Earlier this fall, as they worked tirelessly to care for patients impacted by the COVID-19 pandemic, healthcare providers faced an added challenge—cyber security attacks. Proceeded by joint warnings from the FBI and other federal agencies that attacks on the US healthcare system were imminent, these attacks couldn’t have come at a more inopportune time.
Undoubtedly aware of the added strain being applied by the pandemic, the people behind these attacks were particularly sly. They used phishing scams to distribute malicious content embedded in email attachments. Once opened, the attachment immediately installed software that locked all systems on the machine’s network. Once locked, the affected users had two options: pay a ransom to unlock the systems or wipe the system clean of all software and restore from backups.
More than one provider in our region faced this dilemma, and as far as we know, no one paid the ransom. Instead, each chose to restore from backup—a process that can take as long as a month (or more) to fully complete. During the process of recovering the systems, providers without access to their electronic health records (EHRs) adjusted. They used paper charts and invested an enormous amount of time and resources to restore their systems.
This process is generally described in an organization’s business continuity and disaster recovery (BCDR) plan, which, I can assure you, is never a popular topic of conversation—even at a cocktail party for cybersecurity professionals. But I’m going to talk about it anyway. No, I’m not going to talk about Hixny’s BCDR plan, or the quick, decisive action we took to protect ourselves and our participants. Instead, I want to use Hixny as an example to talk about the role health information networks play—or should play—in the BCDR plans of their participants.
Business continuity, the BC part of BCDR, is about how an organization plans to continue operating during and after a disaster. In this case, all of the impacted organizations in our region quickly realized Hixny could provide them access to their own information via our provider portal. While our direct connection to them had been suspended to ensure that we (and our non-infected providers) were safe, Hixny quickly set up separate user accounts and assisted providers with accessing information that was recorded in their EHR right up to the point it went offline. As one provider put it, “This is a life saver! We can even get last notes!”
Facilities also found Hixny was an integral part of disaster recovery, the DR part of BCDR that describes how an organization plans to recover from a disaster. In this instance, if the backups themselves were impacted by the attack, or if there was a gap in time between the last backup and the beginning of the attack, the files that would typically be used to restore systems are themselves incomplete. As you can imagine, a period of “missing data” could have significant implications on patients and providers. Hixny was again able to help fill in those gaps and assisted impacted facilities locate and restore data to their systems.
During their recovery process, we saw a 1,500 percent increase in Hixny use among impacted facilities. We also saw an increase in patient access of records during that time period, both through our online portal and through third-party apps used by a few of our participants. This indicated that both providers and patients recognized the need for information and sought out all ways to find it.
So, does your BCDR plan include your health information network as a vital component of both business continuity and disaster recovery? If it doesn’t, it should. As we’ve all just seen, it can play a critical role if your practice or facility succumbs to a cyberattack.