Sep 30 2021

How to Create an Effective Incident Response Plan for Healthcare

Defending against cybersecurity threats is now a top priority for healthcare organizations. But what steps are necessary to design and implement an effective IR plan?

Healthcare organizations are increasingly under threat from malicious actors. As noted in a report from Bitglass, the total number of U.S. healthcare breaches rose by 55 percent from 2019 to 2020, and this upward trend continues as many organizations opt for fully remote or hybrid work solutions for certain staff.

Robust incident response planning is now critical to help organizations detect and mitigate potential threats as quickly as possible. Given the scope and scale of emerging attacks, however, it’s often challenging for healthcare organizations to identify their ideal IR starting point.

Here’s how a three-phase approach to healthcare IR, including preparation, instrumentation and maintenance, can help.


When, Not If: The Anatomy of a Healthcare Cybersecurity Attack

Let’s be clear: It’s a matter of when, not if a cybersecurity attack occurs. That’s not a comfortable notion — the idea that despite best efforts, attackers will eventually breach defenses or insiders will expose key data. Comfortable or not, however, this is the reality: As noted by a recent HIPAA Journal report, more than 3 million healthcare records were breached each month between July 2020 and June 2021.

According to Pam Nigro, IT vice president and security officer at Everly Health and ISACA board of directors vice chair, increasing breach numbers have pushed healthcare IR into the spotlight.

“Incident response has always been important, but now it’s getting visibility and attention,” Nigro says. “We’ve been doing incident response for years, but because of what’s happened recently, there’s a bigger spotlight on it. Organizations have started to realize how expensive it is to resolve incidents.”

The sensitive nature of healthcare documents — and evolving regulatory oversight of these assets — is also a driving force for improved incident response. HIPAA violations come with significant costs to both revenue and reputation, making comprehensive incident response plans more important than ever.


Phase 1 of Incident Response Planning: Preparation

The first phase in creating an agile and effective incident response for healthcare is preparation. By setting the stage for security success up front, organizations can reduce their risk over time. Key steps in this phase include:

  • Securing C-suite buy-in: For any IR plan to work, it requires executive buy-in. This includes both mandates and money. Nigro notes that the increased frequency and visibility of healthcare incidents has helped boost C-suite support. “The board room is getting a little more savvy as things get more visible,” she says.
  • Identifying key assets: Next, firms must identify their most valuable assets. For healthcare, this often includes electronic health records, employees’ personal data and financial data for the organization.
  • Performing security risk assessments: Preparation isn’t complete without risk assessments. These help identify where security controls are working as intended and where gaps exist.
  • Creating a threat model: While attackers are constantly evolving their approach, it’s worth developing a threat model that describes common attack vectors.

Nigro also notes that “cyber insurance companies are getting smarter and won’t pay for the same things they did in the past.” As a result, healthcare organizations must demonstrate security due diligence in line with cyber insurance policies to receive compensation for any incidents.


Phase 2 of Incident Response Planning: Instrumentation

Next is instrumentation — the tools and services necessary for healthcare organizations to effectively respond when incidents occur. Common IR instrumentation includes:

  • Next-generation firewalls: NGFWs provide packet-layer inspection of incoming traffic to provide more granular control over security. “This allows you to turn things off right away — you can see if something is in your environment that’s outside your rule structure, then isolate what’s going on and investigate it,” Nigro says.
  • Intrusion detection systems: While incident response by its nature can never be fully proactive, Nigro says, “we need to change the model from reactive to continual monitoring capable of detecting anomalies across the organization.”
  • Identity and access management solutions: “Does everyone need access to data?” asks Nigro. “You need to work on your IAM and do the heavy lifting that comes with getting your permissions right and ensuring minimum necessary access.” Here’s why: If attackers can compromise authenticated user accounts, most security tools won’t identify them as threats, giving them ample time to explore business networks.
  • Behavioral analytics tools: By collecting data on common employee behavior and then applying intelligent analytics, it’s possible to identify potential threats more quickly. “For example,” says Nigro, “let’s say I know my people are working from home between 6 a.m. and 6 p.m. If they’re signing in after hours, is this an exception or a problem?” Behavior analysis lets organizations identify and address these unexpected (and potentially problematic) actions ASAP.
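Nigro’s after-hours sign-in question can be turned into a small baseline-and-flag check. The following is an added illustration, not code from the article, Everly Health or any vendor; the log format, user names and timestamps are constructed, and the per-user baseline and the `exceptions` allow-list are assumptions about how such a tool might separate a documented exception from a genuine anomaly.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records: "<ISO timestamp> <user>" (not real data).
HISTORY = """\
2021-09-01T08:12:00 alice
2021-09-01T17:40:00 alice
2021-09-02T07:55:00 alice
2021-09-02T18:05:00 alice
2021-09-01T22:10:00 bob
2021-09-02T23:30:00 bob
2021-09-03T21:45:00 bob
"""

# Constructed new sign-ins to evaluate against the learned baseline.
NEW_EVENTS = """\
2021-09-10T02:15:00 alice
2021-09-10T09:00:00 alice
2021-09-10T22:30:00 bob
2021-09-10T10:00:00 bob
"""

def parse(lines):
    """Turn log lines into (datetime, user) tuples."""
    events = []
    for line in lines.splitlines():
        ts, user = line.split()
        events.append((datetime.fromisoformat(ts), user))
    return events

def build_baseline(events, slack=1):
    """Per-user (earliest, latest) sign-in hour seen, widened by `slack` hours.
    A night-shift user such as bob gets his own window instead of a company-wide one."""
    hours = defaultdict(list)
    for ts, user in events:
        hours[user].append(ts.hour)
    return {u: (max(min(h) - slack, 0), min(max(h) + slack, 23))
            for u, h in hours.items()}

def flag_after_hours(events, baseline, exceptions=frozenset()):
    """Return (timestamp, user) for sign-ins outside the user's baseline window.
    Users with a documented exception are skipped; unknown users fall back to the
    6 a.m. to 6 p.m. window from the article."""
    flagged = []
    for ts, user in events:
        if user in exceptions:
            continue
        lo, hi = baseline.get(user, (6, 18))
        if not lo <= ts.hour <= hi:
            flagged.append((ts.isoformat(), user))
    return flagged
```

Bob’s late-evening sign-in is within his own learned window and is not flagged, while his unusual mid-morning sign-in is; that is the exception-versus-problem distinction the quote describes.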

While it’s possible to build out IR instrumentation entirely in-house, healthcare organizations are often better served by connecting with reliable third-party providers who have experience in evaluating current security frameworks and recommending key upgrades or additions.

Phase 3 of Incident Response Planning: Maintenance

The final phase of incident response planning for healthcare is maintenance — monitoring and managing security tools across the organization to ensure they’re working as intended.

Although security strategies and solutions offer substantive benefits for healthcare organizations, they’re not “set it and forget it.” To ensure IR plans deliver consistent results, healthcare organizations must regularly test and evaluate their plans against current threats. This could take the form of internal testing by IT teams or the use of third-party penetration testing by security audit providers.

Nigro also highlights the need for robust reporting to track both incidents and the response to them. “Legacy products often require the manual work of sitting down with data owners to determine who has access, who needs access and where unauthorized access has occurred,” she says. “Newer IAM tools both digitize and automate this process, allowing healthcare organizations to regularly evaluate their incident response plan.”


Putting It All Together to Create a Strong Healthcare IR Plan

Comprehensive healthcare incident response plans help organizations prepare for inevitable risk. And while there’s no one-size-fits-all approach for an effective IR plan, adopting the three-phase framework of preparation, instrumentation and maintenance can help firms improve visibility, enhance operations and ensure ongoing compliance.
