Cyber Resilience Before a Cyberattack
To boost healthcare cybersecurity before an attack, organizations should participate in training such as tabletop exercises, in which they discuss what they would do in an emergency.
“In a tabletop exercise, we want to bring the executive team together in one room and put them around a big table and role-play out an event from end to end,” says Andrew Stone, CTO for the Americas at Pure Storage.
Weiss says that a tabletop exercise consists of a conversational narrative in which participants discuss how they would communicate during a cyberattack, such as writing an email and sending it out to staff.
He recommends that organizations conduct penetration testing to find gaps in security. For example, organizations should test EHRs to avoid platform downtime, Weiss advises. Previously, organizations were focused on compliance with HIPAA privacy laws and not as concerned about healthcare cybersecurity, Weiss says.
Healthcare organizations must also have an incident response plan that incorporates law enforcement and first responders, and that prepares those teams to maintain continuity if a hospital needs to take in 1,000 patients during an emergency. A plan written before an attack includes a robust backup, so that recovery takes a few hours rather than weeks, Morris says.
“You can get past ransomware if you’re well prepared, because all you’re doing is you’re restoring data,” Morris explains.
Weiss recommends steps such as keeping passwords up to date, setting up multifactor authentication and backing up critical systems. Also test that backups are working, complete and reliable, he adds.
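The last check Weiss describes, that backups are working, complete and reliable, is the one most often skipped. As an added example (not code from the article or from any of the people quoted in it), the script below shows one way to automate it: record a SHA-256 manifest of every file at backup time, embed it in the archive, perform a test restore into a scratch directory, and compare what came back against the manifest. The directory layout, file names and "patient record" contents are constructed sample data, and the whole run happens in a temporary directory so it can be executed offline.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write src into a tar.gz under 'data/' together with a MANIFEST.json of hashes taken now."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
        payload = json.dumps(manifest, indent=2, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def restore(archive: Path, dest: Path) -> dict:
    """Test-restore the archive into dest and return the manifest that travelled with it."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # 'data' filter rejects path traversal
        except TypeError:  # interpreters without the extraction-filter backport
            tar.extractall(dest)
    return json.loads((dest / "MANIFEST.json").read_text())


def check_restored(data_dir: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest: every file present and hash-identical."""
    actual = build_manifest(data_dir)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"ok": not (missing or corrupt), "missing": missing,
            "corrupt": corrupt, "extra": extra}


def demo() -> tuple:
    """Back up a constructed sample tree, verify a clean restore, then verify a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ehr"  # constructed sample data, not a real EHR layout
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient_0001.json").write_text('{"id": 1, "allergies": ["penicillin"]}')
        (src / "records" / "patient_0002.json").write_text('{"id": 2, "allergies": []}')
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        archive = tmp / "ehr-backup.tar.gz"
        make_backup(src, archive)

        restore_dir = tmp / "restore"
        manifest = restore(archive, restore_dir)
        clean = check_restored(restore_dir / "data", manifest)

        # Failure mode: a restore that silently lost one file and altered another.
        (restore_dir / "data" / "records" / "patient_0002.json").unlink()
        (restore_dir / "data" / "config.ini").write_text("[db]\nhost=somewhere-else\n")
        damaged = check_restored(restore_dir / "data", manifest)
        return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("clean restore", "damaged restore"), demo()):
        print(label, json.dumps(report))
```

The point of the second half of `demo()` is that a backup job reporting "success" says nothing about whether the data can be recovered; only a restore followed by a file-by-file comparison does. In production the manifest should be stored separately from the archive (and ideally signed), so that an attacker who encrypts or rewrites the backup cannot also rewrite the record of what it should contain.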
Cyber Resilience During a Cyberattack
When a cyberattack occurs, get law enforcement involved and contact the FBI, Weiss advises.
“They’re going to be looking for evidence of the attack and understanding what the impacts have been and what data may have been stolen as part of that incident as well,” Weiss says.
Work with legal and internal counsel and corporate communications on a strategy to deal with the public when word gets out, he advises.
But try to contact the FBI before the “house is on fire,” Morris says. He notes that his organization has monthly meetings and goes out to educate people on what to do during an attack.
“If you get a ransomware attack, the FBI might already have the decrypter because they’ve seen it already, and they want to know the bitcoin address because it helps them track for international law enforcement,” Morris says.
At Health-ISAC, Weiss observes the information sharing that occurs during a cyberattack. Sharing what is happening is critical, he suggests, so that other healthcare organizations can learn from the incident and prevent the next one.
“We certainly see plenty of organizations that are willing to share even during an incident,” he says. “I’ve worked with the FBI in the past, and the agency is very receptive to sharing things like that with a trusted, close community.”