Healthcare systems must minimize the vulnerability of their infrastructure and information systems to growing threats. This means adopting an appropriate mix of security measures, business continuity practices and emergency management planning measures to establish adequate response procedures for disruptions and natural disasters.
According to more than 31 research articles, the healthcare industry is slow to adopt the necessary measures to ensure the security of its stakeholders’ data, in this case, its employees and patients. In an article published on June 3, 2020, on the Radio-Canada website [French only], we learn that “the number of cyberattacks against the Canadian healthcare system jumped by 15% between 2018 and 2019.”
To face this threat, facilities must make a financial and time investment to protect technological infrastructures and to support service continuity. Despite both federal and provincial recommendations, this remains a major challenge, since healthcare facilities are complex organizations with many interdependent technologies.
The Healthcare Network – A Strategic Infrastructure
The security of strategic infrastructures, including those of healthcare systems, is an unavoidable state security issue. According to the Ministère de la Sécurité publique du Québec [French only], a strategic infrastructure is an infrastructure that provides a service of great importance to society. A breach would have major consequences for the health, safety or well-being of citizens or for the efficient functioning of government.
The cyber vulnerability of the provincial healthcare system’s technology infrastructure results from the accumulation of vulnerabilities in individual hospitals and other facilities. Computer applications are now linked together in real-time, which means that any loss of data can affect the entire ecosystem and activities of an organization. It is advisable to refer to the Synoptic table of key measures grouped by axes and objectives [French only] for all recommendations developed by the Government of Quebec.
The National Critical Infrastructure Strategy notes that a failure, breakdown, virus or human error in one of these facilities could jeopardize the entire healthcare network infrastructure, depending on the interdependencies of the affected computer system. In 2019, for example, a major blackout affected five hospitals in Montreal [French only]. For this reason, all CISSS and CIUSSS must move forward together to ensure that the resilience of critical infrastructures is strengthened and to make the industry less attractive to cybercriminals, and therefore less vulnerable in the event of a natural disaster [French only].
Real-Life Cases and Responsibilities
Events experienced by some facilities demonstrate the importance of protecting these infrastructures and having a quick action plan to deal with IT service continuity threats.
Among the many responsibilities of hospital IT management is that of ensuring the security of the IT infrastructure to guarantee, among other things, the continuity of services, including those provided to patients. The security of infrastructures and the importance of business continuity depend first and foremost on the culture of each organization. According to one of the CIOs interviewed in the scientific article Cybersecurity in Hospitals: A Systematic, Organizational Perspective, “Our culture wasn’t like this seven years ago…Bad things have had to happen at times. Nothing affects change like someone who makes a mistake.”
In Quebec, here’s what Steve Waterhouse had to say in an interview with La Presse [French only]: “In IT, as long as there’s no accident, we tell ourselves that we’ll deal with it if it happens. That’s where it hurts the most, and once again, it’s the people who pay the price.”
It would be a shame to wait for a disaster to drive the necessary change when protective measures can be implemented. The loss of data in a healthcare facility would be particularly catastrophic, because of the potential for medical errors with serious clinical consequences and deaths directly related to a breakdown in computer systems.
Ensuring Service Continuity in the Event of a Disaster
The purpose of a business continuity plan is to ensure the continuity of critical IT services in the event of a disaster. This plan must allow facilities to restart operations as quickly as possible (Recovery Time Objective, or RTO) with minimal data loss (Recovery Point Objective, or RPO) by following pre-established procedures.
According to Stéphane Dumont, Lumevi Director of Technical Solutions, best practices dictate three phases to maximize the availability of the technological infrastructure in the event of a disaster. First, data must be secured with a backup copy, one of the essential components of a continuity plan. Then, it is necessary to maintain current solutions and carry out migrations or version upgrades in due time. Finally, the team in charge must set up and implement a recovery plan and process for computer systems.
Critical success factors are planning, documentation of the impact of each process, and rapid activation of the plan. The IT management team must define and establish its RTO and RPO. This plan must be regularly tested to validate procedures, ensure that the plan is complete and achievable, and guarantee its success. As a result, the team will be able to detect incidents as early as possible in order to minimize impacts, reduce recovery efforts and maintain service levels.
The cooperation of the various sectors, asset holders and users is critical to the success of the recovery plan. The impact assessment must be carried out by a multidisciplinary team that will offer its analysis and commitment.
In the COVID-19 Context
The Canadian Centre for Cyber Security alerts facilities that [French only] “the COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations involved in the national response to the pandemic.”
Lumevi advises the implementation of backups on systems that previously appeared less critical. The pandemic highlighted the ongoing need for data availability to support the monitoring of statistics and patient care episodes.
The pandemic was also a reminder to keep the right reflexes and to test recovery plans, backups and data recoveries. Security drills and exercises can be implemented to provide a better understanding of roles and responsibilities during an incident, while reinforcing inter-team synergies, validating strategies, and ensuring that the continuity plan is up to date. Simulations of critical system failures can help validate the ability to recover and detect issues such as non-functional backups.