When it comes to building cybersecurity protocols for a healthcare provider’s network and equipment, no security strategy is unbreakable. A cybercriminal gaining access to a system is not uncommon; the question is when, not if.

It is essential for every organization, whatever its size, to build and test an incident response and recovery plan. If a data breach does occur, the organization will then be in a position to limit the harm and communicate with the public.

A panel of experts will discuss incident response and recovery at the HIMSS Healthcare Security Forum in Boston next month, from 1:45-2:25 p.m. in the Essex Ballroom of the Westin Copley Place hotel.

In this preview of the December 9 discussion, two panelists with healthcare cybersecurity experience address the major questions of how to respond to, and recover from, suspicious events.

An Almost Inevitable Problem

Unfortunately, cyberattacks are today a virtual certainty, given the combination of rogue states and criminal groups operating from places with weak law enforcement or weak extradition arrangements, said Richard Staynings, chief security strategist at Cylera, an AI-driven healthcare cybersecurity vendor.

He was a member of the International HIMSS Privacy and Cybersecurity Committee and has helped hundreds of healthcare organizations worldwide improve their cybersecurity risk management programs.

He said that, aside from bringing the worst offenders to justice or sanctioning countries that engage in unlawful activity, there is little to deter these offenses. Current evidence suggests that attacks are becoming more frequent, more intense, and more destructive.

Staynings said that even though attacks are unavoidable, healthcare provider organizations and governments should have a response and recovery plan ready. Unfortunately, healthcare often lags behind in these areas.

He said resources are constrained and the sector has focused intensely on compliance as its way of preventing attacks, a posture that can no longer be justified given the rise of advanced persistent threats and well-funded adversaries.

Budget and Risk Constraints

Health systems, particularly the larger ones, could certainly justify investing millions of dollars in cybersecurity protection. However, many of them must work within a fixed budget and live with whatever risk their boards and CEOs are willing to accept.

He said it is a straightforward calculation of likelihood and impact, one that keeps changing as the threats change. Since an attack is almost certain to occur, the objective is to limit the extent of the damage by isolating and containing it, so that no single attack can succeed on a scale that causes significant destruction.

The goal is to limit any data breach to as few records as possible and to reduce the number of systems affected by an attack, so that disruption to patient care is minimized.

Laws and regulations have driven measures to keep protected health information and personally identifiable information from being accessed without authorization. In risk terms, however, a breach of confidential data is minor compared with the patient-safety concerns that a cyberattack raises.

Staynings noted that the healthcare field has emphasized confidentiality over the integrity and availability of health information and technical systems. The WannaCry ransomware incident showed the significance of attacks on availability when it disrupted a third of NHS systems across the UK, putting patient treatment and human life in danger.

Better Basic Security Housekeeping

The healthcare industry should be more mindful of essential security housekeeping, such as replacing end-of-life technology and software and consistently patching IT and IoT systems, including medical equipment and PACS platforms. This issue negatively affected the NHS and could cause substantial difficulty for most American hospitals if they do not apply updates.

He said healthcare networks need to be segmented into protected zones to contain infections and shield devices from malware and intruders. The sector urgently needs micro-segmentation and zero-trust approaches to restrict user and system-to-system access and to keep any security issue that does arise from spreading.
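As an added example (not from the article, Cylera or HIMSS), here is a small Python policy checker for the segmentation model described above: zones are address ranges, traffic between zones is allowed only when explicitly listed (default deny), and a micro-segmented zone additionally forbids its members from talking to each other. The zone ranges, the allowed flows and the flow records are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical network zones (constructed address ranges for this example).
ZONES = {
    "medical_devices": ip_network("10.10.0.0/24"),
    "pacs": ip_network("10.20.0.0/24"),
    "clinical_workstations": ip_network("10.30.0.0/24"),
    "guest_wifi": ip_network("192.168.50.0/24"),
}

# Explicit allowlist of (source zone, destination zone, destination port).
# Any inter-zone flow not listed here is denied: default deny between segments.
ALLOWED_FLOWS = {
    ("medical_devices", "pacs", 104),        # DICOM from modalities to PACS
    ("clinical_workstations", "pacs", 104),  # DICOM from viewer workstations
    ("clinical_workstations", "pacs", 443),  # web viewer over HTTPS
}

# Micro-segmented zones: members may not talk to each other, so a compromised
# device cannot spread laterally to its neighbours.
ISOLATED_ZONES = {"medical_devices"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str):
    """Return the zone name for an address, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(flow: Flow) -> bool:
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False  # unknown address: deny rather than guess
    if src_zone == dst_zone:
        return src_zone not in ISOLATED_ZONES
    return (src_zone, dst_zone, flow.dport) in ALLOWED_FLOWS


# Constructed flow records in "src dst dport" form (not real traffic).
SAMPLE_FLOWS = """\
10.10.0.15 10.20.0.5 104
10.30.0.7 10.20.0.5 443
10.30.0.7 10.10.0.15 445
192.168.50.22 10.10.0.15 22
10.10.0.15 10.10.0.16 445
10.30.0.7 10.30.0.8 3389
"""


def parse_flows(text: str):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        flows.append(Flow(src, dst, int(port)))
    return flows


def find_violations(text: str):
    """Return the flows in the record that the segmentation policy would block."""
    return [f for f in parse_flows(text) if not is_allowed(f)]


if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"BLOCK {f.src} -> {f.dst}:{f.dport} "
              f"({zone_of(f.src)} -> {zone_of(f.dst)})")
```

Run against the sample records, the checker blocks the workstation reaching a medical device over SMB, the guest network reaching a device over SSH, and one device reaching another; workstation-to-workstation RDP passes because that zone is segmented but not micro-segmented, which is exactly the gap a zero-trust design would close next.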

While it may not be feasible to stop every state-sponsored attack or advanced persistent threat, many of today’s incidents stem from exploit kits rather than new vulnerabilities and can be avoided with thorough security hygiene and timely patch management, he said.

He said any security team must build these preventive measures into its defenses to reduce the impact of an attack. Once protection is in place, it becomes easier to anticipate and plan for cyber liability deductibles as well as the costs of incident response and employee onboarding.

This arrangement also allows security incident response to be treated as a specialized service bought on a contractual basis, freeing in-house security staff to focus on other, more productive work.

Staynings advised that a security incident response team typically comprises:

  • Incident leader, who communicates with the leadership team.
  • Incident technical lead, who communicates and coordinates with the technical teams.
  • PR and marketing, who manage external communications and the disclosure of information.
  • Legal, who coordinate with law enforcement and regulators.
  • Executive leadership, who assess the impact on operations and ensure a safe, effective care delivery environment. The CEO appears on TV to publicly apologize for any breach or service interruption and to reassure the public that the incident has been contained and is being cleaned up.

Medical Device Cybersecurity

Julie L. Connolly, lead cybersecurity engineer at the Cyber Solutions Technical Center at The MITRE Corporation, is a panelist in the incident response and recovery session at the HIMSS Healthcare Security Forum. She is part of a MITRE group that is helping the U.S. Food and Drug Administration develop collaborative approaches to medical device cybersecurity, and she has significant insights on incident response and recovery.

She said she devotes much of her effort and expertise to medical device cybersecurity incident preparedness and response and to working with the FDA, and she was the lead author of the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.

The playbook includes a list of incident response roles and responsibilities. Legal and public affairs/corporate communications should be part of incident response, since they are instrumental in managing official statements and the information shared with the public.

Connolly explained that a lack of preparation, and a lack of support from top executives, can slow the response to incident response and cybersecurity matters.

She noted that clearly defined systems and processes, reviewed frequently through exercises, make the organization better prepared and cut the time needed to respond when a cyberattack happens. Sometimes it takes a breach, combined with monetary penalties or bad press, to prompt an organization and its executives to act.

The 6 Phases of a Cybersecurity Incident Response Plan

The SANS Institute divides a Cybersecurity Incident Response Plan (CSIRP) into 6 phases:

Phase 1 – Preparation

Building the structure of the CSIRP lays the foundation for every incident response procedure. The following tasks should be completed in the preparation phase:

1.1 Create Security Policies

Security policies should define your security hygiene standards. Behavioral boundaries may be set, for example, by prohibiting social media use on company computers and mandating multi-factor authentication for all corporate logins.

All staff should be made aware that the security policy includes monitoring tools, such as keyloggers, used to detect potential insider threats.

Formulate security policies for the enterprise as a whole, within the risk acceptance criteria, and for each department.

Writing security policies may surface previously unnoticed security problems that are weakening your security posture. For example, you may discover that certain departments do not encrypt sensitive data in transit.

Record every security risk and possible incident so that it can be addressed in the response strategy developed in the next step. Risk assessments and security questionnaires should be used to identify all security risks and threats from every one of your external vendors.

1.2 Create a Response Strategy

Develop plans for responding to each risk identified through the security policies and the assessments of external vendors.

To make sure your CSIRP is effective, the remediation process in each response strategy should give top priority to the risk with the greatest potential effect on your security capabilities. This is done by mapping every risk against your established risk appetite, ranking the risks by severity, and then designing remediation plans in that order.
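To make the mapping step concrete, here is an added Python example (not from the article or from SANS) that scores a constructed risk register on a 1-5 likelihood and impact scale, compares each score against a hypothetical risk appetite threshold, and produces the ordered remediation plan, flagging any above-appetite risk that still has no response strategy. The register entries, the vendor name, the scale and the threshold are all assumptions made for this example.

```python
from dataclasses import dataclass

# Hypothetical risk appetite: a score (likelihood x impact) above this value is
# outside what the board has agreed to accept and must have a remediation plan.
RISK_APPETITE_THRESHOLD = 9


@dataclass
class Risk:
    name: str
    source: str        # "internal" or the vendor the risk comes from
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (patient safety or major outage)
    remediation: str   # planned fix; an empty string means nothing planned yet

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed risk register based on the kinds of findings the text mentions
# (unencrypted transfers, unpatched systems, vendor access). Vendor name is made up.
REGISTER = [
    Risk("Sensitive data sent unencrypted between departments", "internal", 4, 4,
         "enforce TLS on inter-department transfers"),
    Risk("PACS server missing vendor security patches", "internal", 3, 5,
         "schedule a maintenance window and apply patches"),
    Risk("Vendor remote-support account without MFA", "ImagingCo (hypothetical)", 3, 4,
         ""),
    Risk("Social media use on clinical workstations", "internal", 5, 1,
         "block via web proxy policy"),
    Risk("Out-of-date browser on administrative laptops", "internal", 2, 3,
         "enable automatic updates"),
]


def _severity_key(risk: Risk):
    # Most severe first; ties broken by impact so a patient-safety risk
    # outranks a nuisance risk with the same score; then by name for stability.
    return (-risk.score, -risk.impact, risk.name)


def prioritize(register, threshold=RISK_APPETITE_THRESHOLD):
    """Split the register into (needs_remediation, accepted), each ordered by severity."""
    above = [r for r in register if r.score > threshold]
    accepted = [r for r in register if r.score <= threshold]
    return sorted(above, key=_severity_key), sorted(accepted, key=_severity_key)


def missing_plans(register, threshold=RISK_APPETITE_THRESHOLD):
    """Names of above-appetite risks that still lack a response strategy: gaps in the CSIRP."""
    needs, _ = prioritize(register, threshold)
    return [r.name for r in needs if not r.remediation.strip()]


if __name__ == "__main__":
    needs, accepted = prioritize(REGISTER)
    for r in needs:
        print(f"{r.score:>2}  {r.name} [{r.source}] -> {r.remediation or 'NO PLAN'}")
    print("accepted within appetite:", [r.name for r in accepted])
```

The threshold is deliberately a single number so that the board's risk appetite statement, not the security team, decides where the line falls; everything above it must appear in the response strategy before the plan is considered complete.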

Phase 2 – Identification

During the identification phase, security teams decide whether the incident response plan needs to be activated. The decision rests on a thorough review of error messages, log files, firewalls, and intrusion detection systems, with the aim of pinpointing significant deviations from normal behavior.

When something suspicious is noticed, the relevant incident response staff must be alerted immediately so there is enough time to take the right actions. Effective communication channels are essential for an incident response strategy to succeed.

Make sure your response teams have begun recording their response actions in an Incident Handlers Log.

Everyone in your company, not just the security team, should be aware of the risks that may arise. The importance of this requirement should be clearly stated in the security policies and emphasized during regular security awareness training.

Identification Phase Checklist:

The following checklist will help you address the critical requirements of the Identification phase:

  • Who identified the incident first?
  • Who reported the cyber incident?
  • Which device/network segment did the cyber incident occur in?
  • How was the cyber incident discovered?
  • What is the likely degree of impact?
  • Which critical systems are likely to be impacted?
  • Has the root cause of the incident been identified and located? If so, where and when was it found, and what is it?
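As an added example (not from the article or from SANS), the following Python code shows the identification phase in miniature: it parses constructed SSH authentication log lines, flags a burst of failed logins followed by a success, and opens an incident record whose fields mirror the checklist above, writing the first entries of the Incident Handlers Log. The log lines, host names, segment map, threshold and window are all constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, syslog-style SSH authentication lines (hosts, users and
# addresses are made up for this example).
SAMPLE_LOG = """\
2024-03-04T02:14:01Z ws-er-07 sshd: Failed password for admin from 10.30.0.44
2024-03-04T02:14:03Z ws-er-07 sshd: Failed password for admin from 10.30.0.44
2024-03-04T02:14:05Z ws-er-07 sshd: Failed password for admin from 10.30.0.44
2024-03-04T02:14:07Z ws-er-07 sshd: Failed password for admin from 10.30.0.44
2024-03-04T02:14:09Z ws-er-07 sshd: Failed password for admin from 10.30.0.44
2024-03-04T02:14:11Z ws-er-07 sshd: Failed password for admin from 10.30.0.44
2024-03-04T02:14:20Z ws-er-07 sshd: Accepted password for admin from 10.30.0.44
2024-03-04T08:05:10Z pacs-01 sshd: Accepted publickey for svc_backup from 10.20.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \w+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Detection tuning (assumed values): this many failures inside the window,
# followed by a success for the same host/user/source, is an anomaly.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=1)

# Hypothetical host-to-segment map used to fill the "which segment" field.
SEGMENT_OF = {"ws-er-07": "clinical_workstations", "pacs-01": "pacs"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    result: str
    user: str
    src: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in other formats are skipped, not treated as errors
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append(Event(ts, m["host"], m["result"], m["user"], m["src"]))
    return events


def detect_failed_then_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """One finding per (host, user, src) whose success follows a failure burst."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.host, e.user, e.src)].append(e)
    findings = []
    for (host, user, src), evs in by_key.items():
        failures = [e.ts for e in evs if e.result == "Failed"]
        for e in evs:
            if e.result != "Accepted":
                continue
            recent = [t for t in failures if e.ts - window <= t <= e.ts]
            if len(recent) >= threshold:
                findings.append({"host": host, "user": user, "src": src,
                                 "failures": len(recent), "at": e.ts})
                break
    return findings


@dataclass
class IncidentRecord:
    """Fields follow the Identification checklist; handler_log is the Incident Handlers Log."""
    detected_by: str
    reported_by: str
    location: str
    discovery_method: str
    likely_impact: str
    critical_systems: list
    root_cause: str = "not yet identified"
    handler_log: list = field(default_factory=list)

    def log(self, ts, actor, action):
        self.handler_log.append(f"{ts.isoformat()} {actor}: {action}")


def open_incident(finding):
    rec = IncidentRecord(
        detected_by="auth-log monitor (automated)",
        reported_by="SOC analyst on shift",  # placeholder until a person confirms
        location=f"{finding['host']} / {SEGMENT_OF.get(finding['host'], 'unknown segment')}",
        discovery_method=(f"{finding['failures']} failed logins for '{finding['user']}' "
                          f"from {finding['src']} followed by a successful login"),
        likely_impact="possible credential compromise on a clinical workstation",
        critical_systems=["PACS (reachable from the workstation segment)"],
    )
    rec.log(finding["at"], "monitor", "anomaly detected; incident opened")
    rec.log(finding["at"], "handler", f"incident lead notified; logs on {finding['host']} preserved")
    return rec


def triage(text):
    """Run detection over a log excerpt and return the incident records it opens."""
    return [open_incident(f) for f in detect_failed_then_success(parse_log(text))]
```

The record is opened with the root cause still marked as unidentified; the handler log entries answer "who detected it", "how", and "where" before anyone has touched the affected machine, which is the order the checklist expects.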

Phase 3 – Containment

The main goal of this phase is to isolate the cyber incident and stop further harm to adjacent systems. Once containment is achieved, a forensic investigation must be conducted immediately and a detailed report of the findings provided to stakeholders, board members, government agencies, and any cyber insurance company involved.

Do not alter the compromised environment until the forensic investigation is complete, or you risk forfeiting compensation from your insurer.

Phase 4 – Eradication

Response teams begin removing the threat while isolating infected devices during the Containment phase; that effort is carried through to completion in the Eradication phase.

Eradication efforts could involve:

  • Disabling infected systems to harden the network against ongoing cyberattacks.
  • Scanning infected systems for traces of malware and unpatched vulnerabilities.
  • Ensuring the vulnerabilities that caused the breach are addressed in clean backups of compromised systems.

Response teams should refer to the risk appetite defined in your risk appetite statement to determine the degree of security control needed to bring residual risk down to acceptable levels. The documentation that response team members have been compiling up to this phase will support this effort by indicating the potential impact of the cyber incident.

Phase 5 – Recovery

The aim of the recovery phase is to return systems to their pre-compromise state. The process begins with replacing compromised systems that have been through the Eradication phase with clean backups.

Keep in mind that the backups likely carry the same weaknesses that were exploited in the original cyberattack, so they must be addressed with the appropriate security patches and remediation.

Before reconnecting restored systems to the network, monitor for irregular log activity that may signal an ongoing malware infection or a possible Advanced Persistent Threat (APT).

Recovery Phase Checklist:

The following checklist will help you address the critical requirements of the Recovery phase:

  • Have compromised systems been replaced with sanitary backups?
  • Have the vulnerabilities that caused the breach been addressed in restored systems?
  • Have restored systems been monitored for suspicious activity?
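As an added example (not from the article or from SANS), the following Python code performs the two pre-reconnection checks the recovery text calls for: it verifies that a restored system carries the fixes recorded during the incident, and it looks in post-restore connection records for the regular, low-jitter check-in pattern that an implant surviving in a backup would produce. The required fixes, package versions, host names, addresses, timestamps and detection thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Fixes recorded during the incident (hypothetical): minimum package versions a
# restored backup must carry before the host goes back on the network.
REQUIRED_FIXES = {
    "pacs-01": {"dicom-server": (4, 2, 1), "openssl": (3, 0, 13)},
    "ws-er-07": {"openssh-server": (9, 6)},
}


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def unpatched(host: str, installed: dict) -> dict:
    """Packages on `host` that are missing or still below the required version."""
    missing = {}
    for pkg, minimum in REQUIRED_FIXES.get(host, {}).items():
        have = installed.get(pkg)
        if have is None or parse_version(have) < minimum:
            missing[pkg] = have
    return missing


def beacon_candidates(connections, min_count=6, max_jitter=0.10):
    """Flag (host, destination) pairs whose connection intervals are nearly constant.

    `connections` is an iterable of (timestamp, host, destination). Regular,
    low-jitter intervals are typical of malware checking in with a controller,
    which is what a restored backup may still contain. Thresholds are assumed.
    """
    by_pair = defaultdict(list)
    for ts, host, dst in connections:
        by_pair[(host, dst)].append(ts)
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((pair, round(avg)))
    return flagged


def ready_to_reconnect(host, installed, connections):
    """Return (ok, reasons) for a restored host; ok is True only with no findings."""
    reasons = []
    for pkg, have in unpatched(host, installed).items():
        reasons.append(f"{pkg} is {have or 'missing'}, below the required fix level")
    for (h, dst), period in beacon_candidates(connections):
        if h == host:
            reasons.append(f"regular connections to {dst} every ~{period}s")
    return (not reasons), reasons


# Constructed post-restore connection records (made-up hosts and addresses).
BASE = datetime(2024, 3, 6, 9, 0, 0)
SAMPLE_CONNECTIONS = (
    [(BASE + timedelta(seconds=s), "ws-er-07", "203.0.113.10")
     for s in (0, 300, 598, 900, 1200, 1499, 1800, 2100)]   # ~5-minute check-in
    + [(BASE + timedelta(seconds=s), "pacs-01", "10.20.0.9")
       for s in (0, 40, 540, 660, 1560, 1570)]               # irregular backup traffic
)

if __name__ == "__main__":
    for host, installed in (("pacs-01", {"dicom-server": "4.2.1", "openssl": "3.0.12"}),
                            ("ws-er-07", {"openssh-server": "9.6"})):
        ok, reasons = ready_to_reconnect(host, installed, SAMPLE_CONNECTIONS)
        print(host, "READY" if ok else "HOLD", reasons)
```

In the sample data the PACS host is held back because one library is still a version short of the fix recorded during the incident, and the workstation is held back despite being fully patched because its traffic shows a near-constant five-minute cadence to one external address; both checklist questions are answered with evidence rather than by assumption.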

Phase 6 – Lessons Learned

At this point, response teams should complete the documentation they have been compiling throughout the response. When finished, it should give a comprehensive account of the entire incident response process that stakeholders outside the incident response team can easily understand.

Within two weeks of any cyber incident, teams and stakeholders should meet to discuss what happened, how well the incident was handled, and how the response processes could be improved.

Here’s an example of an evaluation framework for a Lessons Learned meeting:

  • When was the cyber incident first detected?
  • Who detected the cyber incident?
  • Who reported the cyber incident?
  • Who was the cyber incident reported to?
  • How was the cyber incident contained?
  • How were the compromised systems sanitized?
  • What steps were taken to measure the success of eradication efforts?
  • What processes were involved in the recovery phase?
  • What areas were the response teams most effective in?
  • How can response efforts be improved for future similar cyber threats?

Once all team members have agreed on the most effective response procedure for this cyber incident, it should be documented as the approach to follow in similar future scenarios and fed back into the Preparation phase.
