Feds Urge Healthcare Entities to Train for Incident ResponsePlans Should Emphasize Rehearsing Various Hacking, Breach Scenarios
Speedy, practiced response is key to prevent, mitigate and recover from cyberattacks, say federal regulators amid an uptick in ransomware incidents affecting the healthcare industry.
Hacking incidents pose the greatest threat to the privacy and security of patient data, especially given cybercriminals' apparent determination that the sensitivity and urgency surrounding uninterrupted access to patient data makes medical providers valuable targets for extortion.
It has become more important than ever for healthcare sector entities and their vendors to have thorough, documented and well-rehearsed incident response plans at the ready to execute in a timely way, says the Department of Health and Human Services' Office for Civil Rights in guidance issued Tuesday.
Breach response training can also save healthcare entities from further enforcement actions by HHS itself, the office says. If weak incident response played a role in the loss of personal health information, the office issues fines. In July, Oklahoma State University's Center for Health Sciences paid a $875,000 fine to settle an incident involving nearly 280,000 individuals.
The agency's investigation found a variety of potential HIPAA violations, including impermissible uses and disclosures of PHI; failures to implement audit controls, security incident response and reporting; and failure to provide timely breach notification to affected individuals and HHS OCR.
"A well-thought-out, well-tested security incident response plan is integral to ensuring the confidentiality, integrity and availability of a regulated entity's ePHI," HHS OCR says.
A critical component of incident response is testing out the planned response to common scenarios, including ransomware. Entities should also have road-tested plans for responding to data exfiltration by malicious insiders or external bad actors and distributed denial-of-service attacks, HHS OCR says.
Privacy attorney Iliana Peters of the law firm Polsinelli agrees, saying that in her experience, a lack of appropriate response to security incidents results from a lack of experience and practice.
"I often see entities with very good incident response plans in writing, but those entities have never practiced responding to a major cyberattack, like a large ransomware incident," she says.
Other Response Shortcomings
Paige Peterson Sconzo, director of healthcare services at security firm Redacted Inc., says over-reliance on third parties such as internet services providers, email service providers and vendors is another crucial mistake some healthcare entities make in their incident response.
While many entities have outsourced network monitoring, "not every vendor in this space takes actions on alerts that have been found, relying on staff that may not have the expertise to catch the nuances of a sophisticated actor moving inside their network," she says.
"Ensure that you have experts watching 24x7x365 who can investigate activity in real time and can take action on those alerts," she says.
Threat actors are in a network long before they encrypt the network and send a ransom email. "Every effort should be made to catch them early. Make sure you have immutable backups," says Peterson Sconzo
Dave Bailey, vice president for security services at consulting firm Clearwater, says other common weaknesses in incident response include discovering that needed or expected controls are not effective once an attack has occurred. That can include data backups, system recovery, communications, or partner involvement, he says.
"The top pitfall or mistake is not testing your plan enough and not involving all potential decision-makers," he says.