Healthcare Business Continuity at Risk
Healthcare cyberattacks are becoming more frequent and more disruptive to critical operations. Earlier this year, a cyberattack crippled a major U.S. health system, disrupting activities across 140 hospitals in 19 states. The attack rendered critical systems unavailable, including EHR, MyChart, phone systems, and the ordering and verification systems used to procure procedures and medications for patients. In some cases, emergency services experienced disruptions as well.
EHR access was not fully restored for over a month. During this time, healthcare providers and patients had to rely on paper files and manual communication, which were not only inefficient but potentially out of date.
According to the World Economic Forum:
- “The healthcare industry has become a prime target for cybercriminals due to the vast amount of sensitive patient data it holds and the criticality of its operations.
- In 2023, the healthcare industry reported data breaches costing an average of $10.93 million per breach — almost double that of the financial industry, which came in second with an average cost of $5.9 million.
- Cyberattacks on healthcare organizations can put patients’ lives and entire organizations at risk.”
How Does Cloud Read-Only Help Healthcare Disaster Recovery?
Three years ago, Epic introduced the concept of using a Cloud Read-Only (CRO) environment to provide access to critical EHR data during a ransomware attack. Sophisticated attacks may target and render Epic Production, Reporting, and DR environments inaccessible, leading to operational shutdowns and compromising patient safety. An Epic CRO environment can be effectively air-gapped from other environments to minimize the effects of other compromised systems. While Epic CRO doesn’t provide full EHR functionality, it can deliver access to up-to-date critical patient care data within minutes of a cyberattack.
Deaconess Health: Preparing for Disaster
Learn how Vervint created a cloud-based solution to help Deaconess ensure business continuity and patient care – even when disaster strikes.
Benefits of an Epic CRO Environment
- Allows healthcare providers to access vital information such as patient demographics, allergies, medications, lab results, and clinical notes during a production outage.
- Reduces the risk of data loss and corruption potentially resulting in reduced cyber insurance premiums.
- On-demand scaling can minimize the operational costs of an Epic CRO environment.
- Improves the compliance and auditability of recovery systems, as the underlying cloud infrastructure provider follows industry standards.
Epic in the Cloud: Why move? Why now?
If you’re looking for a place to start understanding Epic in the cloud, why it matters and why your organization should care, you’ve found it!
Best Practices for Epic CRO Business Continuity
Healthcare cyberattacks will continue to be a concern for organizations looking to protect patient care and manage business continuity. In addition to the guidance published by Epic, Vervint recommends and incorporates the following practices when implementing Epic Cloud Read-Only environments:
Organizational Isolation
Implement Epic CRO environments in a cloud organization or tenant that is separate from the one used for other cloud operations. This prevents breaches of the Epic CRO environment if a cloud organization or tenant’s domain-level administrative credentials are compromised.
Identity Isolation
Incorporate an isolated identity solution into Epic CRO environments instead of using corporate identity solutions such as Active Directory. Minimize the isolated identity solution to facilitate only required administrative access and operations of the Epic CRO environment. Epic-native authentication with MFA is recommended for end-user access.
Network Isolation
Minimize required network connectivity between production networks and the CRO environment according to Epic guidelines. For additional security, we recommend implementing zero-trust network isolation within the CRO network using cloud-native services such as NSGs and firewalls.
Management Isolation
Many cyber breaches are the result of poor administration practices or the compromise of administrator credentials. This can be mitigated with isolation of the management and administration of Epic CRO environments (ideally to a third party). To this end, Vervint offers a fully-managed Epic CRO solution on Azure with certified Epic administrators.
Cloud-Native Services
Use cloud-native services whenever possible instead of third-party applications for firewalls, load balancers, etc. Cloud-native services provide on-demand scaling while significantly reducing the cost and complexity of the solution.
Infrastructure-as-Code (IaC) Pipelines
Deploy and administer the Epic CRO environment using IaC pipelines for additional testing, auditing, and rollback capabilities. This further reduces the need for elevated administrator access as all changes to the environment are performed through code that is checked in, reviewed, and then approved for deployment.
Ready to Disaster-Proof Your Organization?
Your healthcare organization needs resilient, robust, well-architected infrastructure solutions that will help support patient care, regardless of the circumstances. With over 20 years of experience helping healthcare providers design and implement Epic infrastructure solutions, Vervint is a premier partner for your EHR platform strategy.
It’s easy to get started. Vervint can help you design a robust disaster recovery and CRO strategy that’s aligned to your unique business and technical goals, costs less, and offers more flexibility! Schedule a meeting with one of our experts today to start the conversation.
3 Challenges in Modernizing Healthcare Technology
Many healthcare organizations are faced with the urgent requirement to update legacy technology to help their businesses succeed in a competitive environment.