Written by: Jeremy Maxwell, Vice President and Chief Security Officer, Veradigm
*Editor’s note: This is the final part of the Cybersecurity series.*
Imagine this near-worst-case scenario: Your organization was the victim of a cyberattack. In my last blog, I discussed what steps you should take during the attack, including the top four questions you should ask yourself to minimize downtime and damage. Now, the attack is over and it’s time to rebuild. What should your next steps be?
First and foremost, your forensic partner needs to give you the “all clear.” Once they’ve determined that there’s no evidence of a threat actor operating in your network and you’ve closed the point of entry, you can begin restoration. Remember that, whenever possible, it’s better to build new systems than to try to clean infected ones. Hackers are constantly finding new ways to burrow into systems—don’t assume that you’ll always be able to remove all traces of infection.
As you rebuild, have a priority order for system restoration. I recommend the following:
It’s also crucial that you know which organizations need to be notified of the attack, at both state and federal levels. This can change depending on what was targeted during the attack. For example, an attack that only affected your email system may have fewer notification requirements compared to an attack that targets clinical databases. Always consult with your legal team to understand your notice requirements within your specific fact pattern.
Throughout the restoration process, make sure you preserve key artifacts, such as communications, decision points and reports that were made during the event. Don’t forget to collect artifacts from any non-standard systems. For example, if your email went down and you switched to a personal email during the attack, be sure to preserve those logs, too. You can refer back to this information later in case of litigation or a regulatory investigation.
After you’ve rebuilt, tested and validated the performance of the entire system (including hardware, software, clinical applications, interfaces and configuration), it’s time to revisit your preventative measures and ensure you’re prepared for the future. The Office of the National Coordinator for Health Information Technology (ONC) has issued a series known as the Safety Assurance Factors for EHR Resilience (SAFER) guides. This is a great resource for organizations that want to tackle EHR safety from a variety of angles. The guides contain self-assessments and are categorized into three broad groups:
Using the SAFER guides, organizations can better prepare themselves and mitigate the risk of future downtime events.
While this concludes this specific series on how your organization can prepare for and protect against cyberattacks, I will continue working closely across our organization and with other industry experts to bring forth new and innovative best practices to help ensure our patients, and their data, remain safe from cyberattacks.