of infection.
As you rebuild, have a priority order for system restoration. I recommend the following:
- Clinical – This comes first because patient care and patient safety remain paramount.
- Financial – The goal of cyberattacks is often from a financial perspective, so ensuring you’re rebuilding and fortifying your financial foundation is critical.
- Reporting – Once the clinical and financial systems are back online, the focus can turn to administrative reporting systems (e.g., MIPS) to round out the restoration process.
It’s also crucial that you know which organizations need to be notified of the attack, at both state and federal levels. This can change depending on what was targeted during the attack. For example, an attack that only affected your email system may have fewer notification requirements compared to an attack that targets clinical databases. Always consult with your legal team to understand your notice requirements within your specific fact pattern.
Throughout the restoration process, make sure you preserve key artifacts, such as communications, decision points and reports that were made during the event. Don’t forget to collect artifacts from any non-standard systems. For example, if your email went down and you switched to a personal email during the attack, be sure to preserve those logs, too. You can refer back to this information later in case of litigation or a regulatory investigation.
After you’ve rebuilt, tested and validated the performance of the entire system (including hardware, software, clinical applications, interfaces and configuration), it’s time to revisit your preventative measures and ensure you’re prepared for the future. The Office of the National Coordinator for Health Information Technology (ONC) has issued a series known as the Safety Assurance Factors for EHR Resilience (SAFER) guides. This is a great resource for organizations that want to tackle EHR safety from a variety of angles. The guides contain self-assessments and are categorized into three broad groups:
- Foundational Guides – Your organization should start here, then branch out into your main areas of concern. These guides discuss high-priority practices and organizational responsibilities.
- Infrastructure Guides – Focuses on contingency planning, system configuration and system interfaces.
- Clinical Process Guides – These provide recommendations for patient identification, computerized order entry, test results and reporting, and clinician communication.
Using the SAFER guides, organizations can better prepare themselves and mitigate against the risk of future downtime events.
While this concludes this specific series on how your organization can prepare for and protect against cyberattacks, I will continue working closely across our organization and with other industry experts to bring forth new and innovative best practices to help ensure our patients, and their data, remain safe from cyberattacks.