Mar 15 2021

Hire and Train a Cyber Incident Response Team in Healthcare

If a breach occurs or is suspected, IT and security staff need to know the right channels for action and communication.

Of all the cybersecurity solutions created to prevent bad actors from breaching healthcare organizations, it’s the people on the incident response teams who are most vital.

Dark Reading and Immersive Labs offer a one-hour webinar that provides best practices for managing staffing and training for incident response teams. Security consultant Gal Shpantzer was a featured presenter, together with Max Vetter, chief cyber officer at Immersive Labs, and Tim Wilson, editor-in-chief and co-founder of Dark Reading.

“We need to optimize our defenses based on real-world attacks and threats, and prepare our teams in terms of communications, playbooks and documentation,” Shpantzer said.

Previous Lessons

As an example, Shpantzer pointed to the 2015 and 2016 cyberattacks on the Democratic National Committee. In that incident, the FBI had detected the Russian intrusion and alerted the contractor responsible for the DNC's IT multiple times. That is where the communication breakdown occurred.

A DNC tech support contractor was tipped off by a phone call from an FBI agent that at least one of the committee's computer systems had been hacked. The contractor "did not look too hard" at the problem even after the agent called back repeatedly, "in part because he wasn't certain the caller was a real FBI agent and not an imposter," according to The New York Times. No procedure existed for verifying an unsolicited warning from an outside party, so a credible tip went unanswered for months.


With that incident in mind, Shpantzer challenged organizational leaders to ask themselves how they would handle a similar situation.

“What would your staff do if you got an external notification like this? Who would they contact? No amount of technology will help you with this,” he said.

Although that particular attack occurred in 2015 and 2016, the risks have only increased since then. To build a strong and resilient security operations team, the webinar speakers recommended the following actions.

3 Tips for Building a Strong Cybersecurity Operations Team

1. Build Clear Communication Strategies

Organizations should establish internal and external communication pathways for sharing information about suspected and confirmed breaches. Security teams need to know when to contact top administrators, IT personnel, contractors and employees outside of IT, and how to verify an external notification before acting on it or dismissing it.


For external audiences, IT security teams need clear protocols that define when and how to inform external counsel, regulators, patients and the public. As a backup, these instructions should also be printed on paper and distributed to key stakeholders, since the email, ticketing and file-sharing systems that normally hold them may be unavailable or untrusted during an incident.

2. Practice Detecting and Responding to Threats

The Center for Internet Security offers free tabletop exercises in which teams can practice responding to scenarios such as malware infections and cloud account compromises. Running through an incident scenario once a month helps a security team stay current on new threats and exposes where communication and response gaps exist before a real incident does.

“Study those situations, work with people and develop workstreams to build a response,” Shpantzer said. “Who knows how to detect the threat? Who knows who to call? Who makes the business decisions?”

3. Develop and Provide Resources for Your Team

MITRE, a nonprofit organization that operates federally funded research and development centers for the U.S. government, recommends reviewing staffing to ensure you have enough analysts to meet your security operations center's demands. It also emphasizes that career opportunities and training are key to efficient and resilient teams.


For example, give creative analysts the time to write code that automates repetitive security tasks such as triage and notification. Those are the staff members you want to hire and keep.

“The whole idea of a CV and a skill set is not what we’re looking for anymore,” said Vetter. “It’s attributes like perseverance.”
