I think there are no plans because the risk the backup procedures create is high enough to make it more prudent to just shut down.
Miscommunications in hospitals are a significant risk, even with EHR (thus the original requirements for EHR). If we assume a full IT outage, then EHR is effectively a non-option. That means we're probably back to using paper. Except now, no one uses paper outside of emergencies, so the original risk of miscommunication with paper is now compounded by the lack of familiarity with it. That problem is going to get worse over time as the medical personnel who used to work entirely on paper retire and are replaced with younger people who have never worked on paper outside of emergencies.
Redundant systems are also harder to create for IT outages vs generators. Generators are simply providing an alternate source of a basic substance. In IT outages you have to consider supplying alternate sources of substances (Kubernetes is an example, as it manages many sources of CPU and network) as well as circumstances where the well of your substance is poisoned (i.e. someone put an infected file in an S3 bucket, or someone is running SQL injection attacks). Solving the first problem is easy, with things like high availability, Kubernetes, etc. The second problem still seems to be an open question; I've never seen a solution that really addressed it other than to backup frequently and try to make sure that your time to recovery is low.
I think the more sensible solution is to pursue what we're doing currently, and change your SLA from "hospital is available to patients" to "medical service is available to citizens within X minutes". We have redundancy in the form of multiple hospitals. Each hospital should be as reliable as possible, but a hospital failing is inevitable under some circumstances. Then we just need to focus on maximizing the efficiency with which we route patients to hospitals. The article says it took an hour to make a 20 mile drive. There has to be a way to improve that
I'm sorry you got hung up four words into my comment and were so upset you couldn't continue on to words five and beyond. I am amazed at your ability to divine, from four words alone, my passionate desire to censor the internet, whatever that means.
Or, you know, a hack that includes no ransom demand could easily be what is commonly called "griefing" (word #5), or perhaps something else in a similar vein, aka "etc" (word #6), and as I said, are not lighthearted fun, despite being activities often engaged in by people who don't consider the effect of their actions on others.
It occurs to me now that pretending to deliberately misread my comment as the opposite of what it actually says is first-class trolling of the fun and games variety. Well done, you! Odd context, given the severity of the issue at hand, but carry on.
No, the hospital was held ransom, and a patient died because of a ruthless criminal's greed. I understand that there is a desire to improve security, but it does not mean that 'hackers' are innocent.
No, your parent poster is correct. Blame goes to the negligent persons responsible for the IT system and everyone else up the chain. They are at fault for getting in the first place into the situation where the ransom attack was possible. The state prosecution should have a field day.
To make this crystal clear: they did not patch their software that was already vulnerable for half a year, and there was no supervision to enforce it getting done.
Hospitals need to be connected. They need to send and receive EMRs from other hospitals. They need to receive security updates for their own software (eg Windows has a Bluetooth vulnerability... someone could hack from inside). Medical providers need to look up information and consult doctors in other areas if a patient is being transferred.
The solution here does not need to be “operate hospitals in digital isolation.”
I'd argue that hospital computers shouldn't even have Bluetooth, but that aside, you can still achieve outgoing communication without allowing incoming communication. Yes, a hacker might break into an office, hold an employee at gun point and gain access to their account and then move laterally, but that's a very different threat model than "somebody ran an exploit scanner on the university's AS and encrypted our servers".
Surely there should be some thought put into how to operate a hospital in case of a network/IT outage.