Last month, a bipartisan group of senators introduced the Health Care Cybersecurity and Resiliency Act of 2024, the latest in a series of proposals aimed at protecting healthcare organizations from cyberattacks. Whatever the fate of these bills, the message for business continuity (BC) practitioners is clear: their existence underscores the threat to patient data and life safety—and the need for healthcare organizations to elevate their cybersecurity practices.
The Health Care Cybersecurity and Resiliency Act of 2024 was unveiled in November by Dr. Bill Cassidy, R-La., alongside Sens. Mark Warner, D-Va., John Cornyn, R-Texas, and Maggie Hassan, D-N.H. The four are members of a working group on healthcare cybersecurity that was set up a year ago.
The bill, focused on rural and under-resourced healthcare providers, would improve healthcare organizations’ ability to defend against cyberattacks by providing training grants on cybersecurity best practices. It also pushes for more coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
The bill comes in response to the recent alarming spike in cyberattacks on healthcare organizations. These attacks have resulted in the theft of the private health information of millions of people and disrupted care delivery, sometimes for days, posing significant risks to patient safety.
“Cyberattacks on our healthcare systems and organizations not only threaten personal and sensitive information, but can have life-and-death consequences with even the briefest period of interruption,” said Warner.
The bill joins other recent proposals intended to improve Americans’ healthcare cybersecurity, including the Health Infrastructure Security and Accountability Act, the Healthcare Cybersecurity Act of 2024, and proposed updates to the HIPAA Security Rule.
It’s too soon to worry about mastering the details of these proposals. We don’t know which of their provisions, if any, will become law.
However, their existence carries a clear message for BC practitioners: It underlines the seriousness of the threat cyberattacks pose to patient information and life safety and reminds us of the need to do everything we can to help our organizations develop a culture of digital resilience.
Below are some tips and considerations to help healthcare organizations get better at fending off and recovering from cyberattacks. (They also apply to non-healthcare organizations.)
Healthcare organizations must identify the systems and equipment most critical to patient safety and operational continuity and focus their protection efforts there. This might involve creating a priority list—such as identifying the top 50 most essential assets—and directing protection efforts accordingly. Key resources might include surgical robots, imaging devices, IV pumps, and telemetry systems. Critical systems can be segmented from the broader network to reduce their exposure, with contingency plans in place to keep them functioning during a cyberattack.
Transparency about a healthcare organization’s cybersecurity posture can build trust with patients, partners, and regulators. However, sharing too much detail publicly can inadvertently help attackers understand vulnerabilities or protective measures.
Completely eliminating cyberthreats is unrealistic, but organizations should focus on minimizing risks by reducing exposure and addressing vulnerabilities to bolster their defenses against attacks.
Many companies have made significant strides in implementing robust technical measures such as firewalls, encryption, and automated monitoring tools to guard against cyberthreats.
Despite solid technical defenses, human error poses the greatest risk, particularly through actions like clicking on phishing links or neglecting to adhere to security protocols.
Improving employee cybersecurity awareness through training and instituting accountability for repeat offenders engaging in risky online behaviors can significantly strengthen organizational defenses.
Social engineering attacks, like phishing and vishing (voice phishing), are a growing threat in healthcare. Security training programs should go beyond basic advice to avoid suspicious emails and teach employees how to recognize and respond to sophisticated tactics, including phone scams where attackers impersonate IT staff or vendors.
Regularly updating and patching software is vital for closing security gaps and safeguarding systems from potential exploits.
Outdated systems often introduce significant vulnerabilities. While business continuity and IT teams can highlight these risks, addressing them requires buy-in and action from organizational leadership.
Organizations should ensure their operations can continue even if systems are compromised. This includes having manual processes as a backup and detailed strategies for maintaining critical business functions.
Effective business continuity planning requires having well-defined procedures for shutting down and restarting systems. These plans should address scenarios like isolating specific affected areas or performing a rapid, organization-wide shutdown while safeguarding critical operations that must continue.
By adopting these strategies, healthcare organizations can enhance their ability to prevent, mitigate, and recover from cyberattacks, ensuring greater protection for both patients and operations. While tailored for the unique challenges of healthcare, these practices are equally valuable for strengthening cybersecurity across all industries.
The increasing frequency and severity of cyberattacks on healthcare organizations make it clear that robust cybersecurity is no longer optional—it is a critical component of patient safety and operational resilience. While legislative proposals like the Health Care Cybersecurity and Resiliency Act aim to address systemic gaps, the responsibility ultimately rests with individual organizations to take proactive steps to strengthen their defenses.
By prioritizing critical systems, addressing human vulnerabilities, and maintaining agility in the face of evolving threats, healthcare providers can build a culture of digital resilience. These efforts not only protect sensitive patient information but also ensure that organizations can continue delivering care in the face of adversity, safeguarding the trust of the communities they serve.