The question is not if but when an organization will experience a security incident. In 2023, the healthcare industry experienced its most challenging year, with more than 124 million health records breached in a total of 725 hacking incidents, according to the HIPAA Journal. This trend should come as no surprise given that hospitals and medical practices are relatively lucrative and easy targets for cyberattacks due to the combination of outsourced services and solutions, legacy systems, and varying degrees of network segmentation.
To make matters even more difficult, the administrative network and the patient care networks are likely managed by different groups, yet both hold large volumes of patient information alongside interconnected third-party devices and outsourced operational functions, all of which must be kept secure. The administrative side contains sensitive data such as personally identifiable information, credit card details and medical records, making it an attractive target for attackers looking to facilitate identity theft. Patient care networks, in contrast, can be compromised through simple methods such as physical access or exploitation of default credentials, especially in legacy environments such as those connected to Oracle databases that have been in production for several years.
As hospitals meticulously plan for mass casualty events like natural disasters and for continuity of services, discussions around IT infrastructure and backup plans often take a back seat. In times of crisis, the priority remains ensuring uninterrupted patient care, with incident response protocols primarily emphasizing the continuity of primary services. Despite the healthcare industry's focus on disaster response and business recovery capabilities, many healthcare organizations have yet to extend the same level of preparedness to their core infrastructure, including IT operations.
To stay ahead of the curve, healthcare organizations must proactively prepare for potential security incidents, including ransomware and business email compromise attacks, as they regularly lead to data exfiltration and further compromise in a victim environment. This begins with establishing a comprehensive incident response plan, outlining procedures for incident response, system recovery, and ongoing operations to mitigate the impact of security breaches.
1. Understand where your external access weaknesses lie
Insufficient network segmentation, combined with embedded third-party systems, poses significant risks and creates vulnerabilities that can be exploited by malicious actors targeting critical infrastructure. While administrative networks are generally more modernized and a somewhat harder target, patient care networks, which are often outsourced and less modernized, can be compromised more easily. Gaining access to these networks can sometimes be as simple as following the manual provided by the companies that service the medical equipment, or exploiting known vulnerabilities. Maintaining an up-to-date inventory of all third-party system vendors, including software and IT service providers, will help define responsibilities and understand contractual obligations.
When drafting your incident response plan, meticulously document communications strategies and ensure you have the right to review assets managed or owned by third parties. In cases where forensic examinations are necessary, clearly outline responsibilities related to your contractual obligations and establish well-defined protocols in your incident response plan. Although some aspects of risk management and incident response may be subject to standardized procedures, healthcare organizations must also adapt their approaches to meet specific needs.
2. Maintain compliance with cyber risk insurance
We have observed a worrying trend whereby cyber incidents are increasingly cited as the final blow leading healthcare providers to shut down, believing that closing their operations is cheaper than paying fines and penalties and recovering from the attack.
When documenting your incident response plan, understand the terms and limitations of your insurance policies to avoid coverage gaps. Malicious actors often steal your insurance certificates and policies during the data exfiltration phase of an attack in order to learn your reimbursement limits and weaken the bargaining power of the organization they are attacking. Protecting these policies, and detecting unauthorized access to these files as part of your security monitoring, is essential should malicious actors enter your network.
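As an added illustration of the monitoring this paragraph calls for (not code from the original article): a small detector that reads file-access audit events for a protected folder holding the insurance policies and flags any access by an account outside an allow-list, as well as bulk reads of several policy files by any single account in a short window. The log line format, folder path, account names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-access audit lines (not from a real system), oldest first:
# "<ISO timestamp> user=<account> action=<READ|COPY|WRITE> path=<file>"
AUDIT_LINES = """
2024-05-01T02:14:03 user=svc-backup action=READ path=/finance/insurance/cyber_policy_2024.pdf
2024-05-01T02:14:04 user=svc-backup action=COPY path=/finance/insurance/certificate_of_coverage.pdf
2024-05-01T02:14:05 user=svc-backup action=COPY path=/finance/insurance/broker_contract.pdf
2024-05-01T09:02:10 user=j.doe action=READ path=/finance/insurance/cyber_policy_2024.pdf
2024-05-01T09:02:12 user=j.doe action=READ path=/finance/insurance/certificate_of_coverage.pdf
2024-05-01T10:30:00 user=m.smith action=READ path=/finance/payroll/april.xlsx
""".strip().splitlines()

PROTECTED_PREFIX = "/finance/insurance/"   # assumed location of policy documents
ALLOWED_USERS = {"j.doe", "risk-mgr"}      # accounts expected to open them
BULK_THRESHOLD = 3                          # protected files touched by one account ...
BULK_WINDOW = timedelta(minutes=5)          # ... within this window raises an alert

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) path=(\S+)$")

def parse(line):
    """Parse one audit line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, action, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "path": path}

def detect(lines):
    """Return alert strings for suspicious access to the protected folder."""
    alerts = []
    touched = defaultdict(list)  # account -> timestamps of protected-file access
    for line in lines:
        ev = parse(line)
        if ev is None or not ev["path"].startswith(PROTECTED_PREFIX):
            continue
        if ev["user"] not in ALLOWED_USERS:
            alerts.append(f"UNAUTHORIZED {ev['user']} {ev['action']} {ev['path']}")
        touched[ev["user"]].append(ev["ts"])
        recent = [t for t in touched[ev["user"]] if ev["ts"] - t <= BULK_WINDOW]
        if len(recent) == BULK_THRESHOLD:  # fire once, when the threshold is crossed
            alerts.append(f"BULK_ACCESS {ev['user']} {len(recent)} files in {BULK_WINDOW}")
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LINES):
        print(alert)
```

Running it against the constructed lines reports the three out-of-hours reads and copies by the service account, plus a bulk-access alert, while the risk manager's normal reads are silent.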
3. Plan the role your legal advisor will play
As part of your incident response and communications plans, ensure you have contracts in place with internal and external legal advisors. Your in-house legal counsel should be prepared to consult with the organization's management while the external counsel participates in external communications and any other third-party interaction needs and is responsible for the confidentiality of the information. Documenting IT plans, communications strategies, and reviewing contracts are essential steps, especially given the heavy reliance on third-party services that is prevalent in the healthcare industry.
4. Align incident response plans with available resources and expertise
Now that you've done your prep work, it's time to define how you'll handle the incident itself. We have seen many organizations with excellent documentation of every phase of incident response (detection, analysis, containment, eradication, recovery and root cause/post-incident review) and detailed procedures for handling an event. Yet they did not have qualified personnel capable of carrying out 95% of the documented plans.
Be honest with your incident response plans and procedures. Define what an incident looks like for your organization, and for all other phases, simply state who you plan to call to help you or to do the work. Be sure to document contact numbers and email addresses for any incident response retainer you have in place.
5. Role play with tabletop exercises and review and update your plan annually
Although HIPAA compliance requires an incident management plan and policy, they do not need to be tested. Once all roles and responsibilities have been delegated and your plan is in its final stages, put it to the test. Tabletop exercises are a great way to further prepare your team for a real attack. These simulated real-world cybersecurity and physical security incident scenarios educate leaders and staff about breach detection and test your organization's response and preparedness plan.
Following NIST SP 800-61 to structure your tabletop exercises is industry best practice, and a proper tabletop exercise lasts two to three weeks. The stress applied and the need for quick thinking are representative of real-life scenarios. The more practiced these responses are, the faster they can be executed and the sooner the business can return to normal operations. During this period, either a third-party tabletop exercise provider or your internal team works with technical staff and management to create intentionally overwhelming security incidents that expose the weaknesses in your response plans and let you improve them.
And make sure you test every year. As the threat landscape evolves, so does your business. Points of contact and responsibilities may change within your organization. Annual testing helps organizations prepare better for a security incident and maintain better business continuity during one.
About Jim Broome
Jim Broome is a seasoned IT/IS veteran with over 20 years of information security experience in advisory and operational roles. Jim leads DirectDefense, where he is responsible for the day-to-day management of the business, as well as providing advice and guidance for its service offerings.