We are trained from a young age to know what to do if our house is on fire. Simple educational messaging, reinforced over time, conditions a universal response that can save lives.
But when it comes to a healthcare cybersecurity event, reactive measures too often remain an afterthought or are not properly documented. These oversights put everyone at risk by causing confusion that can delay critical action when seconds count.
I’m reminded of a hospital that recently faced a minor ransomware attack. Fortunately, IT staffers were able to spot the intrusion, but the absence of a clear procedure prevented a timely response, which allowed the attack to affect half of the organization’s network.
The lapses are understandable — or, at least, they used to be. Cybersecurity teams have long focused on preventive measures, but they must now anticipate a breach of some kind due to the growing sophistication of threat actors and operating environments.
Simply put, we must train ourselves to smell smoke and safely evacuate.
To be ready, healthcare organizations should develop a robust incident response plan. Here are several reasons why this critical step matters:
1. Your Team Will Be Authorized (and Ready) to React
Without a properly documented plan to guide your response, people might panic, just as they would in an actual fire. This is why all organizations hold fire drills. If you haven’t run tabletop exercises or refreshed training for the health IT teams that handle cybersecurity incident response, their response will be as effective as throwing water on a grease fire. Thoroughly document your plan and communicate it to all key stakeholders.
2. You’ll Be Following Proven, Universal Protocol
Basing your incident response plan on the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques created from real-world observations, is critical. And the plan must anticipate a range of scenarios: Does it account for an outsider in your network? What about ransomware or a distributed denial of service attack? Customized protocols for each scenario can spell out the essential steps your organization must take to remain operational after that event.
3. You Could Prevent Small Incidents from Snowballing
A plan is worthless without constant vigilance and swift action. Start by knowing where your protected health information lives and which systems are most vulnerable. The first inkling that something’s amiss should compel you to pull logs and review them for anomalies. Deploying monitoring throughout your network that flags specific behaviors, such as a single host downloading or uploading unusually large amounts of information, is also vital.
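As an added illustration of the log review and behavior monitoring described above (this is example code written for this page, not the article’s or any vendor’s tooling): a small Python detector that reads egress log lines, sums outbound bytes per source host and destination, and flags pairs whose upload volume exceeds a policy threshold. The log format, host names, the 500 MiB threshold and the sample lines are all constructed assumptions; adapt `parse_line()` to the export format of your own proxy or firewall.

```python
"""
Added example (not from the original article): review constructed egress log
lines and flag hosts that upload unusually large amounts of data, one of the
behaviors the article says your network monitoring should look for.

The log format, field order, host names and threshold below are assumptions
made for this example, not values from any real product or policy.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, source host, destination, bytes_in, bytes_out.
# The last line is deliberately malformed to show that bad records are skipped.
SAMPLE_LOG = """\
2024-03-01T09:00:12Z ws-radiology-07 ehr.internal.example 52310 1840
2024-03-01T09:01:45Z ws-radiology-07 ehr.internal.example 48877 2011
2024-03-01T09:03:02Z ws-billing-12 files.example-cloud.net 1200 734003200
2024-03-01T09:04:19Z ws-billing-12 files.example-cloud.net 980 612368384
2024-03-01T09:05:33Z ws-nursing-03 ehr.internal.example 61000 2200
2024-03-01T09:06:10Z ws-nursing-03 mail.internal.example 3100 45000
this line is malformed and should be skipped
"""

# Assumed policy value: alert when one host sends more than 500 MiB to one destination.
UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024


def parse_line(line):
    """Parse one whitespace-separated record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, b_in, b_out = parts
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "bytes_in": int(b_in),
            "bytes_out": int(b_out),
        }
    except ValueError:
        # Unparseable timestamp or byte count: skip rather than crash the review.
        return None


def aggregate_egress(lines):
    """Sum outbound bytes per (source host, destination) pair, skipping bad lines."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[(rec["src"], rec["dst"])] += rec["bytes_out"]
    return dict(totals)


def flag_large_uploads(lines, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return sorted [(src, dst, bytes_out)] for pairs whose total upload exceeds threshold."""
    totals = aggregate_egress(lines)
    return sorted(
        (src, dst, n) for (src, dst), n in totals.items() if n > threshold
    )


if __name__ == "__main__":
    for src, dst, n in flag_large_uploads(SAMPLE_LOG.splitlines()):
        print(f"ALERT large upload: {src} -> {dst} {n / (1024 * 1024):.0f} MiB")
```

Running the block prints one alert for the billing workstation, which moved roughly 1.25 GiB to an external file host across two records while every other host stayed in the kilobyte range. In practice the threshold would be tuned per system role, and an alert like this should route into the documented response procedure rather than sit in a log nobody reads.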
4. You May Choose to Leverage the Advice of Experts
Patients get the bulk of the attention in healthcare; IT departments tend to be bootstrapped. I don’t think it’s a good idea, therefore, to create your own incident response plan — you could miss a critical component. Consider bringing in a third party to help. An effective MITRE ATT&CK plan, for instance, has 13 steps. A trusted partner can ensure you don’t overlook any detail that could unknowingly thwart a breach remediation effort.
5. Your Plan Can Evolve to Address New Tools and Threats
We’re conditioned to change the batteries in our smoke alarms to ensure our safety each year; revising an incident response plan should follow the same cadence. With new devices and infrastructure rapidly changing healthcare delivery — as well as a growing wave of cyberthreats during the pandemic — it’s critical to revise and reshare your plan with IT teams so everyone is positioned to effectively squelch a flame.
This article is part of HealthTech’s MonITor blog series.