Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

The Joint Commission releases guidance on cyberattack response

Written by Abby Grifno | August 30, 2023

In its Sentinel Event Alert, the Joint Commission provides guidance on preserving patient safety following a cyberattack.

What happened

The Commission's guidance focuses on preventing cyberattacks, training and testing all staff to reduce vulnerability, and ensuring that patients can still receive vital services in a timely manner.

In its report, the Commission noted that many attacks occur in small practices, while others affect large organizations. Regardless of size, an attack can significantly impair patients' ability to receive treatment, and some attacks also have financial and operational consequences.

Related: Rural Illinois hospitals set to close after ransomware attack

Why it matters

The guidance was issued in response to rapidly increasing cyberattacks. The authors also believe that many organizations are reluctant to report attacks, so the available figures likely underestimate the problem. Even so, according to the Department of Health and Human Services, 707 data breaches were reported in 2022, affecting more than 51.9 million patient records.

Furthermore, because of the frequency of attacks, indemnity insurance is often difficult to obtain and exceptionally expensive.

Lastly, many organizations now rely on internet-connected technology, cloud-based services, and third parties, which require more protection and security than keeping all data in a single contained system.

Going deeper

The report included seven suggestions to prevent and respond to cyberattacks. It also emphasized that all staff, not just IT employees, must be prepared, as any device can potentially be vulnerable to an attack.

The document suggested the following actions be taken by hospitals:

  1. Evaluate the hazard vulnerability analysis (HVA) and prioritize necessary hospital services. The report identifies necessary services as including pharmaceutical services, medical records, laboratory, radiology and pathology services, and other critical services.
  2. Create a downtime planning committee that includes a variety of specialists who can prepare for attacks and mitigate their consequences. These members may proactively conduct risk assessments and evaluate procedures and resources.
  3. Develop downtime plans and procedures that are regularly updated. Downtime plans may describe how the hospital will operate without its network and continue vital operations.
  4. Designate response teams that will quickly mobilize when an event occurs. These teams will also evaluate the severity of an attack and determine what response steps are required.
  5. Train team leaders, teams, and all staff on downtime operations to ensure staff can still provide critical services without significant delay.
  6. Establish situational awareness with effective communication to patients. The report advises that hospitals quickly communicate with patients and families so that everyone knows which operations are continuing and which are delayed.
  7. Evaluate the response after the attack to ensure a smooth recovery and improved response procedures. While no response is perfect, an event can serve as a learning opportunity to improve cybersecurity strategies.

The big picture

The Joint Commission argues that attacks are no longer an "if" but a "when." Organizations must be ready to act and continue operating despite these situations.

By creating and evaluating procedures for all staff members and maintaining effective communication, hospitals can continue to serve patients during an attack.