Healthcare organizations are high-value targets for bad actors due to the nature of the business: the need to provide continuous patient care while protecting patient data. In fact, of the 16 critical infrastructure sectors reporting to the FBI’s Internet Crime Complaint Center, the healthcare and public health sector had the most reports of ransomware attacks in 2023 at 249, according to the agency’s Internet Crime Report 2023.
That’s why it’s important for all healthcare organizations to not only isolate threats but to be able to recover from any damage they cause. Such incident response plans can help organizations recover rapidly from breaches and return to business as usual with minimal impact on patients. Here are some key steps to respond to and recover from a breach.
LEARN MORE: Incident response is essential to your cyber resilience strategy.
1. Contain the Breach
When healthcare IT teams detect a breach, the first and most important thing they must do is isolate the affected systems, taking them offline so they don’t perpetuate the attack. Disable any and all affected accounts and shut down services running code that could be compromised. For systems necessary to providing patient care, such as the electronic health record, organizations should failover to their backup infrastructure and bring affected systems back online only after restoring them, along with any accounts and services, to their preattack states.
2. Assess the Incident
Forensic analysis is crucial to minimizing the risk of breaches happening again. Try to determine where the breach started and what methods were used to gain access to the network. In a recent press release from the Department of Justice related to the indictments of seven hackers, the DOJ noted that hackers sent phishing emails that looked like messages from legitimate news sites. When users clicked on links, the hackers were given enough information to obtain access to the targeted networks.
Use cloud-based BIOS verification services to compare the BIOS of a user’s device to an off-host version to determine whether the device has been compromised.
Click the banner below to learn why cyber resilience is essential to healthcare success.
3. Address Vulnerabilities
A more obvious way to address vulnerabilities in an organization’s infrastructure is to ensure all devices are patched with the latest software and firmware updates. But IT teams also need to address points of entry that might be overlooked, such as printers, connected medical devices and other passive devices. Deploy monitoring programs that can identify out-of-the-ordinary behaviors on devices and services to head off attacks before they can penetrate too far into networks.
4. Create a Notification Response Plan
Notifying the broader IT team quickly about unusual activity is also crucial. Set up automated alerts for when unusual activity is detected to help speed response times, and pair those systems with a well-rehearsed plan that lists step-by-step actions to take, systems to check, devices to take offline, and processes and priorities for restoring affected systems. Investigate all known entry points.
EXPLORE: Effective strategies for healthcare cyber resilience.
5. Update Security Protocols for the Future
Have IT teams delayed deploying security patches because they must first test applications against the updates? Do users need to be updated on what to look for in an environment where phishing has become more sophisticated and more difficult to detect? A thorough audit of a healthcare organization’s security protocols can identify where improvement is needed to prevent future attacks. That audit can be done internally, but it’s worth engaging external cybersecurity experts to identify any vulnerabilities an internal audit may miss.
shapecharge/Getty Images