
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Why Cyber Fire Drills are an Imperative for Healthcare

Talk to anyone in healthcare about the concept of “cybersecurity,” and the conversation quickly turns to the prevention of cyberattacks. IT and cybersecurity people love to talk about firewalls, antivirus, and lots of other fancy technical measures that are supposed to stop the bad guys from getting in.

But here’s the problem – prevention alone clearly isn’t enough. Organizations that have experienced a breach, whether Change Healthcare or any of the many practices listed in the healthcare data breach statistics, had in most cases already invested significantly in these same prevention tools. And yet they were still breached, often with massive financial penalties and a huge impact on their ability to operate.

Prevention vs. Response

In a medical setting, prevention is only part of the conversation that you have with patients. Much of the training that medical professionals receive is how to respond to emergency situations. You practice and practice, building muscle memory, because seconds count in an emergency.

It’s time for this same framework to be applied to cybersecurity. It’s no longer enough to keep adding more and more technology to each practice; the evidence has shown this to be expensive and, on its own, ineffective. Instead, healthcare needs to take the same “practice makes perfect” discipline it applies to medical emergencies and apply it to cybersecurity attacks.

But why should medical practices bother to practice? They pay for cybersecurity insurance, so shouldn’t that be enough to comfortably limit the impact of an attack?

“The worst six months of my life”

Ask anyone who has lived through a breach, and you’ll hear the same thing over and over — “that was the worst 3-6 months of my life.”

What most people don’t realize until they’ve lived through a breach is the incredible level of distraction that it places on your company and your team. Everything else you’re doing will need to be put on pause while you deal with the breach. Your IT people won’t have the bandwidth to focus on anything else. Your front-office staff will be flooded with calls from patients asking about the security of their healthcare records. And you’ll have to have the same painful conversation with patients over and over about what happened and why it happened.

Why are breaches such a distraction? After a breach, you’re going to be engaging high-end lawyers and IT experts who are going to go over everything with a fine-tooth comb. And along the way, they’re going to be asking you to make a million decisions that have no obvious answer, like:

  • Should we pay the $1 million ransom?
  • When should we involve attorneys, and which ones?
  • What am I legally obligated to tell patients?
  • Beyond my legal obligations, what is the right thing to do ethically?
  • Who, specifically, is going to notify all our patients and vendors?
  • Are there some patients who we should call instead of sending a boilerplate letter in the mail?
  • Who is going to field the flood of questions from patients?
  • Do we have the right experts assigned to help us through this?
  • Should we engage the FBI, when, and will they help us?
  • How much should we invest to make sure this can’t happen again?
  • Is our IT team up to snuff if this could happen in the first place?

These are questions that you likely don’t have a lot of experience answering, which means you’ll be spending a staggering amount of time in meetings and being dragged away from patient care.

While these are just a few of the questions your leadership team will need to answer, there’s also an important role that every single employee plays in detecting and containing cyberattacks.

Reducing “Dwell Time”

There’s an important concept in cybersecurity called “dwell time.” In non-geek-speak, it simply means how long an attacker is in your systems before you find out about it.

In simple cases, attackers are usually in your systems for roughly a week or two before you find them (or they make themselves known); recent industry dwell-time reports put the median in that range, though the figure varies by source and year. However, if they find something valuable while looking around, they can remain in your systems for weeks or even months before you figure out something is wrong.

Just like with patients at the early stage of an illness, there is a direct correlation between how early you discover a problem vs. how damaging it is. The longer an attacker is in your systems, the more time they have to figure out sophisticated, highly-damaging attacks that could cripple you for weeks or steal significant sums of money.

To limit the damage, we need to do a better job of training our employees to recognize when something weird is happening, how quickly to act, and how to get in touch with the right people.

We’ve seen real breaches discovered in the strangest of ways:

  • An employee gets an “out of office” reply for an email she doesn’t remember sending
  • An employee notices that his Sent Items folder is mysteriously empty
  • An employee gets a call from a patient, asking about a strange email and asking if it’s legitimate
  • A compliance officer notices a weird spike in volume in the company’s email archiving system
  • An employee notices her mouse moving in unexpected ways

All of these could be clues that an attack is underway. But they won’t mean a thing unless the employees know how to recognize them and what to do with that information.
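The clues in the list above are the same signals that can be checked automatically. What follows is an added example, not code from the article or from the author’s products: it runs three checks over constructed mailbox audit events that stand in for a mail platform’s audit log (the field names, users, domain and baseline figures are assumptions, not a real vendor schema). It flags an inbox rule that forwards mail to an external address, a rule that silently deletes replies (which is how a Sent Items folder ends up “mysteriously empty” and why the out-of-office replies never reach the victim), and a burst of outbound mail that explains both the puzzled patient phone call and the spike in archiving volume.

```python
"""Added example (not from the article): automated checks for the
mailbox-compromise clues listed above. Event records are a simplified,
constructed stand-in for a mail platform's audit log; the field names
are assumptions, not any vendor's real schema."""
from collections import Counter, defaultdict

ORG_DOMAIN = "clinic.example"  # assumed organization domain

# Constructed sample audit events (fictional users and timestamps).
SAMPLE_EVENTS = [
    # Attacker in nurse.a's mailbox sets up exfiltration and cover-up rules.
    {"time": "2024-03-04T09:02:00", "user": "nurse.a@clinic.example",
     "op": "New-InboxRule",
     "rule": {"forward_to": "archive@mail-cloud.example", "delete": False}},
    {"time": "2024-03-04T09:03:00", "user": "nurse.a@clinic.example",
     "op": "New-InboxRule",
     "rule": {"forward_to": None, "delete": True, "subject_contains": "RE:"}},
    # Benign internal rule created by a different user.
    {"time": "2024-03-04T09:10:00", "user": "billing.b@clinic.example",
     "op": "New-InboxRule",
     "rule": {"forward_to": "billing-team@clinic.example", "delete": False}},
]
# Outbound burst: 60 messages from nurse.a in one hour (a phishing wave sent
# from the hijacked account), versus 3 normal messages from billing.b.
SAMPLE_EVENTS += [
    {"time": f"2024-03-04T09:{15 + i // 2:02d}:{(i % 2) * 30:02d}",
     "user": "nurse.a@clinic.example", "op": "Send"}
    for i in range(60)
]
SAMPLE_EVENTS += [
    {"time": f"2024-03-04T09:{20 + i:02d}:00",
     "user": "billing.b@clinic.example", "op": "Send"}
    for i in range(3)
]
# Normal outbound messages per user per hour, assumed learned from history.
BASELINE_SENT_PER_HOUR = {"nurse.a@clinic.example": 5,
                          "billing.b@clinic.example": 8}


def external_forward_rules(events, org_domain):
    """Rule creations that forward mail to an address outside the org."""
    hits = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        target = e["rule"].get("forward_to")
        if target and not target.lower().endswith("@" + org_domain):
            hits.append((e["user"], target))
    return hits


def delete_rules(events):
    """Rule creations that silently delete matching messages."""
    hits = []
    for e in events:
        if e["op"] == "New-InboxRule" and e["rule"].get("delete"):
            hits.append((e["user"], e["rule"].get("subject_contains") or "*"))
    return hits


def sent_volume_spikes(events, baseline_per_hour, factor=5):
    """(user, hour, count) where sent mail exceeds factor x the baseline."""
    per_user_hour = Counter()
    for e in events:
        if e["op"] == "Send":
            per_user_hour[(e["user"], e["time"][:13])] += 1  # YYYY-MM-DDTHH
    return [(u, h, c) for (u, h), c in sorted(per_user_hour.items())
            if c > factor * baseline_per_hour.get(u, 1)]


def triage(events, org_domain=ORG_DOMAIN, baseline=BASELINE_SENT_PER_HOUR):
    """Combine the checks into per-user findings for the response team."""
    findings = defaultdict(list)
    for user, target in external_forward_rules(events, org_domain):
        findings[user].append(f"inbox rule forwards mail to external address {target}")
    for user, pattern in delete_rules(events):
        findings[user].append(f"inbox rule silently deletes messages matching {pattern!r}")
    for user, hour, count in sent_volume_spikes(events, baseline):
        findings[user].append(f"{count} messages sent in hour {hour}")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed input, only nurse.a is flagged, with all three findings; billing.b’s internal forwarding rule and normal sending volume produce nothing. The point is that none of these checks require a person to notice something odd, but a person still has to know whom to call when the alert fires, which is exactly the gap the rest of this article is about.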

And this is where most companies inadvertently fall short. They assume that their employees are well-trained to handle this because they check-the-box on annual HIPAA training. But when a real cyberattack happens, your employees will waste valuable days, weeks, and even months because they lack the knowledge of what to do, and how quickly to do it.

Muscle Memory

A couple of years ago, a close family member had a stroke (they’re fine now, don’t worry). I was with them in the ER, and I was so very thankful that the team had practiced what to do. As soon as the stroke code went out over the loudspeaker, a well-oiled team of nurses surrounded the patient, with each knowing exactly what to do and in what order.

As cyberattacks become more frequent, both cybersecurity people and leaders need to adopt a similar approach to attacks. It’s not enough to send people goofy videos and simple quizzes once a month and consider them “trained.” Instead, we need new approaches that teach people exactly what to do in the context of their jobs, how to do it, and who to notify.

This is where the concept of simulation is critically important. And, specifically, a new concept of a “cyber fire drill.”

Cyber Fire Drills

Cybersecurity simulation is nothing new. You’ve undoubtedly received phishing tests, in which fake phishing emails are sent to see who clicks, and cybersecurity professionals have been conducting “tabletop exercises” for decades.

But phishing is not the only way that cyberattacks happen. What about everything else? And tabletops are great, but they take weeks to prep, hours to run, and end up being sparsely attended because they’re so time-consuming.

A cyber fire drill is a short, fun exercise that puts each person in a simulation of a real-world cybersecurity attack. They make sense for healthcare organizations because:

  • They’re short and can be done in between patient care and other duties in just a few minutes.
  • They’re stories based on real attacks, so they’re more engaging and realistic than typical cybersecurity or HIPAA training.
  • They require little effort from your organization to create, so they can be quickly sent to dozens or even hundreds of employees across your company.
  • They combine training and testing via simulation. The results of the simulations provide valuable data to your company’s IT and leadership about where to spend limited cybersecurity resources.

Companies that do frequent, short simulations build the muscle memory they need to respond to a cybersecurity attack as smoothly as an ER team responds to a stroke code. Building this muscle memory may very well make the difference between an insignificant non-event and an embarrassing, painful data breach that distracts your team for months.

Author: Josh Ablett, CISSP, has been meeting regulations and stopping hackers for nearly 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by various regulatory agencies, and has built security programs that comply with a wide range of privacy and security regulations such as NIST 800-171, HIPAA, GLBA, and state privacy laws. He has worked with companies ranging from 5 people to 50,000 people. Prior to his current role as vCISO at AdeliaRisk and co-founder at ChaosTrack.com, Josh worked for various cybersecurity vendors on projects for Fortune 500 clients. Josh got his start in cybersecurity while working as SVP/Head of Fraud and Global Insider Threat at the Royal Bank of Scotland (RBS), at the time the fifth largest bank in the world. You can contact Josh via LinkedIn at https://www.linkedin.com/in/joshablett/
