Resilience against IT attacks in hospitals : Results from an exercise in aGerman university hospital

Abstract

According to the legal definition healthcare systems and their components (e.g., hospitals) are part of the critical infrastructure of modern industrial nations. During the last few years hospitals increasingly became targets of cyber attacks causing severe impairment of their operability for weeks or even months. According to the German federal strategy for protection of critical infrastructures (KRITIS strategy), hospitals are obligated to take precautions against potential cyber attacks or other IT incidents. This article describes the process of planning, execution and results of an advanced table-top exercise which took place in a university hospital in Germany and simulated the first 3 days after acyber attack causing atotal failure of highly critical IT systems. During afirst stage lasting about 8 months IT-dependent processes within the clinical routine were identified and analyzed. Then paper-based and off-line back-up processes and workarounds were developed and department-specific emergency plans were defined. Finally, selected central facilities such as pharmacy, laboratory, radiology, IT and the hospitals crisis management team took part in the actual disaster exercise. Afterwards the participants were asked to evaluate the exercise and the hospitals cyber security using aquestionnaire. On this basis the authors visualized the hospital's resilience against cyber incidents and defined short-term, medium-term and long-term needs for action. Of the participants 85% assessed the exercise as beneficial, 97% indicated that they received adequate support during the preparations and 75% had received sufficient information; however, only 34% had the opinion that the hospital's and their own preparedness against critical IT failures were sufficient. Before the exercise took place, IT-specific emergency plans were present only in 1.7% of the hospital facilities but after the exercise in 86.7% of the clinical and technical departments. The highest resilience against cyber attacks was not surprisingly reported by facilities that still work routinely with paper-based or off-line processes, the IT department showed the lowest resilience as it would come to acomplete shutdown in cases of atotal IT failure. The authors concluded that the planning phase is the most important stage of developing the whole exercise, giving the best opportunity for working out fallback levels and workarounds and through this strengthen the hospitals resilience against cyber attacks and comparable incidents. Ameticulous preparedness can minimize the severe effects atotal IT failure can cause on patient care, staff and the hospital as awhole.