It’s not a matter of if but when an organization will face a security incident. In 2023, the healthcare industry faced its toughest year, with over 124 million health records breached in a total of 725 hacking incidents, according to The HIPAA Journal. This trend shouldn’t come as a surprise given how hospitals and medical offices are relatively lucrative and easy targets for cyberattacks due to the combination of outsourced services and solutions, legacy systems, and varying degrees of network segmentation.
To make matters more challenging, the administration network and the patient care networks are likely run by different groups, yet both hold large volumes of patient information coupled with interconnected third-party devices and outsourced operational functions – all of which must be kept secure. The administration side holds sensitive data such as personally identifiable information, credit card details, and medical records, making it an attractive target for hackers looking to facilitate identity theft. In contrast, patient care networks may be breached through basic methods like physical access or exploiting default credentials, especially in legacy environments like those connected to Oracle databases that have been in production for more than years.
While hospitals meticulously plan for mass casualty events like natural disasters and service continuity, discussions around IT infrastructure and backup plans often take a back seat. In times of crisis, the priority remains on ensuring uninterrupted patient care, with incident response protocols emphasizing the continuation of primary services above all else. Despite the healthcare industry’s focus on business disaster and recovery response capabilities, many healthcare organizations have yet to extend the same level of preparedness to their basic infrastructure, including IT operations.
To stay ahead, healthcare organizations need to proactively prepare for potential security incidents, including ransomware and business email compromise attacks, as they routinely result in data exfiltration and further compromise into a victim environment. This starts with establishing a comprehensive incident response plan, outlining procedures for incident response, system restoration, and ongoing operations to mitigate the impact of security breaches.
1. Understand Where Your External Access Weaknesses Lie
Insufficient network segmentation, coupled with integrated third-party systems, poses significant risks and creates vulnerabilities that can be exploited by malicious actors targeting critical infrastructure. While administrative networks are usually more modernized and present a somewhat challenging target, patient care networks, which are often outsourced and less modernized, can be breached more easily. Accessing these networks can sometimes be as simple as following the manual provided by service companies maintaining medical equipment or exploiting known vulnerabilities. Maintaining an up-to-date inventory of all third-party system vendors, including software and IT service providers, will aid in outlining responsibilities and understanding contractual obligations.
When drafting your incident response plan, meticulously document communication strategies and ensure you have the right to review third-party-managed or third-party-owned assets. In cases where forensic reviews are necessary, clearly outline responsibilities tied to your contractual obligations and establish well-defined protocols within your incident response plan. While some aspects of risk management and incident response may be standardized procedures, healthcare organizations must also tailor their approaches to meet specific needs.
2. Maintain Compliance with Cyber Risk Insurance
We’ve observed a concerning trend in which cyber incidents are increasingly cited as the final blow that leads healthcare providers to shut down, as they find it more cost-effective to close operations than to pay fines and recover from the attack.
When documenting your incident response plan, understand the terms and limits of your insurance policies to avoid gaps in coverage. Threat actors often seek to steal your insurance certificates and policies during the data exfiltration phase of an attack in order to learn your insurance payout limits and weaken the negotiating position of the organization they’re attacking. Safeguarding these policies, and detecting unauthorized access to such files as part of your security monitoring, is critical should bad actors make their way into your network.
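One way to put the monitoring recommendation above into practice. This is an added example, not code from the article or from DirectDefense; it assumes that Windows file-access auditing (Security event ID 4663, "An attempt was made to access an object") is enabled on the share holding the policy documents and that the events are exported as JSON lines. The share path, the allowlist of accounts and the sample events are all constructed for this example. It goes slightly beyond the paragraph by also flagging bulk reads of the policy folder, even by an allowed account, since exfiltration reads every file while a person normally opens one.

```python
"""Flag access to cyber-insurance policy documents that does not fit normal use.

Added example. Assumes Security event 4663 auditing on the policy share and a
JSON-lines export; all paths, accounts and events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the policies live on this share (UNC path, compared case-insensitively).
SENSITIVE_PREFIX = "\\\\files01\\legal\\insurance\\".lower()
# Assumption: only these accounts have a business reason to open those files.
ALLOWED_ACCOUNTS = {"corp\\risk.manager", "corp\\general.counsel"}
# Any account, allowed or not, touching this many distinct policy files inside
# the window is treated as bulk collection rather than normal use.
BULK_THRESHOLD = 3
BULK_WINDOW = timedelta(minutes=5)

# Constructed sample export: one JSON object per line, only the fields used here.
SAMPLE_LOG = r"""
{"EventID": 4663, "TimeCreated": "2024-03-02T09:14:05", "SubjectDomainName": "CORP", "SubjectUserName": "risk.manager", "ObjectName": "\\\\files01\\legal\\insurance\\cyber-policy-2024.pdf"}
{"EventID": 4624, "TimeCreated": "2024-03-02T09:19:40", "SubjectDomainName": "CORP", "SubjectUserName": "j.smith"}
{"EventID": 4663, "TimeCreated": "2024-03-02T09:20:11", "SubjectDomainName": "CORP", "SubjectUserName": "j.smith", "ObjectName": "\\\\files01\\legal\\insurance\\cyber-policy-2024.pdf"}
{"EventID": 4663, "TimeCreated": "2024-03-02T09:20:12", "SubjectDomainName": "CORP", "SubjectUserName": "j.smith", "ObjectName": "\\\\files01\\legal\\insurance\\cyber-policy-2023.pdf"}
{"EventID": 4663, "TimeCreated": "2024-03-02T09:20:13", "SubjectDomainName": "CORP", "SubjectUserName": "j.smith", "ObjectName": "\\\\files01\\legal\\insurance\\coverage-limits.xlsx"}
{"EventID": 4663, "TimeCreated": "2024-03-02T09:21:00", "SubjectDomainName": "CORP", "SubjectUserName": "j.smith", "ObjectName": "\\\\files01\\hr\\handbook.pdf"}
"""


def parse_events(log_text):
    """Return file-access events (ID 4663) with normalised account and path."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("EventID") != 4663:
            continue  # logons and other event types are out of scope here
        events.append({
            "time": datetime.fromisoformat(rec["TimeCreated"]),
            "account": f"{rec['SubjectDomainName']}\\{rec['SubjectUserName']}".lower(),
            "path": rec["ObjectName"].lower(),
        })
    return events


def find_alerts(events):
    """Return (rule, account, detail) tuples for suspicious policy-file access."""
    alerts = []
    hits = [e for e in events if e["path"].startswith(SENSITIVE_PREFIX)]

    # Rule 1: anyone outside the allowlist opening a policy document.
    for e in hits:
        if e["account"] not in ALLOWED_ACCOUNTS:
            alerts.append(("unexpected-account", e["account"], e["path"]))

    # Rule 2: bulk collection of the folder, regardless of who the account is.
    by_account = defaultdict(list)
    for e in hits:
        by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        evs.sort(key=lambda ev: ev["time"])
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["time"] - first["time"] <= BULK_WINDOW]
            distinct = {x["path"] for x in in_window}
            if len(distinct) >= BULK_THRESHOLD:
                alerts.append(("bulk-access", account,
                               f"{len(distinct)} policy files within {BULK_WINDOW}"))
                break  # one bulk alert per account is enough
    return alerts


def scan_sample():
    """Run both rules over the constructed sample export."""
    return find_alerts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, account, detail in scan_sample():
        print(f"[{rule}] {account}: {detail}")
```

On the sample, the risk manager's single read produces nothing, the HR handbook is ignored, and j.smith's three reads in two seconds trigger three unexpected-account alerts plus one bulk-access alert. In a real deployment the same two rules would run in the SIEM over the live 4663 feed, with the allowlist and path kept alongside the incident response plan so they are reviewed when contacts and responsibilities change.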
3. Plan for the Role Your Legal Counsel Will Play
As part of your incident response and communications plans, ensure you have contracts in place with both internal and external counsel. Your internal legal counsel should be prepared to consult with the leadership of the organization, while external counsel assists with external communications and any other third-party interactions and is responsible for keeping information confidential. Documenting IT plans and communication strategies and reviewing contracts are essential steps, particularly given the heavy reliance on third-party services prevalent in the healthcare industry.
4. Align Incident Response Plans with Available Resources and Expertise
Now that you’ve done your preparation work, it’s time to outline how you will handle the actual incident. We’ve seen numerous organizations with great, detailed documentation on every phase of incident response and the procedures for handling an event, covering detection, analysis, containment, eradication, recovery, and root-cause/post-incident review, yet with no skilled staff on hand who could perform 95% of the documented plans.
Be honest with your incident response plans and procedures. Define what an incident looks like for your organization, and for all the other phases simply state who you plan to call to assist or to do the work. Ensure that you document the contact numbers and email addresses of the firm with which you hold an incident response retainer.
5. Role Play with Tabletop Exercises and Review and Update Your Plan Annually
While HIPAA compliance requires an incident handling plan and policy, it does not require that the plan be tested. Once all roles and responsibilities have been delegated and your plan is in its final stages, put it to the test. Tabletop exercises are a great way to better prepare your team for a real-life attack. These simulated real-world cyber and physical security incident scenarios educate leadership and staff on breach detection and test your organization’s response and readiness plan.
Following NIST SP 800-61 standards to run your tabletop exercise is industry best practice, and proper tabletop exercises take anywhere from two to three weeks. Applying stress and a need for quick thinking mirrors real-life scenarios. The more practice in these types of responses, the faster they can be handled and the faster a business can get back to regular operations. During that time, either a third-party security firm specializing in tabletops or your internal team works with both technical staff and leadership to create purposely overwhelming security incidents that will allow you to find weaknesses in your response plans and make improvements.
And ensure you are testing annually. Just as the threat landscape evolves, so does your business. Points of contact may change, and responsibilities may shift in your organization. Annual testing helps organizations be better prepared in the event of a security incident and maintain business continuity during the incident.
About Jim Broome
Jim Broome is a seasoned IT/IS veteran with more than 20 years of information security experience in both consultative and operational roles. Jim leads DirectDefense, where he is responsible for the day-to-day management of the company, as well as providing guidance and direction for its service offerings.