Cyberattacks targeting health care organizations have increased in scope and impact over the last decade. These include “ransomware” attacks in which hackers lock organizations out of their own internet-connected files, systems, or networks until they pay a ransom. These attacks disrupt patient care and stress regional health care ecosystems.^1,2

The February 2024 cyberattack on Change Healthcare, a UnitedHealth Group subsidiary, demonstrated how such attacks can not only impact one hospital or health system but also ripple across all health care sectors due to consolidation in the industry. While much of the literature focuses on cyberattacks disrupting care for acute emergencies such as heart attack, stroke, or sepsis, they can also cause serious problems for patient health and clinic finances in primary care.^3,4 Family medicine clinics increasingly rely on systems connected to the internet — EHRs, pharmacy portals, laboratory systems, clinical image viewers, etc. — and the abrupt absence of these tools can drastically disrupt workflows if the practice is not prepared. Scheduled downtime intended for brief updates to computer systems is not sufficient preparation for cyberattacks, which can affect multiple technological systems for weeks or even months with no warning.^5,6

Preventing cyberattacks requires a detailed, multipronged approach that is beyond the scope of this article (for that, we recommend this 2023 federal report. Below, we offer guidance on how practices can keep patient care and revenue flowing even if a cyberattack causes prolonged tech outages.

CREATING A CYBERSECURITY RESPONSE PLAN

Clinics should prepare for the possibility of cyberattacks by creating a cybersecurity response plan, which involves the following:

1. Identify workflows with tech vulnerabilities. List the key workflows your practice follows before, during, and after a patient visit, and identify those that rely on internet-connected systems. This includes scheduling patients, accessing their contact information, checking patients in and out, processing orders (for referrals, labs, imaging, medications/refills, etc.), documenting visits, billing payers and patients, and reporting quality metrics.

2. Make technology-independent backup plans. When you have identified that a cyberattack has occurred, you will want to disconnect any affected devices in collaboration with your clinic's IT service provider and move to alternative workflows. As part of your current downtime procedures for regular IT maintenance, you likely have a number of backup processes in place. Consider whether they are adequate to withstand a prolonged disruption due to cyberattack and what additional backup plans you need to create.

For example, paper forms for ordering labs, billing payers, or documenting visits that you may have stocked to cover just a brief scheduled outage may need to be expanded to bridge weeks or even a month. The information you document on these paper forms can be logged in the EHR after the cyberattack is resolved and online systems are restored.

Another example is your clinic schedule. Many clinics now use internet cloud-hosted scheduling software, which may not be accessible during a cyberattack. Having a backup schedule — a regularly updated offline schedule with patients' appointment times and contact information as well as staffing schedules for a fixed future increment (e.g., a month) — will alleviate confusion and difficulty during a cyberattack. Designate a staff member to print a copy or save it to their computer's hard drive (not to the network or cloud) at the end of each work day.

3. Identify alternative communication systems. Your clinic's communication systems also may be disrupted during a ransomware attack. Cyberattacks can lock you out of your email system and may cause outages of Voice over Internet Protocol (VoIP) phone and e-fax services as well. If your practice uses those, have a backup plan that protects patient privacy, whether that's maintaining a single non-VoIP phone/fax number or having staff use personal devices with encrypted apps such as Signal (for audio calls), Doctolib Siilo (for text messaging), and Proton Mail (for email). Although HIPAA does not require encrypted communication, it is recommended practice.⁷

Cyberattacks can also cause a clinic's telemedicine system to go down. If telemedicine is a key part of your practice, designate someone with clinical expertise who can triage those appointments in the event of a cyberattack, deciding which can be rescheduled and which should be converted immediately into in-person visits.⁸

4. Have a plan for seeing patients. Even with proper preparation, the transition to offline processes may temporarily reduce your clinic's capacity to see patients. Establish procedures for triaging, cancelling, or rescheduling in-person appointments as needed, and identify offline ways to communicate with individual patients about their appointments (e.g., non-VoIP phone) and with the public at large about your facility's capacity to accept walk-ins (e.g., putting a sign on the door or notifying local media). Identify a facility or facilities to serve as a referral site if the disruption to your operations is substantial enough to prevent basic care or services, such as requests for prescription refills. With a proper plan in place, practices should expect this level of disruption to last no more than a day or two.

5. Identify at-risk patient groups. Certain patient populations may be at risk of disproportionate harm from a cyberattack. Consider maintaining an offline database of these patients and their contact information so you can prioritize their care, and designate a staff member to notify them of how to get in touch with you if you have had to move to alternative communication systems. Vulnerable patients may include the following:

• Patients with unstable chronic conditions for whom cyberattacks may disrupt essential physiological monitoring⁹ (hospital staff might be able to order in-house imaging or labs through a runner or paper forms during a cyberattack outage, but outpatient clinics without such services will need to make plans to order testing without internet-connected systems),

• Patients scheduled for follow up after a hospital admission or emergency room visit (whose care likely relies on the ability to access lab studies, medication prescriptions, and hospital records, which may be less accessible during a ransomware attack),

• Newborn patients (cyberattacks may hinder a clinic's ability to register new births, complicating follow up for these patients⁵), particularly those with conditions such as hyperbilirubinemia discharged from the hospital on the assumption that an outpatient clinic can monitor their bilirubin level (in the event of a cyberattack, the discharge weight and previous bilirubin levels may be unknown, which can make a critical difference in the decision to send a baby to the ER, initiate home phototherapy, or continue to monitor as an outpatient),

• Patients late in pregnancy for whom cyberattacks can impact birth procedures (e.g., loss of access to blood products and surgical theatres leading to cancellation of planned C-sections and changes to labor plans for pregnant mothers¹⁰),

• Patients in cancer treatment (cyberattacks may prevent radiation-guided treatment, block access to cloud-based chemotherapy platforms, and force clinicians to try and reconstruct complex cancer treatment regimes from memory¹¹),

• Palliative care patients (a shutdown of IT systems during a cyberattack can cause difficulties in accessing important palliative information and medications, leading to obstructed care at a critical time for these patients and their families).

6. Prepare to continue business operations without online systems. All cybersecurity preparedness plans should include a process that allows the practice to temporarily convert to paper billing. Insurance companies may have strict timelines for filing claims and supporting documentation and could deny late filings even if the delay was due to a cyberattack. Practices can prepare by storing preprinted billing documents with a list of each insurer's fax number and mailing address in a secure box onsite.

Practices should also prepare for the possibility that they will be unable to accept payments from patients electronically or in-person via credit card during a cybersecurity event. Practices may choose to defer these payments until electronic services are restored, but they still need an offline way to track what's owed. This requires having paper documents that include a place to write account balances and a space for the patient's signature acknowledging the debt (carbon copy forms allow you to give one to the patient as well as keep one for the practice's records). If deferring patient payments will cause too many cashflow difficulties, work with a credit card servicer that offers offline processing.¹²

IMPLEMENTING THE CYBERSECURITY RESPONSE PLAN

Once you have developed a cybersecurity response plan, you need to test it, as you would with a fire drill. Running cybersecurity “tabletop exercises,” or simulations, helps practices find weaknesses in their response plan and helps the cybersecurity response team get comfortable filling their roles. Larger practices may have an in-house IT team that can design such a simulation. Smaller practices can use national guidance and existing research studies as templates.^13,14

As with all emergency preparedness plans, cybersecurity drills should be performed and reviewed yearly and updated when a clinic adopts new technology (e.g., VoIP phones). If a practice is part of a health care system, cybersecurity plans will need to align with the response plan of the larger institution. Points of contact to coordinate plans include an organization's chief information security officer (CISO) or emergency manager.

While a response plan can help clinics safely continue operations during a cyberattack, it does not address the cyberattack itself. For that, practices should contact their IT teams, as well as their local FBI office and the federal Cybersecurity and Infrastructure Security Agency (CISA). CISA is the one-stop location for reporting cybersecurity events through their portal page, via email at SayCISA@cisa.dhs.gov, or by phone at 1-844-Say-CISA. Since 2022 the Cyber Incident Report for Critical Infrastructure Act (CIRCIA) has required “covered entities” to report cybersecurity and ransom-ware events to CISA within 72 hours. Your response plan should assign one member of the cybersecurity team to do this.

Having a plan and drilling it regularly should give practice staff more confidence in their ability to weather a cyberattack, but it's still likely to be stressful if one occurs. Just as you check in on your at-risk patients, it may be worthwhile to check in on your staff to inquire about burnout. It may also be helpful to let them know that you have contacted authorities and keep them updated on any developments in the attack investigation, as well as any potential timeline for restoring affected systems and returning to normal processes.

FUTURE DIRECTIONS

Cyberattacks in health care are still a relatively new phenomenon and further study is needed to establish standardized metrics to track post-attack clinical and financial outcomes and assess the efficacy of cyberattack preparedness plans. Our hope is that these recommendations will help raise the cybersecurity awareness and resilience of family medicine clinics that constitute a key public health resource. While preparation will not prevent attacks, we believe it can reduce harm and keep practices operational.