Fighting Cyber Fires: Cybersecurity Incident Response Checklist for Hospitals
Published On June 13, 2022
Cybersecurity incidents have become a daily occurrence for many healthcare entities, and reportable breaches are rising exponentially. To illustrate this point, Meditology’s sister company, CORL Technologies, produces a recurring blog series that summarizes healthcare supply chain breaches and tracks the escalation of cyber breaches in healthcare via the CORL Vendor Breach Digest.
Much like volunteer firefighters, healthcare entities must invest in developing, testing, and updating emergency response plans and procedures to maintain a constant state of readiness for these inevitable attacks.
The good news is that the public and private sectors have been releasing industry guidance and tools at an unprecedented pace to support incident response programs for healthcare entities. With these standards and best practices, which are applicable to all cybersecurity programs, there is no need for healthcare CISOs to reinvent the wheel.
HSCC Cybersecurity Incident Response Checklist
The Healthcare and Public Health Sector Coordinating Council (HSCC) recently released a new checklist for cyber incident management that is designed specifically for healthcare providers and healthcare delivery organizations.
The HSCC is a coalition of private sector critical healthcare infrastructure entities organized under the National Infrastructure Protection Plan to partner with and advise the government in the identification and mitigation of strategic threats and vulnerabilities facing the sector's ability to deliver services and assets to the public. Healthcare organizations that participated in the development of the new checklist include the following entities:
- St. Luke’s Health System
- Duke University Health System
- Ishca Health
- The University of Vermont Health Network
- Coastal Bend Regional Advisory Council
- Intermountain Healthcare
- Indiana University Health
- Kaiser Permanente
The new checklist is intended to provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyberattack.
The checklist outlines recommended initial actions and considerations during the first 12 hours of the cyberattack or incident. This is a critical window of time where quick action and preparation can go a long way toward limiting the scale and impact of the event.
Training the Firefighters
A common approach in cyber incident response planning exercises is to define incident response roles and responsibilities for various individuals and teams. The idea is similar to volunteer firefighting, wherein regular folks can be trained in specific skills and roles that can be put into practice during emergency situations. Firefighters train often and know the specific roles they may be called on to fill at a moment’s notice.
In that same spirit, the HSCC cybersecurity incident response checklist breaks down actions that should be taken in a cyber emergency according to pre-defined roles for various members of the workforce.
The following roles have been defined in the new incident response checklist and are specific to healthcare delivery organizations:
- Incident Commander - provides overall strategic direction on all site-specific response actions and activities
- Medical-Technical Specialist (Subject Matter Expert/Advisor) - subject matter expert(s) who advises the Incident Commander or Section Chief on issues related to response; provides understanding and communicates specific impact and recommendations given their area of expertise
- Public Information Officer - serves as the conduit for information to internal and external stakeholders, including site personnel, visitors and families, and the news media, as approved by Cybersecurity, IS/IT Section Chief, and the Incident Commander
- Liaison - functions as the incident contact for the Command Center for representatives from other agencies
- Safety Officer - identifies, monitors, and mitigates safety risks to patients, staff, and visitors during a prolonged large-scale outage
- Operations Section Chief - develops and recommends strategies and tactics to continue clinical and non-clinical operations for the duration of the incident response and for recovery
- Planning Section Chief - oversees all incident-related documentation regarding incident operations and resource management; initiates long-range planning; conducts planning meetings; prepares the Incident Action Plan (IAP) for each operational period
- Finance Section Chief - monitors the utilization of financial assets and the accounting for financial expenditures
- Logistics Section Chief - organizes and directs the service and support activities needed to ensure material needs for the site’s response to an incident are available when needed
- Intelligence (IS/IT) Section Chief - provides technical response, continuity, and recovery recommendations; partners with cybersecurity to inform incident response decisions and activities; coordinates intelligence and investigation efforts
Call to Action for Healthcare Entities
New industry guidance like the HSCC checklist should be reviewed and evaluated against your existing incident response plans and procedures. Incident response plans should be updated to incorporate the roles defined above if any of them are missing from your existing plan.
Specifically, the recommendations for roles that are healthcare-specific like the medical-technical specialist and the clinical operations section chief are critical to supporting patient safety and treatment during cyber emergencies.
Once the incident response plans and procedures have been updated, it is imperative that healthcare organizations routinely test and make iterative improvements to the planning and practices for cyber incidents. Training and preparedness should begin to resemble the training and preparation of firefighters, such that the response becomes second nature to the organization and workforce members.
More Resources on Healthcare Cybersecurity Incident Response
Healthcare organizations can leverage the following resources to learn more about healthcare cybersecurity incident response:
- Infographic: The Secret Sauce for Cybersecurity Incident Response
- Podcast: In the Eye of the Hurricane: Business Continuity and Emergency Preparedness
- Podcast: People Get Ready, Cyber Incidents are Coming
- Blog Post: The Show Must Go On | Maintaining Continuity for InfoSec in a Crisis
- Blog Post: Shields Up: Cyberwar Preparation and Response for Healthcare
- Webinar: Seek and Destroy: Ransomware and Destructive Malware in Cyberwar
Contact us to learn more about how we can help your organization become better cyber firefighters to limit the damage and impact from inevitable cyber-attacks.