Where were you when the lights went out…
They didn’t? That’s great – but there may be folks out there with other ideas.
While there are certainly any number of benefits to the globalization of society, it has also increased the potential for targeting by various nefarities (it’s not a real word, but I kind of like it—think of it as a combination of nefarious authorities), which has clearly extended to hospitals and other healthcare organizations. And while straightforward armed conflict is cycling in Eastern Europe, we know for sure that target acquisition can come from a long ways away, so a couple of things to consider as a function of due diligence/due vigilance.
First up, an area that is almost the most critical piece of infrastructure of all – the electric power grid. As reported in Bloomberg Businessweek (https://www.bloomberg.com/news/features/2022-01-26/what-happens-when-russian-hackers-cyberattack-the-u-s-electric-power-grid ), the good folks at the Defense Advanced Research Projects Agency (DARPA) have been working rather diligently to prepare the nation’s electrical grid for the realities of a successful cyberattack. I’ll let you peruse the article at your leisure, but I can’t help but think how much worse an event this could be that one we’re still enduring. While there was some uncertainty at the start of the pandemic (some of which remains), most places were able to figure out a way forward and provide a safe environment for patients and staff.
But imagine trying to respond to the pandemic while relying on emergency power because of a disruption to the normal power supply. I think we all recognize that "things can get worse before they get better” in ways that might not have been clearly indicated in the past. Everything, it would seem, is much closer to us, including external threats—might be a good idea to see what preparations are being considered by your providers and what recommendations they might have to enhance your own preparations. Hopefully we will not have to deal with as steep a learning curve, but that hope seems much more tenuous. Which brings us to:
About a week before this writing, the American Hospital Association (AHA) issued an advisory (https://www.aha.org/advisory/2022-02-23-us-declares-start-russias-invasion-ukraine-introduces-sanctions-cyber-shields ) to its members regarding the increased potential for cyberattacks in the wake of Russia’s invasion of the Ukraine. The advisory includes a number of action items, including the management (documented, updated, practiced) of a “cross-function, leadership-level cyber incident response plan,” including emergency communications plans and systems.
I suspect that some of this work is ongoing in your organization, but I think you can probably anticipate some questions from regulatory surveyors in this regard as it probably represents a fairly significant threat to normal healthcare operations. Recognizing that this is probably not going to involve a “one size fits all” approach, it’s going to be very important that discussions with surveyors focus on how your organization is preparing to plan, mitigate, respond and recover from a cyber event – your organization’s role is to determine what that looks like for your place and then kick the tires to make sure that you are as prepared as possible.
About the Author: Steve MacArthur is a safety consultant with The Greeley Company in Danvers, Mass. He brings more than 30 years of healthcare management and consulting experience to his work with hospitals, physician offices, and ambulatory care facilities across the country. He is the author of HCPro's Hospital Safety Director's Handbook and is contributing editor for Healthcare Safety Leader. Contact Steve at stevemacsafetyspace@gmail.com.