When, Not If: The Anatomy of a Healthcare Cybersecurity Attack
Let’s be clear: It’s a matter of when, not if a cybersecurity attack occurs. That’s not a comfortable notion — the idea that despite best efforts, attackers will eventually breach defenses or insiders will expose key data. Comfortable or not, however, this is the reality: As noted by a recent HIPAA Journal report, more than 3 million healthcare records were breached each month between July 2020 and June 2021.
According to Pam Nigro, IT vice president and security officer at Everly Health and ISACA board of directors vice chair, increasing breach numbers have pushed healthcare IR into the spotlight.
“Incident response has always been important, but now it’s getting visibility and attention,” Nigro says. “We’ve been doing incident response for years, but because of what’s happened recently, there’s a bigger spotlight on it. Organizations have started to realize how expensive it is to resolve incidents.”
The sensitive nature of healthcare documents — and evolving regulatory oversight of these assets — is also a driving force for improved incident response. HIPAA violations come with significant costs to both revenue and reputation, making comprehensive incident response plans more important than ever.
Phase 1 of Incident Response Planning: Preparation
The first phase in creating an agile and effective incident response for healthcare is preparation. By setting the stage for security success up front, organizations can reduce their risk over time. Key steps in this phase include:
- Securing C-suite buy-in: For any IR plan to work, it requires executive buy-in. This includes both mandates and money. Nigro notes that the increased frequency and visibility of healthcare incidents has helped boost C-suite support. “The board room is getting a little more savvy as things get more visible,” she says.
- Identifying key assets: Next, firms must identify their most valuable assets. For healthcare, this often includes electronic health records, employees’ personal data and financial data for the organization.
- Performing security risk assessments: Preparation isn’t complete without risk assessments. These help identify where security controls are working as intended and where gaps exist.
- Creating a threat model: While attackers are constantly evolving their approach, it’s worth developing a threat model that describes common attack vectors.
Nigro also notes that “cyber insurance companies are getting smarter and won’t pay for the same things they did in the past.” As a result, healthcare organizations must demonstrate security due diligence in line with cyber insurance policies to receive compensation for any incidents.
Phase 2 of Incident Response Planning: Instrumentation
Next is instrumentation — the tools and services necessary for healthcare organizations to effectively respond when incidents occur. Common IR instrumentation includes:
- Next-generation firewalls: NGFWs inspect incoming traffic at the packet layer, giving more granular control over security. “This allows you to turn things off right away — you can see if something is in your environment that’s outside your rule structure, then isolate what’s going on and investigate it,” Nigro says.
- Intrusion detection systems: While incident response alone can’t deliver truly proactive protection, Nigro says, “we need to change the model from reactive to continual monitoring capable of detecting anomalies across the organization.”
- Identity and access management solutions: “Does everyone need access to data?” asks Nigro. “You need to work on your IAM and do the heavy lifting that comes with getting your permissions right and ensuring minimum necessary access.” Here’s why: If attackers can compromise authenticated user accounts, most security tools won’t identify them as threats, giving them ample time to explore business networks.
- Behavioral analytics tools: By collecting data on common employee behavior and then applying intelligent analytics, it’s possible to identify potential threats more quickly. “For example,” says Nigro, “let’s say I know my people are working from home between 6 a.m. and 6 p.m. If they’re signing in after hours, is this an exception or a problem?” Behavior analysis lets organizations identify and address these unexpected (and potentially problematic) actions ASAP.
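One way to turn the working-hours heuristic Nigro describes into detection logic, as an added example that is not code from the article or from Everly Health: it parses constructed sign-in records, flags sign-ins outside the 6 a.m. to 6 p.m. window, and goes one step beyond the quote by treating users whose own history already contains after-hours sign-ins as expected exceptions rather than problems. The log format, user names and the `min_history` threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample sign-in records (not from the article): "timestamp,user,result".
# BASELINE_EVENTS is prior history; NEW_EVENTS is the batch being reviewed.
BASELINE_EVENTS = """\
2021-06-01T07:15:00,alice,success
2021-06-01T17:40:00,alice,success
2021-06-02T08:02:00,alice,success
2021-06-01T19:10:00,bob,success
2021-06-02T20:05:00,bob,success
2021-06-02T21:45:00,bob,success
"""
NEW_EVENTS = """\
2021-06-03T09:00:00,alice,success
2021-06-03T22:30:00,alice,success
2021-06-03T03:12:00,bob,failure
2021-06-03T23:00:00,carol,success
"""

BUSINESS_START = time(6, 0)   # 6 a.m., the window described in the quote
BUSINESS_END = time(18, 0)    # 6 p.m.


def parse_events(text):
    """Parse the constructed CSV-style lines into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split(",")
            events.append((datetime.fromisoformat(ts), user, result))
    return events


def after_hours(dt):
    """True when a sign-in falls outside the 6 a.m.-6 p.m. working window."""
    return not (BUSINESS_START <= dt.time() < BUSINESS_END)


def flag_after_hours(events, baseline_events, min_history=2):
    """Return after-hours sign-ins that are also unusual for that user.

    A user whose baseline already holds at least `min_history` after-hours
    sign-ins (e.g. a night-shift role) is treated as an expected exception;
    everyone else's after-hours sign-in is returned for review.
    """
    history = defaultdict(int)
    for dt, user, _ in baseline_events:
        if after_hours(dt):
            history[user] += 1
    return [(dt.isoformat(), user, result)
            for dt, user, result in events
            if after_hours(dt) and history[user] < min_history]


if __name__ == "__main__":
    for hit in flag_after_hours(parse_events(NEW_EVENTS), parse_events(BASELINE_EVENTS)):
        print("review:", *hit)
```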