Mar 22 2021

5 Ways to Update Your Healthcare Incident Response Plan

Cybersecurity response plans often become outdated, which can hamper the effectiveness of your team’s response.

Quick, find a copy of your healthcare organization’s cybersecurity incident response plan. Pull that binder off the shelf or call up an electronic copy. OK, now that you have it, let me ask you a few questions.

How long did it take you to find it? Did you have to dust off the physical binder? When was the digital copy last accessed? And, most important, if you were about to launch into an incident response effort right now, how confident would you be with that plan by your side?

If that quick exercise left you with an uneasy feeling in the pit of your stomach, you’re not alone. Many organizations have outdated incident response plans that haven’t been opened in months or years.

Now would be a great time to revisit your plan and make sure it’s ready to meet your needs based on your current operating environment and the modern threat landscape.

Plan Ahead to Prevent Chaos During Emergencies

Incident response plans are often first created to “check a box.” It’s not unusual for organizations to rush to quickly document their plan right before an audit or another type of review.

Whatever the impetus, technology leaders often pull together the first version of an incident response plan in a hurry to meet a deadline and then put it back on the shelf to gather physical or virtual dust.

READ MORE: What to know about hiring and training a cyber incident response team in healthcare.

That approach doesn’t do anyone any good. It might fulfill the immediate requirement, but the plan certainly isn’t a useful tool to help guide cybersecurity incident response efforts.

A well-designed incident response plan serves a much more important purpose. Such plans, when crafted properly, bring the calm, collected environment of the planning room into the chaos of a security incident. Let’s talk about five things that you can look for as you seek to revitalize your organization’s incident response plan.

1. Identify Your Critical Systems and Information

One of the most important components of an incident response plan is a list of the systems and information critical to business operations. This asset list serves as an important tool to prioritize incident response efforts, strengthening protections around those systems and restoring them first in the event of a service disruption.

Operational circumstances change over time, and it’s unreasonable to assume that the critical asset inventory that you developed when you first wrote your response plan is still valid today.

As you update your incident response plan, take the time to validate this list and determine whether your current environment, related to both patient care and business operations, warrants adding or removing items from the inventory.

2. Update Responses to Specific Threats

External changes also influence the effectiveness of your incident response plan. Just as your operations evolve over time, so does the threat landscape.

Researchers discover new vulnerabilities, attackers develop new tactics, and security controls mitigate risks in different ways. As you review your incident response plan, think about how changes in the external threat environment might impact your plan. What types of incidents are occurring at other healthcare organizations? Would your plan cover those incidents well?

MORE FROM HEALTHTECH: How is the chief experience officer role evolving?

For example, ransomware attacks have increased dramatically over the past year. While you might treat this threat as similar to other malware threats from a prevention standpoint, ransomware raises new questions from an incident response perspective.

Specifically, if you suffer a crippling ransomware attack, will you consider paying the ransom? If so, under what circumstances? Your incident response plan is an opportunity to guide those future decisions.

3. Consider Having an Incident Response Retainer

Responding to a security incident requires skill and expertise in the discipline of incident response as well as specific technical domains impacted by the incident.

A 2019 IBM survey reported that 77 percent of organizations don’t have a consistent enterprisewide cybersecurity plan. Even those with a plan in place may benefit from leaning on outside expertise in the event of an incident.

It’s difficult to bring an IR consultant into an active response effort if you don’t already have a relationship. Consider entering into a retainer agreement with an incident response firm. This allows you to establish technical and management contacts to facilitate the rapid deployment of expertise should it become necessary during an incident.


of organizations don’t have a consistent enterprisewide cybersecurity plan.

Source: 2019 IBM survey

4. Maintain an Updated Incident Response Contact List

Incident response efforts involve contacting a lot of people. You’ll need to activate your internal escalation procedures to call in team members and notify senior administrators, and you may need to contact vendors specializing in incident response or one of your critical applications.

Depending upon the nature of your organization and the incident, you may also need to notify a specialized incident response center or call in law enforcement to assist with a criminal investigation.

LEARN MORE: Here's how online resources help healthcare systems move to Microsoft Teams.

When you update your incident response plan, it’s also an excellent opportunity to revisit your contact list and make sure that you update contact information for each of your critical vendors. The last thing you want to discover during an incident is that a key contact left their position and you need to bring a new representative up to speed during a crisis.

5. Update Your Response Plans Based on Lessons Learned

There’s an adage among military tacticians: “No plan survives first contact with the enemy.” That sentiment certainly holds true when it comes to cybersecurity incident response.

No matter how robust plans seem when they are first designed, surprises are inevitable, and IT security leaders will encounter situations where the existing plan doesn’t seem like the best course of action. That’s when incident response teams must exercise their professional judgement.

Each time your team conducts an incident response, take some time in the days that follow the incident to walk through the response effort and identify places where you were forced to deviate from your plan.

Were those events shortcomings in the plan or one-off abnormalities? Does it make sense to modify the plan based on your recent experience? This iterative process will make the plan stronger each time you execute it.

Incident response plans play a vital role in helping organizations through the chaos and confusion of a security breach. Small, periodic investments of time in plan maintenance will ensure that a plan is battle-ready when the unexpected strikes.

Sturti/Getty Images

aaa 1