July 27, 2017

Cyber Security of Medicare: Tabletop Simulations: Part 8

By

EDITOR'S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the eighth installment in the series. 

Hospitals can mitigate the damage from a cyberattack by engaging in simulations designed to evaluate and improve their response. One variety of simulation is the “Tabletop Exercise” (TTX).

Unlike many organizations such as banks, the healthcare sector was never designed with a view to cyber security. Over time, the role of information systems has grown. It is only in the past few years when hospitals and others have felt the full threat of cyber sabotage. Serious hospital attacks have been growing at around 65 percent each year. For organizations that think of information technology only as a supporting infrastructure for their operations, it is common to find a lack of preparation.

Hospitals are in a very special category of organizations. If they are attacked, not only do they suffer damage to their organization and information systems, but they also will become the targets of the government. Inspections, audits, penalties, and fines are all actions that both the federal and state governments might take against a hospital if it loses control of its information system.  In addition, there is the question of patient care. Since a large number of patients depend upon various medical devices, they also are vulnerable to cyberattack. Cyber can kill.

Table top exercises for hospitals, abbreviated "TTX" are the perfect way for the organization to practice how they will respond to a cyberattack.  The TTX is a complex simulation. There are participants who respond to the scenario that is given to them. At the same time, a number of observers watch what is going on and take notes for future reference. When the team of participants meet to plot their response, a number of facilitators are dispatched to help to make sure the discussions go in the best direction.  Finally, this type of simulation employs a number of data collectors who track everything that happens and compile data that can be used later when making an assessment of how everyone performed.

In a tabletop exercise, first the team will receive a scenario and begin to respond. After the response has been recorded then results are calculated and saved for future analysis. The next stage is for the organization to compile what lessens it learned from the exercise. If this is done correctly, then often it will lead it to the development of new protocols.

Each simulation has a number of vignettes, which are called “Injects." These are not drug injections, instead, they are a modification in the scenario designed to challenge the participants and possibly throw them off guard. A better word for “inject” might be “monkey wrench”.

Tabletop Exercise: Scenario One

Here is an example of a scenario of the type that might form the basis for a tabletop exercise at a hospital.

The nursing staff notices a part-time security guard has started showing up an hour earlier than he needs to. Six months ago, the guard’s fiancé (also an employee at your facility) was laid off.  Without warning, several administrative employees received an email with an invitation to check out her latest vacation pictures by clicking on www.SeeMyVacationPhoto.com.  Then when they visit the website, they receive an error message such as: “404 Error File Not Found.”

Shortly thereafter the chief information officer receives an untraceable email. Inside the email she finds a file containing the electronic medical records, personally identifiable information, and credit card data for more than 1000 patients of the hospital. Along with this file is a note which states that this information plus data on an additional 5000 patients will go up for auction on the Dark Web. The bids close at midnight.

The remainder of the simulation focuses on the question of whether or not the healthcare organization was prepared for this type of scenario or in contrast, whether or not it must sustain significant damage.

This type of tabletop exercise is excellent because it brings together so many different parts of the healthcare organization. For example, the IT department, the department that handles compliance with federal laws and regulations, the department of security, and other organizations all are tested within the range of their competence.

The success of this type of exercise lies in the nature of the relationship between the different functional elements of the organization and how well they are able to coordinate with each other under extreme stress.

Scenario Two

The setting is a major trauma center. All of patient care is coordinated through an electronic medical records system. In order to keep things current, this software is updated on a regular basis. In fact, the software was updated only a few weeks ago.

The software has been working perfectly until today. The clinical support computers start to slow down, become sluggish, or completely freeze up and stop working. As a result, patient care becomes delayed. In response to this problem, the physicians in your facility began to switch over to manual procedures when they need to authenticate any patient information. As new patients continue to arrive, your healthcare facility becomes overwhelmed.

As the patient load continues to increase, your policies are changed so that only life-threatening emergencies are admitted to the facility. In general, your entire system has ground to a halt.

At this point, your director of information technology services receives notification from your sub-contractor that malware has been discovered. A worm has altered or erased entire data fields containing patient treatment information.

Scenario Three

It is a normal working day at your healthcare facility. Three of your administrative employees receive an email from the HR department. The email contains detailed instructions requesting them to update their passwords as a security measure. Conveniently, the email has a link to do this. Because many times in the past they have received emails with specific instructions regarding the use of the information system, they quickly update their passwords.

Within a few days, the chief financial officer discovers discrepancies in the accounting records. A quick investigation reveals that a cyberattack has been sustained against the billing system. It already was known that the system had a vulnerability, but unfortunately, this problem was not patched in a timely manner.

At this point, outsiders now control all of the billing system including receivables. The money cannot be recovered.

Shortly thereafter, the chief executive officer (CEO) receives a demand to pay $1 million dollars within 24 hours. If this payment is not received, then the entire database will be destroyed and all of the credit card information will be auctioned off on the Dark Web.

Not only is there an existential threat to the receivables for the facility, it also is the case that your system no longer is compliant with payment card industry requirements. As a result, your organization now is subject to penalties and fines. You quickly learn that the organization must pay out a minimum of $3 million to notify all patients whose credit card information has been taken and on top of that pay for one year of credit monitoring for each patient.

The Theory of Tabletop Simulations

It often is said that the organization which works best is one that practices the most. In the case of developing a robust response to cyber threats, the Department of Homeland Security has found that conducting tabletop exercises on a regular basis can greatly improve one's chances of surviving a severe cyberattack. The theory of tabletop simulations is that each round of practice leads to an evaluation which then leads to a change in procedures (protocol). The organization learns to communicate in the ways that are necessary given these extraordinary circumstances. It becomes possible to measure response time not merely within departments, but across the entire organization as a whole on a cross functional basis.

Have you ever thought about what happens when two football teams meet on the field? Let's assume for a moment that each team has exactly the same strength and speed. In this case, when all other conditions are experimentally controlled, so to speak, we find that the team which has practiced the most is the one that will win every time. We practice because in doing so we discover unexpected problems that can occur and if we are careful and keep records we change our procedures so the next time these unexpected events occur they can be dealt with effectively.

The cyberattack war against the United States and all of its organizations including the healthcare sector shows no sign of abating. We can only be sure of one thing: attacks will continue, attacks will become more severe, attacks will be more difficult to defeat, and attacks will become deadlier. At the heart of this problem is the simple fact that there is no such thing as a completely secure information system. It simply does not exist. Therefore, the art of management is knowing what to do in the best way when faced with the inevitable problems posed by a cyberattack.

Edward Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.

This email address is being protected from spambots. You need JavaScript enabled to view it.

Related Articles

  • Condition 44: Confusion is Prevalent
    Condition 44 is one of three perplexing issues reviewed by the author.  Last week was a boring regulatory week, other than the continuing talk about the proposed changes to evaluation and management (E&M) coding. That continues to dominate discussions, with…
  • The Proposed 2019 E&M Overhaul: How Changes Will Impact Your Bottom Line
    Practices need to get a handle on both their financial and RVU impacts. Recently, the Centers for Medicare & Medicaid Services (CMS) released a proposed rule that would change the face of evaluation and management (E&M) codes as we have…
  • CMS Proposes 50 Percent Reduction in Claims Submitted with Modifier 25
    The proposal is on the table as part of proposed E&M changes. By now I am sure that everyone is well aware that the Centers for Medicare & Medicaid Services (CMS) has proposed modifications to the reimbursement model for the…