Crisis Management: Responding to a Disaster
The Role Business Continuity Plans Can Play After Hurricanes as Well as Cyberattacks
The impact of Hurricane Ida, including huge power outages, points to the importance of healthcare organizations and others having comprehensive business continuity and disaster recovery plans in place for natural disasters as well as cyberattacks.
"The lack of power, water and climate control all can be caused by physical or cyber incidents," says Doug Howard, CEO of security consultancy Pondurance. "More and more, everything relies on cyber preparedness."
Some Louisiana healthcare providers hit hardest by Ida - including Ochsner St. Anne Hospital in Raceland and Leonard J. Chabert Medical Center in Houma - were forced to transfer patients to other care facilities or postpone procedures. And several hospitals hit by ransomware attacks in recent months have had to take similar actions.
Careful planning is required for disasters, whether cyberattacks or natural disasters, business continuity experts say.
For example, "Facilities stand up incident command to ensure full communication and enact their plans that they have put together - and hopefully tested," says John Delano, southwest regional CIO at AdventHealth, who is also a healthcare security strategist with security firm Critical Insight.
"These business continuity plans ensure nurses and doctors can still provide patient care in the absence of system availability," he says.
Many healthcare organizations "have dedicated staff who are focused on emergency planning," says Cathie Brown, a vice president at privacy and security consultancy Clearwater. "The plans are documented and tested on a regular basis."
This degree of preparedness is required by the Joint Commission, which accredits hospitals, and the Centers for Medicare and Medicaid Services, Brown notes.
"This level of planning is critical to patient safety, and hospital systems take this very seriously. The same level of planning and testing is just as critical for man-made disasters, such as ransomware or cyberattacks," she adds.
The best plans for responding to man-made and natural disasters "are those that are integrated, funded and resourced," Brown says. "That can be a challenge for some organizations, and senior leadership must play a role."
Keeping the public informed about the impact of a disaster is critical, according to business continuity experts.
"The efficacy of the response is what limits the impact of the event, and part of being effective is a focus on public communication to manage perception and narrative," says Michael Hamilton, CISO at Critical Insight and former CISO of the city of Seattle.
"Organizations that are opaque during response for a significant incident risk customer flight and lasting brand damage," he says. "In a natural disaster, information can be the most valuable asset and should be aggressively disseminated."
For instance, training received by healthcare leaders in emergency management from the FEMA program NIMS, or the National Incident Management System, can help a community better respond to all sorts of crises, Hamilton notes.
"This type of response structure is scalable to all types of incidents - ransomware to asteroid strike," he says.
"A coordination group is established to provide governance, and response teams are designated. The coordination group includes legal, public communication, HR, finance and procurement, and executive leadership. Response teams report to the coordination group on regular intervals."
Ron Brown, practice director of business resilience at security firm GuidePoint Security, adds: "Man-made disasters can have as severe an impact as natural disasters. Therefore, a well-planned and executed business continuity and disaster recovery plan should effectively support an 'all hazards' approach to threats that may impact a business."
Beware of Scams
Sadly, when natural disasters strike, cybercriminals often see opportunity in the chaos, says Howard of Pondurance.
"They take advantage of the confusion to create more havoc by targeting physical infrastructure, like electric grids, fuel pipelines and water systems, with ransomware attacks," he notes. "States like Louisiana and Florida routinely see an exponential rise in cyberattacks following hurricanes."
Natural disasters cause network outages and various other disruptions. But opportunistic hackers can also cause outages, Howard says.
"For instance, when the power goes down after a hurricane, it’s normal to assume that the outage is due to the storm, not a cyberattack," he says. "It is critical that IT and security personnel don’t miss the true cause of the outage amid the 'noise,' which could lead to an extended outage that puts further stress on a region and could even result in unnecessary lost lives."
Attorney William Moran of the law firm Otterbourg PC notes that immediately on the heels of the terrorist attacks of Sept. 11, 2001, crisis management lawyers were inundated with requests from companies to help set up business continuity plans involving the creation of independent backup systems in less vulnerable geographic locations.
"While today’s business risks arising from cybercrime and climate change differ substantially from the risk of terrorism, the concerns relating to safeguarding private data and advancing communications systems are largely the same," he notes. "Companies that refuse to implement such plans now run the risk of realizing the importance of this effort the hard way."
While healthcare entities in the path of Hurricane Ida's destruction continue to recover, the Department of Health and Human Services on Monday provided some temporary regulatory relief.
Because HHS declared a public health emergency as a result of the consequences of Hurricane Ida in Louisiana and Mississippi, HHS Secretary Xavier Becerra also temporarily waived sanctions and penalties against covered hospitals that do not comply with certain provisions of the HIPAA Privacy Rule.
That includes the requirements to obtain a patient's permission to speak with family members or friends involved in the patient’s care, distribute a notice of privacy practices and grant the patient's right to request privacy restrictions.