More than 51.9 million patient records were exposed in over 700 data breaches in 2022, according to Health and Human Services data. The imperative of protecting patient data is already here and getting more critical for health delivery organizations (HDOs) with each passing year.
Accreditation organizations such as The Joint Commission (TJC) have a role to play in this imperative as well. They enforce the security recommendations of standards-setting organizations like the Centers for Medicare & Medicaid Services (CMS), which HDOs then follow to obtain their deemed status — necessary for payer reimbursements.
The Joint Commission accredits and certifies more than 22,000 healthcare organizations and programs in the United States, including hospitals and healthcare organizations that provide ambulatory and office-based surgery, behavioral health, home health care, laboratory, and nursing care center services. An independent, not-for-profit organization, The Joint Commission is the oldest and largest standards-setting and accrediting body in healthcare.
As part of that role, The Joint Commission recently released new recommendations on preparing for a cyberattack. In Sentinel Alert 67, TJC referenced several Emergency Management (EM) standards as part of its recommendations. The standards include EM.11.01.01, which requires HDOs to conduct a hazard vulnerability analysis (HVA) that includes human-caused hazards such as cyberattacks. Prioritizing cyberattacks as part of this HVA is a key starting point for HDOs to identify and implement mitigations and preparedness activities to cut down on the disruption of services and functions to ensure patient safety.
Guidance from TJC also relied on EM.13.01.01 related to continuity of operations, EM.14.01.01 tied to disaster recovery, and the emergency management education and training program as outlined in EM.15.01.01. The commission’s recommendations relate to those standards and are tied directly to responding to a cyberattack.
Core Joint Commission Recommendations
The Joint Commission’s recommendations are designed to ensure that the HDO can prepare to operate during a cyber emergency. Starting with the HVA recommendations of EM.11.01.01, HDOs should evaluate the cyber-related findings and prioritize what needs to be kept running in the event of an attack. This can be any number of systems across the HDO, but the core need is understanding what can and should remain operational.
TJC recommends a downtime planning committee as part of the Sentinel Alert. HDOs already have an incident command center and emergency preparedness for regulatory compliance. The downtime planning committee recommended in the Sentinel Alert could easily be integrated into that workflow.
In addition to the vulnerability analysis and forming a planning committee, HDOs should:
- Develop downtime plans, procedures, and resources – The Joint Commission recommends that HDOs develop and regularly update plans and procedures designed to be followed during downtimes. This includes when to declare downtime, when to shut down electronic systems, and under what circumstances elective procedures should be limited or canceled. The plans need to be consistent with the HDO’s overall emergency operations plan.
- Designate response teams – As part of response planning, HDOs need to designate an interdisciplinary team that mobilizes during unanticipated downtime events. Members should come from backgrounds similar to those represented on the planning committee. This team should be the group designated to decide whether or not to move the HDO into full downtime.
- Train team leaders, teams, and all staff on how to operate during downtimes – Training should occur at regular intervals so teams know how and when to follow downtime procedures, as well as which kinds of incidents would trigger a downtime event. This includes drills at onboarding and on a recurring basis, until all staff understand how to act during such an event.
- Establish situational awareness with effective communication throughout the organization and with patients and families – TJC recommends decisive action in the event of a cyberattack. HDOs need to clearly communicate which systems are affected and which ones are not. These should include the clinical ramifications as well as nonclinical ones to make sure that everyone understands the full context of an active cyberattack. Obscuring the truth only makes it harder to respond.
- After an attack, regroup, evaluate, and make necessary improvements – This final recommendation involves forensic analysis following an incident. As part of recovery, HDOs need to adapt systems to the needs and requirements revealed in the attack. This is a key component of any good incident response strategy.
These recommendations help ensure that HDOs plan a sustainable procedure and workflow for managing downtime of critical patient-facing systems and devices in the event of a cyberattack such as ransomware. A truly robust security program would go above and beyond these recommendations.
How Asimily Enables the Joint Commission’s Recommendations
The Joint Commission’s recommendations imply a combination of people, processes, and technology designed to ensure the long-term security and operational health of HDOs. Core components of long-term operational security are technologies that allow for risk-based software vulnerability prioritization as well as flexible incident response in the event of a security incident.
Recommendation: Evaluate HVA findings and prioritize
The Asimily platform is designed to shed light on security vulnerabilities in its customers’ internet-connected assets – especially connected medical devices – and allow information security teams to adopt a risk-based approach.
Recommendation: Develop downtime plans, procedures, and resources
Asimily’s Incident Response module enables HDOs to plan for mitigation and recovery as part of their preparations for downtime, and to capture lessons learned once the plan has been put into practice.
Recommendation: Train team leaders, teams, and all staff on how to operate during downtimes
Asimily’s utilization data helps all staff, not just IT, prepare for a potential cyberattack. Several Asimily customers use utilization rates and cyber risk information to craft continuity plans for high revenue-generating and high patient-usage assets. Asimily further has a highly specialized capability to audit against cybersecurity and CMS/TJC requirements. There are no cookie-cutter templates involved in monitoring or data gathering, which is what allows Asimily to excel in this space.
Recommendation: After an attack, regroup, evaluate, and make necessary improvements
Asimily’s policy management and forensic analysis modules allow incident responders to evaluate and make recommendations for changes following a cyberattack.
Asimily also supports building out response capability from a people-and-process perspective, through plans, procedures, and workflows that align the grand designs on paper with the actual boots on the ground. Asimily has already done this for several clients, such as Southcoast Health, ensuring that they have a strong strategy in place.
Lastly, Asimily enables HDOs to develop and ensure governance that unifies all relevant stakeholders and creates training and awareness to fulfill the recommendations of TJC. With this capability in place, HDOs can be more secure and more adaptable in the face of an uncertain attack landscape.