Cybersecurity resilience takes center stage at CHIME Fall Forum 2024
In healthcare, the stakes of cybersecurity are uniquely high. A single breach can disrupt patient care, paralyze operations, and compromise sensitive data on an unprecedented scale. This reality became starkly clear in February 2024, when the ransomware attack on Change Healthcare sent ripples across the industry. Even organizations unaffected by the breach felt the pressure to reevaluate their cyber defenses, response plans, and vendor relationships.
At the CHIME24 Fall Forum, healthcare leaders dissected the lessons learned from recent high-profile incidents like the Change Healthcare breach. From panel discussions to hands-on workshops, the event emphasized a unified theme: cybersecurity resilience. With downtime procedures, supply chain risk, and recovery plans under the microscope, attendees walked away with actionable strategies to fortify their organizations against an increasingly complex threat landscape.
Change Healthcare breach spurs sector-wide reflection
The February 2024 ransomware attack on Change Healthcare sent shock waves throughout the healthcare sector. While an informal raise of hands in one CHIME Fall Forum session found around 40-50% of organizations had experienced a cyber event in the last year, the Change Healthcare breach has sparked a new focus on several critical cybersecurity resilience factors, including supply chain risk and downtime procedures and recovery.
The aftermath of the Change Healthcare breach revealed some startling statistics. An American Medical Association survey found that 80% of clinicians lost revenue during the breach and 77% experienced service disruptions. Serious supply chain disruptions were exacerbated by cash flow challenges, delaying or preventing supplies from being purchased.
Many attendees’ organizations have had to grapple with the downtime and patient care disruptions (for example, inability to process pre-authorizations) during the Change Healthcare breach event. Attendees at CHIME24 were clearly engaged and eager to learn from panelists who covered cybersecurity resilience, including cyber event practice sessions known as “tabletop exercises.”
Lessons learned from recovery and restoration
Two panelists participating in “Cyberattack Recovery: The Good, the Bad and the Hardening” reported that a recent downtime event had revealed many lessons learned on cyber event response and the long recovery process.
Lonnie Garrison, Chief Technology Officer at Ardent Health Services, shared that “when it comes to incident response and recovery, it is people, process and technology — and the technology is the least important.”
He also stressed that organizations will necessarily have to lean on their third-party vendors and suppliers. “The term ‘people’ includes your third parties,” he said. “These fall into two buckets: vendors and partners. It is important to know — and you will soon find out — who your partners are; they will jump ‘all in’ with support.”
From an incident response and process perspective, organizations have learned that the first thing that may happen is that systems are shut down and parts of the organization are disconnected from the internet.
Anika Gardenhire, RN, CHCIO, Chief Digital and Information Officer at Ardent Health, advised that full recovery and restoration may take months. During that time, operations will look entirely different.
For instance, her organization took an “all-hands-on-deck” approach to recovery. IT staff were formed into various teams and work groups, which meant diverting from their normal work assignments and focusing on recovery tasks. Other staff worked on teams assigned to problem-solve logistical and process challenges, including converting to paper, creating forms that mimicked computer-based processes, and buying supplies such as toner and printer paper (and doing it without internet access). Finally, communication and coordination were accomplished by using in-house tools such as Microsoft 365 Teams, calendar, OneNote, internal filesharing, etc.
In terms of restoration of applications, Garrison emphasized the importance of a robust application inventory. “If you don’t have one, you will be building it on the fly during the incident,” he said, adding that a prioritized list prevents internal lobbying and ensures efficient recovery.
Another important initiative that evolved as an outcome of the Ardent Health incident was a move to implement Application Portfolio Management with ServiceNow as a source of truth.
Finally, Gardenhire noted, “Once you begin to bring applications back online and move towards normal operations, you will need to convince your partners to reconnect with you. You will need a ‘Clean Bill of Health’ letter as soon as possible. It’s important to determine who can write it and attest to it. If you don’t have a plan for this, it can be your long tail in your recovery.”
These recovery stories underscored the value of preparation, a theme reinforced by tabletop exercises.
Recipe for resilience: Practice, practice, practice
Many organizations are beginning to execute “tabletop exercises,” which are practice sessions with planned simulations of a cyber incident. This is initially done as a paper exercise, sort of like reading lines from a play, but can progress to a “live fire exercise” with various degrees of electronic event simulation.
Panelists from an Executive Cybersecurity Workshop, “How to Keep Your Tabletop from Warping,” advised that executing tabletop exercises can help refine your list of prioritized systems/workflows and better understand who needs to be involved and who makes decisions at what point in the response. They explained that tabletop exercises involve planning, defining scope and objectives, developing realistic attack scenarios, and writing an execution script.
Planning includes determining which systems, processes and workflows will be involved in the exercise as well as who are the right people — not just managers, but the staff who actually execute the processes or workflows.
Scoping the scenario(s) for the exercise means making sure that they are relevant and realistic. Objectives need to be defined to ensure that lessons learned are valuable and well documented, that they identify any holes in processes and any additional data, information or training that is needed, and that everyone understands that the goal is to find and fix problems in a safe, blame-proof environment.
Aside from cyber and IT staff, others who should be involved include executives, lawyers, cyber insurers, communications and public relations staff. Decision points should be identified such as the decision to pay or not pay a ransom. With cyber insurers it is important to note that they may have resources to bring to bear such as playbook ideas, as well as incident response and forensics teams that may be provided as a benefit of their cyber insurance policy.
One final intriguing point made during the forum is that certain tools and even AI may be deployed in the organization to help with operational processes, but staff need to know how to execute those processes manually when a switchover is needed due to a cyber event.
For example, AI may help radiologists read images, but the radiologists will need to read manually in a cyber shutdown scenario. And AI-based solutions such as ambient listening tools may be used to generate encounter notes, but notes will need to be made manually during such an event. These switchovers should be practiced for all processes and workflows, ideally often, not just during a tabletop exercise.
After the exercise has concluded, lessons learned are gathered and processes and procedures are updated, along with planning for the future. Final advice included that keeping staff engaged while diverted from their normal work can be a challenge. A take-home message was to make cybersecurity resilience fun by trying gamification or other tactics — and showing appreciation in any way possible.
Keeping pace and boosting cyber resilience
Healthcare faces an accelerating wave of cyber threats, leaving many organizations struggling to keep pace, especially as emerging healthcare technology complicates security.
Attackers are always looking for new attack vectors. With “ambient listening,” providers are putting AI listening devices in patient encounters. These tools reduce clinician burden but can expose sensitive data if not properly secured, making them prime targets for attackers.
The CHIME Fall Forum presentations and discussions made it clear that cybersecurity resilience is no longer an option, but a necessity for healthcare organizations. In the face of ever-evolving threats, leaders must take proactive steps to fortify their defenses and protect their critical assets. This includes conducting regular tabletop exercises, reassessing vendor relationships, and investing in employee training and awareness.
Cybersecurity resilience isn’t just a defensive strategy — it’s a critical investment in healthcare’s future. By acting decisively, organizations can protect their patients, operations, and the trust they work so hard to build.