IS Crisis Management: An Agile Response to Threats to Critical Healthcare Systems (By Philippe Tourron, CISO, Marseille Public University Hospital System)

Protecting patient data would seem to go without saying. Analysing risks and implementing defences to curb threats are standard actions today. However, threats evolve quickly, and one day, a crisis might hit. You might find that you no longer have access to your computers. « What’s going on? » you might ask. « Our data are encrypted? We’re experiencing a denial of service attack? Our directory was corrupted? But we had plenty of defences. How did this happen? Don’t you know where to begin? What’s more, we’re being asked for a ransom. Nobody can cut off our Internet connection, just like that! Aren’t our applications in the cloud? Who should we alert? Who can help us? »

What if you were prepared in advance? The list of events to anticipate is endless: ransomware attacks like Locky and Wannacry, supervisory control and data acquisition (SCADA) attacks, take-over of connected medical devices, etc.

Threats Are Agile

Their high-speed evolution has had an impact on the last three years, and the healthcare field has become an attractive target for cybercrime (ransomware, theft, etc.). Polymorphic, combined and successive threat scenarios prevail today. Often, one attack hides another, and attackers are networks of machines that are difficult to target as they themselves are victims of attacks having rendered them soldiers in a virtual army.

Crises Are Inevitable

The agility of threats is such that crises are inevitable. What exactly is a crisis, and what distinguishes it from an incident?

The healthcare field finds itself in the midst of crises in its mission to care for and help victims. Hospital organisations provide crucial emergency services in the event of natural disasters, accidents and crimes. Thus crisis management is an integral part of medical professions, and both reality and practice sessions test organisations and prepare them to respond to crises involving medical emergencies.

However, an ISS crisis may take various and unexpected forms (cyberattacks, natural disasters, maintenance errors, cutting of fibres during road works, etc.). A crisis is a combination of an emergency situation and an unstable environment that creates uncertainty as to when the situation will return to normal. Thus there is a need for specific governance to overcome the complication. Good crisis management seeks to prevent disorder in general (uncontrolled communication, lack of action or disjointed initiatives, panicked conflicts, etc.). To do this, it must offer a proportionate response to protect people and assets (data, software, hardware, etc.) and restore or maintain the services provided by the information system (IS) by limiting the consequences of the instability.

The Inescapable Link Between an ISS Crisis and a Healthcare Crisis

Today, an ISS crisis could also spark a healthcare crisis: how long can a healthcare system function without access to patient records or control of electrical or heating systems before moving patients to another facility? On the other hand, ISS crisis management provides support in a healthcare crisis. Considering the importance of the IS in patient management, today, it would be unrealistic not to anticipate the connections between the two. Thus, one must be able to simplify and adapt the IS following a massive influx of patients, so as not to slow down management of an absolute emergency. At the same time, it must be possible to continue to quickly identify patients and link them to their testing and examination results, monitor operations, and inform the patients’ relatives.

Strategy for Remaining Agile When Dealing with Threats

In healthcare, as in fire safety or emergency management, it is necessary to prepare for disasters, give instructions, establish reflexive responses, implement detection and compartmentalisation systems, and create teams with training and practice. In my opinion, crisis management is the first security measure to implement in the healthcare field, and must be deeply incorporated into practices with all IS players at the hospital around the chief information officer (CIO): healthcare players; data protection officers (DPOs); biomedical, technical, legal, quality and safety departments; etc. Crisis management involves assigning clear roles to optimise crisis resolution, communicating, alerting people and getting help quickly and effectively.

How to Prepare

According to Information Technology Infrastructure Library (ITIL) IS standards such as ISO 27001, crisis management is a means of continuity management. It requires the following:

• Identifying roles such as crisis manager, operations manager, head of communication, records administrator and head of logistics.
• Organising an alert with triggering criteria that everybody knows, as well as procedures to buy precious minutes for whatever happens next and detect weak signals. Knowing who to alert or ask for help and how.
• Organising resources including a suitable site and means (with fall-back sites)
• Automatic procedures and forms (for triggering, crisis directory, communication, etc.)
• Preparing responses to basic scenarios (data centre failure, network shutdown, CryptoLocker virus, etc.) and standard responses (Internet shutdown, restoration of backup data, network compartmentalisation, etc.)
• Practising alerting people, collecting and analysing information, making decisions, communicating, taking action, etc.

Going Beyond: Crisis Education

Implementing crisis management at all levels raises awareness of risks and the need for high-speed risk management. A cyber challenge project to enable healthcare institutions to practise and share with one another is being developed, and I hope to make it a reality with our institutional players. When faced with threats, there is strength in unity. Practising together leads to comparing and sharing good ideas, which in turn leads to learning to respond quickly, help each other and anticipate whatever happens next.