The healthcare industry has long been a favorite target for cybercriminals.
The consequences of attacks go beyond their financial impact. Ponemon Institute research found a direct link between cyberattacks and increased patient mortality. Ransomware attacks, in particular, have led to delayed treatments, extortion attempts against patients and even deaths.
A strong incident response (IR) program is essential to protect healthcare systems and patient services from cyberattacks.
5 Foundations Of A Strong Incident Response Program
No matter how strong your preventative controls are, it’s impossible to prevent all incidents. A computer security incident response team (CSIRT) provides the last line of defense against cyberattacks by quickly identifying, containing and recovering from threats.
An effective CSIRT is built on five foundations.
1. The Mission Statement
This is a clear set of actionable objectives agreed upon by all stakeholders. These objectives inform everything from the program’s funding, staffing levels, priorities and even the tools and techniques used.
2. Formal Documentation Of Roles And Responsibilities
A CSIRT should have clear responsibilities and be empowered to circumvent business-as-usual processes in emergencies. The team needs lines of communication with all stakeholders, including legal, executive management, PR and cyber insurance providers, as well as an internal communications strategy to inform employees and business partners about incidents.
Finally, there must be procedures to communicate with data privacy and cybersecurity regulators to ensure adherence to legal and compliance requirements.
3. Processes For Incident Detection, Management And Containment
The fastest process is one that’s been planned, tested and validated in advance. While you can’t anticipate every scenario, most incidents fall into predictable categories, making them prime candidates for pre-planned responses.
4. Recovery Plan
CSIRTs must be able to recover from an attack and restore normal operations. Most of this work can be planned in advance, allowing teams to quickly verify that affected assets are no longer a threat, bring systems back online and ensure personnel have full access restored. The plan should include details of all communications required.
5. Post-Incident Review
Every IR program should have a thorough post-incident review process to determine how well they were handled, learning points and whether changes are needed to documentation or processes. Post-incident reviews may also conclude that additional preventative controls are needed.
The Challenges Of Healthcare Incident Response
Modern IT environments are highly complex, and organizations in every industry face more cyber threats than ever. However, healthcare CSIRTs face a particular challenge for two reasons.
1. Acute Sensitivity To Operational Disruption
Most healthcare organizations have a low tolerance for disruption because it can cause adverse medical outcomes. This necessitates a serious investment of resources, workforce and preparation to ensure incidents are identified and resolved promptly.
2. Non-Standard Devices
It’s straightforward to “scrape” data from most devices to analyze the root cause of an incident. However, this is typically not possible with Internet of Medical Things (IoMT) devices.
IoMT devices are comparable to PCs from 15-plus years ago when it comes to logging and monitoring. Devices often run outdated or obscure operating systems, and manufacturers don’t allow customers to make changes (e.g., installing agents) without voiding warranties. As a result, healthcare CSIRTs must obtain root cause data from the network.
Four Crucial Ingredients For Effective Healthcare Incident Response
An effective healthcare IR program requires the ability to do four things.
1. Collect Data Instantly And Store It Over Time
Free, open-source tools like WireShark can easily capture a full range of network data. However, continuously capturing all network data is overwhelming. Instead, healthcare CSIRTs must capture data when an incident occurs and correlate events across the network to get a full picture.
Achieving this manually is far too slow to support rapid response. Instead, CSIRTs need technology that monitors the network, detects anomalies and collects relevant data during those time windows.
For example, the technology should:
• Detect when an IoMT device behaves unusually.
• Initiate packet capture.
• Identify related activity across the network.
• Provide a “stitched together” view of all related activity.
The technology must “fire” on more than just known threats. Misconfigurations, unusual behaviors and other anomalies can all indicate something requires investigation.
2. Set Granular Policies On-Event
Time is of the essence. Automation is essential, as human response is too slow.
CSIRTs need technology to automatically apply network policies when triggers occur. For example, when a device begins to behave unusually, technology should be capable of applying policies that prevent it from endangering other areas of the network.
3. Investigate Further
Before a CSIRT can close an incident, it must ensure no symptoms of the threat remain in the environment. This process requires technology that supports thorough forensic analysis of affected assets—either via network traffic for IoMT devices or directly from other devices.
CSIRTs should learn from incidents to set or refine monitoring policies to help prevent or detect future incidents.
4. Benchmark Against Other Organizations And The Wider Industry
Benchmarking against similar organizations is essential for several reasons.
• To ensure the program is performing to an acceptable standard.
• To identify if and where improvements are needed.
• To prove the program is generating ROI.
• To highlight when the program is not sufficiently funded to achieve its objectives.
Prevention Is Better Than A Cure
A properly funded, staffed and equipped IR program is essential.
It must be supplemented with risk-based and evolving preventative security measures—but the ability to quickly detect, resolve and recover from incidents is crucial to protect against threats.
While it’s true investing in such a program can be expensive, the cost is far less than continuously recovering from data breaches and service disruptions.