Abstract

Background: In a healthcare system reliant on technology to enable care, threat actors are continually seeking to gain access to healthcare information technology (IT) systems. Cyber-attacks on Canadian healthcare infrastructure are on the rise and have dire impacts on clinical operations and safety¹. The Simulation Program at Unity Health Toronto, with its extensive experience with translation simulation, co-designed tabletop exercises that identified current state and resiliency of our systems.

Objectives: We used simulation to test the resiliency and continuity of our organization during a prolonged IT downtime (Code Grey). Collaborating with IT and Emergency Preparedness, the Simulation Program aimed to identify and document: 1) a clinical response to a complete IT systems outage; 2) key leadership decisions related to patient care; and 3) leadership decisions related to ransom demands.

Innovation: Translational simulation is a tool to help improve patient care and health systems through identification of safety and performance issues². Two translational simulation tabletops were designed to identify gaps in infrastructure and decision-making processes in relation to a cyber-attack. First, a clinically focused tabletop tested a unit’s response to a prolonged Code Grey in key contexts, e.g. a code response. The second, an Incident Management Team tabletop focused on testing the initiation of a Command Centre without network communications, identifying (un)available information, Code Grey specific impacts, and IMT decisions including ransom demands.

Impact: Planning and executing these simulations allowed teams to identify ‘at risk’ departments/areas and implement ‘quick wins’. These included: leveraging device management software on corporate phones, purchasing infrastructure for communication alternatives and working with external vendors to create redundancy for key infrastructure. The IT and Communications departments were able to test documented emergency plans, and the organization now has new knowledge to prioritize preparedness work for the organization. 

References:

1. Wilner, A. S., Luce, H., Ouellet, E., Williams, O., & Costa, N. (2021). From public health to cyber hygiene: Cybersecurity and Canada’s healthcare sector. International Journal (Toronto), 76(4), 522–543. https://doi.org/10.1177/00207020211067946
2. Nickson, C. P., Petrosoniak, A., Barwick, S., & Brazil, V. (2021). Translational simulation: from description to action. Advances in Simulation (London), 6(1), 6–6. https://doi.org/10.1186/s41077-021-00160-6