3-part blueprint for HPHs to build cyber resilience

David Reitzel, Candice Moschell
6/18/2024

Healthcare organizations can prepare for the next breach with proper preparation and by including all departments in responding to cyberthreats.

This article was originally written in the context of the first edition of the U.S. Northeast Healthcare Innovation Summit, organized by Bamberg Health, which took place in Boston on April 10. The summit brought together key decision-makers from the region to discuss the challenges of healthcare innovation faced by various stakeholders. Crowe was honored to sponsor the summit and to participate as a speaker, offering insights through the presentation "Healthcare’s Evolving IT Risk Management: Cyber, Third Party, and Interoperability."

This article was originally published by Bamberg Health and is reprinted with permission.


Security events such as ransomware, distributed denial of service, and supply chain or third-party attacks can pose significant problems for organizations of any industry or size. Threat actors, however, target the healthcare and public health (HPH) sector disproportionately, and attacks on it continue to increase year after year. Even where the raw number of attacks is smaller than in other industries, the impact of a cyberattack on an HPH is the highest of any industry, because each attack can affect patient care and safety.

Adversaries target the HPH sector because of the volume of nonexpiring and lucrative health data it holds, its reliance on technology coupled with limited IT resources, and the higher probability that an HPH will pay a ransom. Regulatory scrutiny and fines aside, HPHs that invest in transforming their cyber resilience and ransomware preparedness can limit the impact on patient safety and reduce the risk of loss of life.

HPHs can implement a practical approach to maturing their cyber resilience and ransomware preparedness. Following are three proactive actions these organizations can take.

Develop a holistic business resilience and incident response program

Effective resilience programs start with current and reliable information gathered through department-level business impact analyses (BIAs). When building a new response program, healthcare organizations should ask each department to identify and certify its crucial business processes and the jobs to be done, along with their dependencies, such as technology, personnel, facilities, work materials, and supplies.

These processes should then be ranked by criticality, each with an estimate of its maximum tolerable downtime (MTD) and, for the technology it depends on, a recovery time objective (RTO) and recovery point objective (RPO). An RTO that exceeds the MTD of the process it supports is a BIA inconsistency and should be resolved before the plan is built on it. The information gathered in a BIA informs the creation of the programs that follow.

Organizations can then add business continuity plans (BCPs) that detail the people, processes, and resources needed to sustain operations during a disaster or major disruption. More specifically, BCPs provide the detailed steps each department must take to continue providing patient care and running business processes, often while IT systems are being restored. To make best use of the BCP, departments should document the dependencies between their business processes and any reliance on specific third-party vendors or materials.

Another component of a holistic incident response program is the disaster recovery plan (DRP), which details the organization’s response steps for IT systems and connectivity during disasters or disruptions. The information gathered through the BIA sets the RPO and RTO of each technology in the environment. Because a system must meet the tightest objective of every process that depends on it, the RPO and RTO tell IT which systems to bring up first, in order of criticality, and how to design systems to support business objectives.
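As an added illustration of how BIA data drives the DRP (example code written for this edit, not Crowe's method or any tool the article describes), the following Python rolls each department's certified process objectives down onto the systems those processes depend on, flags RTOs that exceed the MTD, and produces a recovery order. The process list, the system names (EHR, ADT, LIS, IdP, and so on), and the system-to-system dependencies are constructed sample data; the rule that a system inherits the tightest RTO/RPO and highest criticality of everything that depends on it, directly or transitively, is an assumption of the example rather than something the article prescribes.

```python
"""Derive DR recovery targets and restoration order from BIA data (added example)."""
from __future__ import annotations

import heapq
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    department: str
    criticality: int          # 1 = most critical; larger numbers are less critical
    mtd_hours: float          # maximum tolerable downtime certified in the BIA
    rto_hours: float          # recovery time objective for the process
    rpo_hours: float          # recovery point objective (acceptable data loss)
    systems: list[str]        # technology dependencies named in the BIA


@dataclass
class SystemTarget:
    name: str
    criticality: int
    rto_hours: float
    rpo_hours: float
    processes: list[str] = field(default_factory=list)


def check_bia(processes: list[Process]) -> list[str]:
    """Return processes whose RTO is longer than their MTD: such an objective can never be met."""
    return [p.name for p in processes if p.rto_hours > p.mtd_hours]


def derive_system_targets(processes: list[Process], system_deps: dict[str, list[str]]) -> dict[str, SystemTarget]:
    """Roll process objectives down onto systems.

    A system inherits the tightest RTO/RPO and highest criticality of every process
    that depends on it, directly or through another system (the EHR cannot be up
    before the identity provider it authenticates against). Assumption of this example.
    """
    targets: dict[str, SystemTarget] = {}

    def touch(system: str, proc: Process) -> None:
        t = targets.setdefault(system, SystemTarget(system, proc.criticality, proc.rto_hours, proc.rpo_hours))
        t.criticality = min(t.criticality, proc.criticality)
        t.rto_hours = min(t.rto_hours, proc.rto_hours)
        t.rpo_hours = min(t.rpo_hours, proc.rpo_hours)
        if proc.name not in t.processes:
            t.processes.append(proc.name)

    for p in processes:
        stack, seen = list(p.systems), set()
        while stack:                      # walk the transitive system dependencies
            s = stack.pop()
            if s in seen:
                continue
            seen.add(s)
            touch(s, p)
            stack.extend(system_deps.get(s, []))
    return targets


def recovery_order(targets: dict[str, SystemTarget], system_deps: dict[str, list[str]]) -> list[str]:
    """Restoration sequence: upstream dependencies first, then by criticality and RTO.

    Implemented as a priority-driven topological sort; a dependency cycle is an error
    in the BIA data and is reported rather than silently skipped.
    """
    names = set(targets)
    indeg = {n: 0 for n in names}
    dependents: dict[str, list[str]] = {n: [] for n in names}
    for s in names:
        for dep in system_deps.get(s, []):
            if dep in names:
                indeg[s] += 1
                dependents[dep].append(s)

    def key(n: str) -> tuple[int, float, str]:
        return (targets[n].criticality, targets[n].rto_hours, n)

    ready = [key(n) for n in names if indeg[n] == 0]
    heapq.heapify(ready)
    order: list[str] = []
    while ready:
        _, _, n = heapq.heappop(ready)
        order.append(n)
        for d in dependents[n]:
            indeg[d] -= 1
            if indeg[d] == 0:
                heapq.heappush(ready, key(d))
    if len(order) != len(names):
        raise ValueError("circular system dependency in BIA data")
    return order


# Constructed sample BIA entries (illustrative, not from the article).
SAMPLE_BIA = [
    Process("Inpatient medication orders", "Pharmacy", 1, 4, 2, 1, ["EHR"]),
    Process("ED patient registration", "Emergency", 1, 2, 1, 0.5, ["EHR", "ADT"]),
    Process("Lab result reporting", "Laboratory", 2, 8, 12, 2, ["LIS"]),   # RTO > MTD on purpose
    Process("Claims submission", "Revenue cycle", 3, 72, 48, 24, ["Billing"]),
    Process("Payroll", "HR", 4, 120, 96, 24, ["HRIS"]),
]
# Constructed system-to-system dependencies (assumed for the example).
SAMPLE_DEPS = {
    "EHR": ["IdP", "Core network"],
    "ADT": ["IdP", "Core network"],
    "LIS": ["IdP", "Core network", "Interface engine"],
    "Interface engine": ["Core network"],
    "Billing": ["IdP", "Core network"],
    "HRIS": ["IdP"],
}

if __name__ == "__main__":
    print("BIA inconsistencies:", check_bia(SAMPLE_BIA))
    targets = derive_system_targets(SAMPLE_BIA, SAMPLE_DEPS)
    for name in recovery_order(targets, SAMPLE_DEPS):
        t = targets[name]
        print(f"{name:18} crit={t.criticality} RTO={t.rto_hours}h RPO={t.rpo_hours}h <- {t.processes}")
```

Run as written, the identity provider and core network surface first even though no department listed them directly, because every certified process depends on them transitively; that is the point of recording dependencies in the BIA rather than only naming the application a department sees.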

Creating an enterprise data catalogue (EDC) gives HPHs a complete view of where data is used, stored, and managed, whether in internal applications or hosted on third-party solutions. Leaders can use the EDC as an input to the DRP for interoperability management and for engaging end users to define key operational reporting needs.

Finally, an incident response plan (IRP) outlines the steps an organization follows in the event of a material incident. IRPs should be developed by teams that can detail the path from incident identification through containment measures, communication protocols, and recovery procedures. The IRP should define specific types of events and the appropriate steps for each, including when to engage whom, outside parties included, during the incident and in recovery.

Communication plans are a key part of a response program and support the overall success of an organization during a material event. The plan should clearly define roles and responsibilities, including who is authorized to communicate alerts to internal stakeholders, employees, and the media, and how.

Invest in capabilities to detect, respond, and recover

Some HPHs lack the resources or funds to support a 24/7/365 security operations center, yet continuous monitoring capabilities can be among the most critical assets for detecting anomalous activity. Continuous monitoring systems are designed to enable early detection of suspicious activity or anomalies and to consolidate security and event logging from assets across the environment.

Security information and event management (SIEM) and security orchestration, automation, and response (SOAR) technologies are often used interchangeably but differ: a SIEM collects, correlates, and alerts on events from the environment, while a SOAR platform automates the actions taken in response to those alerts. When any of these functions is outsourced to a third party, HPHs should clearly define roles and responsibilities between the parties, including how and when to alert organization leaders and what the expected response is for each type and severity of incident.

HPHs should have retainers in place with third-party specialists that focus on incident response and forensics. Organizations should verify that any third-party cyber response team is aligned with and covered by the HPH’s cyber insurer. Alignment among the three parties helps ensure that the response follows the protocols the insurance policy requires and that no party inadvertently takes a step that could void a claim.

Test, test, test

Plans are only concepts until practiced. To build adequacy, accuracy, and muscle memory, HPHs should execute a variety of training and testing activities and review their capabilities and programs. HPHs can also engage third parties for mock adversary testing such as unannounced penetration tests, adversary emulation (red team) engagements, and technical ransomware readiness assessments.

These technical assessments help identify whether detection capabilities and technologies have been tuned to identify and alert on advanced persistent threats and indicators of compromise. For that reason, those responsible for detecting such activity should not be warned ahead of the assessment. In the same technical vein, periodic and targeted disaster recovery tests should be executed on technologies, applications, cloud platforms, and network-level devices beyond the electronic health record and the revenue cycle and financial systems. Partial and full tests can uncover weaknesses in backup and failover technologies and process improvements to the documented procedures.

In addition to technical assessments, HPHs should execute granular and targeted incident response tabletop exercises. These simulations help organizations practice response and recovery steps in a controlled environment with minimal business disruptions. Tabletop exercises should be conducted across the organization and focus on roles and responsibilities in each department. At least once per year, HPHs should conduct simulations that:

  • Involve those identified in the IRP as responsible for technical responses
  • Focus on patient care and business operations to test the BCP
  • Include executives focused on the organizational response to test the communications plan, engagement with the cyber insurer and third-party cyber team, plans for diverting patients, and decisions about paying ransom

Organizations should document these exercises and create after-action reports to identify gaps and modify response plans.

Layer your approach

While no perfect solution exists to withstand the treacherous threat landscape that plagues the HPH industry, proper preparation can help HPHs develop a layered approach to respond quickly to material events with as little patient care disruption as possible.

Contact us

David Reitzel, Principal, Healthcare Consulting Leader
Candice Moschell, Consulting