Why Healthcare Organizations Desperately Need Incident Response (And The Technology To Support It)

Published February 23, 2023; updated March 26th, 2023. News

The healthcare industry has long been a favorite target for cybercriminals.

Sophos observed a 94% increase in healthcare cyberattacks between 2021 and 2022, while a 2022 study found healthcare breaches rose by 51% in just three years.

The consequences of attacks go beyond their financial impact. Ponemon Institute research found a direct link between cyberattacks and increased patient mortality. Ransomware attacks, in particular, have led to delayed treatments, extortion attempts against patients and even deaths.

A strong incident response (IR) program is essential to protect healthcare systems and patient services from cyberattacks.

5 Foundations Of A Strong Incident Response Program

No matter how strong your preventative controls are, it’s impossible to prevent all incidents. A computer security incident response team (CSIRT) provides the last line of defense against cyberattacks by quickly identifying, containing and recovering from threats.

An effective CSIRT is built on five foundations.

1. The Mission Statement

This is a clear set of actionable objectives agreed upon by all stakeholders. These objectives inform everything from the program’s funding, staffing levels, priorities and even the tools and techniques used.

2. Formal Documentation Of Roles And Responsibilities

A CSIRT should have clear responsibilities and be empowered to circumvent business-as-usual processes in emergencies. The team needs lines of communication with all stakeholders, including legal, executive management, PR and cyber insurance providers, as well as an internal communications strategy to inform employees and business partners about incidents.

Finally, there must be procedures to communicate with data privacy and cybersecurity regulators to ensure adherence to legal and compliance requirements.

3. Processes For Incident Detection, Management And Containment

The fastest process is one that’s been planned, tested and validated in advance. While you can’t anticipate every scenario, most incidents fall into predictable categories, making them prime candidates for pre-planned responses.

4. Recovery Plan

CSIRTs must be able to recover from an attack and restore normal operations. Most of this work can be planned in advance, allowing teams to quickly verify that affected assets are no longer a threat, bring systems back online and ensure personnel have full access restored. The plan should include details of all communications required.

5. Post-Incident Review

Every IR program should have a thorough post-incident review process to determine how well each incident was handled, what was learned and whether changes are needed to documentation or processes. Post-incident reviews may also conclude that additional preventative controls are needed.

The Challenges Of Healthcare Incident Response

Modern IT environments are highly complex, and organizations in every industry face more cyber threats than ever. However, healthcare CSIRTs face a particular challenge for two reasons.

1. Acute Sensitivity To Operational Disruption

Most healthcare organizations have a low tolerance for disruption because it can cause adverse medical outcomes. This necessitates a serious investment of resources, workforce and preparation to ensure incidents are identified and resolved promptly.

2. Non-Standard Devices

It’s straightforward to “scrape” data from most devices to analyze the root cause of an incident. However, this is typically not possible with Internet of Medical Things (IoMT) devices.

IoMT devices are comparable to PCs from 15-plus years ago when it comes to logging and monitoring. Devices often run outdated or obscure operating systems, and manufacturers don’t allow customers to make changes (e.g., installing agents) without voiding warranties. As a result, healthcare CSIRTs must obtain root cause data from the network.

Four Crucial Ingredients For Effective Healthcare Incident Response

An effective healthcare IR program requires the ability to do four things.

1. Collect Data Instantly And Store It Over Time

Free, open-source tools like Wireshark can easily capture a full range of network data. However, continuously capturing all network data is overwhelming. Instead, healthcare CSIRTs must capture data when an incident occurs and correlate events across the network to get a full picture.

Achieving this manually is far too slow to support rapid response. Instead, CSIRTs need technology that monitors the network, detects anomalies and collects relevant data during those time windows.

For example, the technology should:

• Detect when an IoMT device behaves unusually.

• Initiate packet capture.

• Identify related activity across the network.

• Provide a “stitched together” view of all related activity.

The technology must “fire” on more than just known threats. Misconfigurations, unusual behaviors and other anomalies can all indicate something requires investigation.

2. Set Granular Policies On-Event

Time is of the essence. Automation is essential, as human response is too slow.

CSIRTs need technology to automatically apply network policies when triggers occur. For example, when a device begins to behave unusually, technology should be capable of applying policies that prevent it from endangering other areas of the network.
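Sections 1 and 2 above describe a single loop: detect unusual IoMT behaviour, capture and stitch together related activity, then apply a containment policy automatically. The Python block below, added here as an illustration and not code from the original article or any product, works through that loop over constructed flow records; the device address, its peers, the time window and the rule format are all assumptions.

```python
# Added example: learn each IoMT device's normal (peer, port) pairs from a clean
# period, trigger on a flow to an unseen pair, correlate nearby flows that touch
# the device or its new peer, and emit an allow-list policy for the device.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int     # seconds (constructed values)
    src: str
    dst: str
    dport: int

# Constructed sample: an infusion pump (10.1.5.20) normally only talks to its
# management server; at t=1000 it suddenly opens SMB to a workstation subnet.
BASELINE = [Flow(t, "10.1.5.20", "10.1.0.10", 443) for t in range(0, 900, 60)]
LIVE = [
    Flow(990, "10.1.5.20", "10.1.0.10", 443),
    Flow(1000, "10.1.5.20", "10.2.7.41", 445),  # anomalous: new peer and port
    Flow(1003, "10.2.7.41", "10.2.7.42", 445),  # related: the new peer moves on
    Flow(1250, "10.1.5.20", "10.1.0.10", 443),  # outside the correlation window
]

def learn_baseline(flows):
    """Map device -> set of (peer, dport) pairs seen during the clean period."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add((f.dst, f.dport))
    return seen

def detect(flows, baseline, devices):
    """Return the first flow from a monitored device to an unseen (peer, port)."""
    for f in flows:
        if f.src in devices and (f.dst, f.dport) not in baseline[f.src]:
            return f
    return None

def correlate(flows, trigger, window=60):
    """Stitch together flows within +/-window seconds that touch the device or its peer."""
    hosts = {trigger.src, trigger.dst}
    return [f for f in flows if abs(f.ts - trigger.ts) <= window and {f.src, f.dst} & hosts]

def containment_policy(device, baseline):
    """Allow only the learned peers, deny everything else (assumed vendor-neutral format)."""
    allow = sorted(f"{peer}:{port}" for peer, port in baseline[device])
    return [{"action": "allow", "src": device, "dst": d} for d in allow] + \
           [{"action": "deny", "src": device, "dst": "any"}]
```

The trigger flow's timestamp is the natural start of the packet-capture window, and the correlated flows are what a "stitched together" view would present to the analyst.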

3. Investigate Further

Before a CSIRT can close an incident, it must ensure no symptoms of the threat remain in the environment. This process requires technology that supports thorough forensic analysis of affected assets—either via network traffic for IoMT devices or directly from other devices.

CSIRTs should learn from incidents to set or refine monitoring policies to help prevent or detect future incidents.

4. Benchmark Against Other Organizations And The Wider Industry

Benchmarking against similar organizations is essential for several reasons.

• To ensure the program is performing to an acceptable standard.

• To identify if and where improvements are needed.

• To prove the program is generating ROI.

• To highlight when the program is not sufficiently funded to achieve its objectives.

Prevention Is Better Than A Cure

A properly funded, staffed and equipped IR program is essential.

It must be supplemented with risk-based and evolving preventative security measures—but the ability to quickly detect, resolve and recover from incidents is crucial to protect against threats.

While it’s true investing in such a program can be expensive, the cost is far less than continuously recovering from data breaches and service disruptions.