When it comes to building cybersecurity protections around a healthcare provider organization’s network and systems, there is no such thing as a foolproof defense. Often it is not a question of if but when a cybercriminal will break in.

As a result, it is critical that every provider organization, big or small, have an incident response and recovery plan created and tested. That way, if a security breach does happen, the organization will be prepared to minimize damage and respond to the community.

At the HIMSS Healthcare Security Forum in Boston next month, a panel of experts will be addressing this subject in a session entitled “Incident Response & Recovery,” December 9, 2019, 1:45 p.m. to 2:25 p.m. at the Westin Copley Place hotel in the Essex Ballroom.

Here, two of the panel members, experts in healthcare cybersecurity, discuss pressing issues surrounding incident response and recovery in a preview of their discussion December 9.

An almost inevitable problem

A cyberattack unfortunately almost is inevitable in today’s environment of rogue nation-states and organized crime syndicates operating from parts of the world that lack effective law enforcement or international extradition treaties, said Richard Staynings, chief security strategist at Cylera, a healthcare cybersecurity AI-driven technology vendor. He has served on the International HIMSS Privacy and Cybersecurity Committee, where he has assisted hundreds of health systems globally in their cybersecurity risk management transformation efforts.

“Other than the rendition of the very worst offenders, or meaningful consequences for rogue governments engaged in international criminal activity, there is very little to dissuade perpetrators from continuing their attacks,” he explained. “All evidence indicates that attacks are increasing in frequency, intensity and damage at the current time.”

"Since likelihood is almost certain now, the trick is to minimize the effect of any attack by isolation and containment to prevent any successful attacks from having a significant impact."

Richard Staynings, Cylera

Given the inevitability of an attack, healthcare provider organizations and governments need to plan for response and recovery, areas that healthcare in particular has been historically bad at, Staynings said.

“This is mainly because of resource constraints and an almost myopic focus on compliance and preventing attacks in the first place – something that can no longer be accomplished with any degree of certainly given a rise in the use of advanced persistent threats and extremely well-funded adversaries,” he explained.

Budget and risk constraints

While health systems could easily spend millions of dollars in cybersecurity protection – larger ones probably should – in reality all healthcare organizations must live within budgets and the level of risk that boards and CEOs are happy to accept, he added.

“It’s a simple risk equation of likelihood and impact that changes almost daily as threats change,” he said. “Since likelihood is almost certain now, the trick is to minimize the effect of any attack by isolation and containment to prevent any successful attacks from having a significant impact. The aim being to contain a breach to a very small data set, and to minimize the number of systems affected by an attack in order to minimize interruption of services to patients.”

Partly as a result of regulation, healthcare has attempted to prevent unauthorized access to PHI and PII. But from a risk perspective, a breach of non-public information is pretty minor compared to patient safety concerns brought about by cyberattack.

“As an industry we have focused on protecting confidentiality, rather than the integrity and availability of health data and IT systems,” Staynings remarked. “The WannaCry ransomware attack that shut down a third of the UK National Health Service showed us that availability attacks can have a major impact on patient care and mortality.”

Better basic security housekeeping

The healthcare industry needs to do a better job of basic security housekeeping like replacing end-of-life hardware and software and regular patching of IT and IoT systems like medical devices and PACS stations – something that caused a major issue for the NHS and will for most US hospitals if they remain unpatched, he added.

“At the same time, we need to break up our flat healthcare networks into security enclaves to limit outbreaks and prevent the lateral spread of malware or free passage for attackers,” he advised. “Micro-segmentation and zero-trust is badly needed across healthcare to control user and inter-system access, and to stop potential security incidents in their tracks.”

While it may not be possible to prevent all advanced persistent threats and well-funded nation-state attacks, many of today’s attacks are based on exploit kits not Zero-Days and are thus avoidable with good security housekeeping and timely, comprehensive patching, he noted.

“These are standard preventative controls that any security team should be insisting upon anyway and will greatly help to minimize the impact of any attack,” he said. “Once in place, a layered prevention model will help to lower cyber liability deductibles and make IR costs and staffing more predictable. At the same time, it makes security incident response more suitable for consumption as a commodity service from an expert service provider on a simple commercial retainer basis, thus freeing up security headcount for higher value tasks.”

The security incident response team typically is comprised of the following, Staynings advised:

• Incident leader who communicates with leadership team.
• Incident technical lead who communicates/coordinates with technical teams.
• PR and marketing who manage external communications and the disclosure of information.
• Legal who coordinate with law enforcement and regulators.
• Executive leadership who assess impact to operations and ensure a safe effective care delivery environment. CEO to appear on TV to publicly apologize for any breach or service interruption and reassure the public that the incident has been contained and is being cleaned up.

Medical device cybersecurity

Another HIMSS Healthcare Security Forum incident response and recovery panelist is Julie L. Connolly, principal cybersecurity engineer, cyber solutions technical center, at The Mitre Corporation. She is part of a MITRE team supporting the U.S. Food and Drug Administration effort to develop collaborative approaches to manage medical device cybersecurity. She has important thoughts on the subject of incident response and recovery.

“Medical device cybersecurity incident preparedness and response is an area of particular interest and expertise; I was the lead author of the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook published on behalf of the FDA,” she noted. “In there are listed a number of the IR roles and responsibilities. Legal and public affairs/corporate communications are potentially key members of incident response, as they may need to weigh in to control messaging and the information that may be released publicly.”

"Defined processes and procedures – among other things – that are vetted during regular exercises improve the readiness and turnaround time for an organization, should a cyberincident arise."

Julie L. Connolly, The Mitre Corporation

A lack of preparation and a lack of senior leadership commitment to incident response/cybersecurity and its potential impact slow response, Connolly said.

“Defined processes and procedures – among other things – that are vetted during regular exercises improve the readiness and turnaround time for an organization, should a cyberincident arise,” she added. “Sometimes, it takes a privacy breach, with fine and/or negative publicity, to motivate an organization and its leadership to action.”

Security operations centers

Regarding what an ideal security operations center (SOC) looks like, these may take all forms, and not every healthcare provider organization may have an SOC, particularly if it is just starting up and/or relying on a Managed Security Services Provider (MSSP) for cyber incident handling, in which case the MSSP usually has its own SOC, she explained.

“One thing that is important when building out an SOC capability is determining what kind of coverage you want – are you having cyber monitoring 40 hours a week or 24/7, for instance,” she said. “SOC investment should be consistent with the organization’s goals for its SOC, such as coverage hours and desire for a demonstration facility.”

SOCs range from a virtual SOC of analysts working remotely – but often living in different time zones to get better coverage – to a small group of analysts who convene in one ‘command center’ as needed or only during an incident to a heavily invested ‘SOC showpiece’ that may contain rows of analysts at workstations facing a number of large screens with conferencing capabilities and adjoining conference rooms for smaller, focused meetings.

“SOCs come into play during an incident by bringing all the people with the investigation, communication, and decision-making responsibilities together to enable the tempo of resolution to move at a faster speed than might otherwise occur,” Connolly explained. “Having well-tested, well-understood IR roles, processes and procedures again contributes to a more effective response, regardless of the center’s physical characteristics.”

Working around 9-to-5 security operations centers

Staynings also has thoughts on how a great security operations center should run. Good security operations, solid threat intelligence and a 24/7 security operations center are key areas that all but the largest of healthcare providers currently lack, he said.

“Many have 9-to-5 SOCs,” he noted. “Unfortunately, perpetrators know this and so time their attacks to commence at 6 p.m. on a Friday night, safe in the knowledge that they have till 8 a.m. Monday morning to be in and out safely. Managed Detection and Response (MDR) services are a good choice for many healthcare entities either as a secondary/fallback/expert service to supplement on-site 9-to-5 operations staffing, or to replace most local security operations capability entirely with experts working on a leveraged cost model across multiple customers of the MDR, thus freeing up valuable headcount for other security tasks.”

The best SOCs have a multi-layered team of analysts and investigators supported by true experts in software engineering who can reverse engineer malware, attribute attackers and identify targeted attacks versus simple broadcast ones, he added. In healthcare, he said, an SOC often is a joint effort with IT operations with additional staff co-opted or drawn from:

• Endpoint/desktop.
• Network.
• Server administration.
• Applications.
• Service delivery, virtualization.

“But well-trained and skilled SOC staff are just part of the overall defense,” Staynings noted. “Technologies that correlate and aggregate logs of critical systems like SIEMS and their next generation replacements, and a myriad of other increasingly AI-based tools used to look for anomalous user or system activities and identify potential indicators of compromise using NetFlow, next generation IDPS, advanced DNS and other security infrastructure tools.”

Combined SOC tools and their staff are responsible for monitoring the infrastructure, blocking attacks, and alerting others in the defense of the organization from potential cyberattack. In the event that an attack is successful, he concluded, the SOC team works closely with the Security Incident Response Team (CIRT) and attempts to provide a 360-degree view of any incident with respect to business operations impact and incident triage.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
Healthcare IT News is a HIMSS Media publication.

 Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.