5 tips for managing and responding to security incidents in healthcare
Security and privacy incidents are a growing threat to businesses and individuals alike as attackers use increasingly sophisticated methods to spread malware and carry out cyberattacks. According to the third annual study on cyber resilient organizations by IBM Security and the Ponemon Institute, 61% of healthcare respondents had experienced a cybersecurity incident in the past two years that significantly disrupted their organization's IT or business processes.1 At the same time, a majority (77%) admitted they do not have a formal cybersecurity incident response plan (CSIRP) applied consistently across their organization.2
In healthcare, security and privacy are two distinct and critical processes to manage. An organization can have a strong security plan and still lack what it needs to ensure privacy. With privacy risks on the rise, healthcare organizations must be prepared to respond to the inevitable. I have the privilege of consulting with Chris Bowen, ClearDATA's Chief Privacy and Security Officer, whom I consider an expert in this field. He taught me how much an incident response team and plan can do to prepare an organization to respond to privacy and security threats, including:
- Start with the data.
To build a proper incident response plan, the first step is to understand what data the organization needs to protect and where it is stored. That knowledge shapes the defenses, not only around the data itself but around the storage platform. If data lives in a public cloud such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform, work with people who know that platform's architecture and can recognize, contain, and stop a threat in that environment before it grows into a larger problem, which saves a great deal of time and resources. Go deeper than where the data rests: map the data flows and the application dependencies as well, because that is what tells you which systems an incident can touch.
- Assemble an all-star incident response team.
Not every event or incident results in a breach, but every event needs to be managed. In many organizations privacy and security have been treated as separate functions, with the IT group responsible for information security and compliance or legal counsel responsible for privacy. In reality both are needed to fully investigate incidents, determine their causes, and guard against future events. When the teams identifying and analyzing incidents operate in silos, important information is overlooked or never reaches the right people.
The customer should also be treated as part of the incident response team. Getting in touch with the impacted healthcare organization early helps the investigation and sheds light on what is happening on-site that others may not see. For the fastest effective response, key members of each of these groups need to be in constant communication.
- Consider a data breach a legal matter.
HIPAA's Breach Notification Rule sets deadlines: a business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery, and the covered entity in turn must notify affected individuals and HHS. IT teams and healthcare organizations often rush to conclude that an incident is a data breach based on perception. Whether it is one, however, is a legal determination made by counsel or the compliance officer, so that the declaration does not cause unnecessary confusion and chaos. In IT terms, you are investigating a security incident; you are not the one declaring a breach.
- Practice, practice, practice.
There are so many ways an incident can play out that it is almost impossible to prepare for them all. One of the best ways to practice is to run tabletop simulations that bring everyone across the organization together. The more simulated events your team works through, the better it will respond to the real thing. Start small and build up to larger, more complex simulations that are relevant to your business. If you specialize in medical devices, simulate a scenario in which a device is compromised by ransomware and a patient cannot receive care as a result. The best defense is a well-rehearsed incident response plan in which every stakeholder knows their role and responsibilities. You would be surprised how often the backstage responsibilities, such as public relations and client communication, are forgotten.
- Security and development teams need to work together.
Too often there is tension between security teams and developers. Both groups need to share the same purpose: to innovate in a way that keeps data and workflows secure and private. Most infrastructure today is deployed and maintained as code, so the team that built the infrastructure is essential to fleshing out the best incident response plan; they know what the environment should look like and can tell a legitimate change from an attacker's.
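The first tip, knowing which data you hold, where it sits and how it flows between systems, is easier to act on when the inventory is something you can query rather than a spreadsheet. The following is an added example, not code from this article or from ClearDATA: a Python sketch of a data-flow inventory that, given a hypothetical compromised system, lists what it feeds, what feeds it, which PHI stores are at risk and which cloud platforms are involved. The inventory, system names, locations and flows are constructed for the example and do not describe any real environment.

```python
"""Map data stores and the flows between them, then scope a hypothetical
incident to the systems, PHI stores and cloud platforms it can touch."""
from collections import defaultdict, deque

# Constructed sample inventory for this example (not a real environment):
# each system or data store, the most sensitive data class it handles, and
# where it runs as provider/region/service.
INVENTORY = {
    "patient-portal": {"data": "PHI", "location": "aws/us-east-1/eks"},
    "ehr-db": {"data": "PHI", "location": "aws/us-east-1/rds"},
    "phi-backups": {"data": "PHI", "location": "aws/us-west-2/s3"},
    "billing-svc": {"data": "PHI", "location": "azure/eastus/aks"},
    "billing-db": {"data": "PHI", "location": "azure/eastus/sql"},
    "etl-job": {"data": "PHI", "location": "gcp/us-central1/cloudrun"},
    "analytics-wh": {"data": "de-identified", "location": "gcp/us-central1/bigquery"},
    "marketing-site": {"data": "public", "location": "aws/us-east-1/s3"},
}

# Constructed directed data flows, source -> destination.
FLOWS = [
    ("patient-portal", "ehr-db"),
    ("ehr-db", "patient-portal"),
    ("ehr-db", "phi-backups"),
    ("ehr-db", "billing-svc"),
    ("billing-svc", "billing-db"),
    ("ehr-db", "etl-job"),
    ("etl-job", "analytics-wh"),
]


def build_graph(flows):
    """Forward and reverse adjacency maps built from the flow list."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in flows:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def reachable(adj, start):
    """Every node reachable from start following edges in adj (cycle safe)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)  # a cycle back to the start does not make it its own neighbour
    return seen


def unmapped_systems(inventory, flows):
    """Systems that appear in a flow but have no inventory entry: blind spots
    to close before an incident, not during one."""
    return sorted({n for edge in flows for n in edge} - set(inventory))


def incident_scope(inventory, flows, compromised):
    """Scope an incident at one system: what it feeds (where tampered or stolen
    data could have propagated), what feeds it (where the entry point may be),
    which PHI stores are at risk, and which platforms' experts to call in."""
    if compromised not in inventory:
        raise KeyError(f"{compromised!r} is not in the inventory; fix the inventory first")
    fwd, rev = build_graph(flows)
    downstream = reachable(fwd, compromised)
    upstream = reachable(rev, compromised)
    in_scope = downstream | upstream | {compromised}
    phi_at_risk = sorted(n for n in downstream | {compromised} if inventory[n]["data"] == "PHI")
    return {
        "compromised": compromised,
        "downstream": sorted(downstream),
        "upstream": sorted(upstream),
        "phi_at_risk": phi_at_risk,
        "platforms": sorted({inventory[n]["location"].split("/")[0] for n in in_scope}),
        # PHI in scope makes a breach possible; whether it is one is counsel's decision.
        "phi_in_scope": bool(phi_at_risk),
    }


if __name__ == "__main__":
    print("unmapped systems:", unmapped_systems(INVENTORY, FLOWS))
    for system in ("etl-job", "ehr-db", "marketing-site"):
        scope = incident_scope(INVENTORY, FLOWS, system)
        print(f"{system}: PHI at risk={scope['phi_at_risk']} platforms={scope['platforms']}")
```

The graph traversal is what makes this more than a list of storage locations: in the sample data a compromised ETL job puts no downstream PHI store at risk (the warehouse it feeds is de-identified), while the EHR database pulls every PHI store on all three platforms into scope, which is exactly the information that tells you which platform experts to engage. The `phi_in_scope` flag deliberately stops at "possible"; as the third tip says, declaring a breach is the job of counsel or the compliance officer, not of the tooling.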
As healthcare organizations adopt transformative technologies, it is critical to consider how each new process and technology relates back to privacy and security. In a world of increasing threats, how well an organization responds to incidents, not just how well it prevents them, will determine its success.
References:
- Ponemon Institute sponsored by IBM Resilient, The Third Annual Study on the Cyber Resilient Organization, on the internet at https://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2018_Cyber_Resilient_Organization_Study.pdf (March 2018)
- Id.