Getty Images
Maintaining Business Continuity In An Age of Increased Threats
A focus on enterprise resilience can facilitate business continuity and enable organizations to tackle any crisis, from ransomware to natural disasters.
Whether it's a ransomware attack or a tornado, hospitals and health systems must be able to maintain business continuity through a crisis. Both natural and human-made threats have the power to disrupt workflows, and with patient care on the line, healthcare organizations cannot afford to lose access to critical data and systems.
While incident recovery plans are required by HIPAA and are crucial to restoring operations, they only address specific symptoms of a larger underlying need: enterprise resilience.
Healthcare organizations can better prepare themselves to withstand disasters by assessing the current threat landscape and focusing on business continuity and resilience rather than just recovery. Leveraging cloud technology can also reduce the burden on healthcare organizations to manage these threats independently, providing trustworthy solutions to protect critical data.
The Current Threat Landscape
Threats to business continuity can come in many forms. From California wildfires to flooding in the Carolinas, unforeseen natural hazards can leave organizations with full ICUs and limited access to critical on-premises data.
At the same time, bad actors have launched cyberattacks against health IT infrastructure — taking systems offline and disrupting day-to-day operations. Beyond external cyber threats, poor employee cyber hygiene may invite phishing scams and endanger even the most robust security architectures.
Healthcare records are worth up to $250 per record on the black market, compared to just $5.40 for payment card information, the next highest value record, SecureLink found. In fact, of all critical infrastructure sectors, the healthcare sector faced the most ransomware attacks in 2021, the FBI's Internet Crime Complaint Center (IC3) observed in a recent report.
And, HHS recently issued a brief to warn organizations of increased EHR security risks in light of recent cyberattacks. The brief recommended that organizations implement technical safeguards and heighten their cyber resilience to combat these threats.
Healthcare Has a Resilience Problem
Natural and human-made disasters appear to be drastically different problems requiring unique solutions. Organizations typically look to state and federal emergency preparedness guidelines to respond to natural disasters, while human-made disasters often require a focus on implementing sophisticated technical safeguards.
But Hector Rodriguez, executive security advisor, WWPS health and life sciences at AWS, suggested that focusing on one problem at a time means missing an opportunity to look at your framework, architecture, and solutions to address the concept of resiliency holistically.
"By treating each of those symptoms one at a time, you are not treating the real issue, which is a lack of resiliency. It’s important that organizations measure how resilient they are at an enterprise level, not just at an individual application, department, or building level,” Rodriguez said.
“This means reevaluating people, tools, and documentation policies and procedures and making sure they’re connected."
Tips For Achieving Enterprise Resilience
Research conducted by the Boston Consulting Group (BCG) Henderson Institute suggested that organizations build a resilient business model based on principles of biology. Resilient biological systems exhibit six characteristics: redundancy, heterogeneity, modularity, adaptation, prudence, and embeddedness. These characteristics can be applied to businesses to help them maintain resilience by adapting to unexpected events and optimizing efficiency.
Enterprise resilience requires organizations to take a holistic approach to security and safety. They must examine resilience in the supply chain, among employees, within applications, and even within data storage.
"You must leverage newer technologies for immutable data backups and encryption," Rodriguez advised. "The goal here is availability. If I lose access to my medical record, pharma system, or supply chain system, I will have trouble running a hospital."
Cloud technology is one of the many tools that can help organizations achieve enterprise resilience and mitigate risk. Cloud adoption may not only allow for quicker recovery but may also reduce the risk of ransomware and data breaches. Rather than a hospital dealing with on-premises patching, cloud vendors patch and update behind the scenes, reducing the risk of out-of-date systems allowing for cyber-attacks.
In addition to cloud technology, comprehensive disaster recovery and incident response plans, including practicing for an event, can help healthcare organizations maintain patient safety and prevent further damage in the face of more predictable human-made and natural threats.
Additionally, enterprise resilience strategies go beyond standard IT disaster recovery by also addressing people and processes. People resiliency requires regular training and tabletop exercises. Every individual within an organization has a role in disaster recovery, and those roles should be clearly defined and should be practiced regularly. In fact, this is the place to start – modern security awareness training is key to building a resilient organization.
Data and application resiliency is also particularly vital to healthcare due to the sector's reliance on EHR systems. When an organization loses access to its network, patient information may be completely inaccessible.
"A resilient strategy is designed to enable you to bounce back from anything that happens in your organization," Rodriguez explained. "When you are more resilient, you can handle just about any disaster thrown at you, and you can also maintain highly available systems and capabilities.”
Rather than strictly safeguarding against and preparing for predictable threats, healthcare organizations should shift their focus toward attaining enterprise resilience to ensure data security and business continuity.
"We need to stop solving problems in the past. We need to design for the future. And that's what this is about," Rodriguez emphasized. "Let's design a more resilient industry overall."
______________________________
AWS is the trusted technology and innovation partner to the global healthcare industry. As the most mature and reliable cloud platform with the broadest and deepest portfolio of healthcare solutions, AWS provides the security and privacy required to enable the highly regulated healthcare industry to increase the pace of innovation, unlock the potential of data, and personalize the healthcare journey.