You could say that an incident response plan (IRP) is the equivalent of Einstein’s 55 minutes and the actual incident response is Einstein’s 5 minutes.

“Most people have no idea just how fast a cyberattack takes down a network and how much damage it can do,” says Sensato CEO John Gomez. 

So, ask any cybersecurity expert to share their best practices for IT security, and development of an incident response plan will be at the top of that list.

Yet, a recent survey of healthcare and life science leaders by KPMG revealed that more than half (51 percent) of them either didn’t believe that their organization had an incident response plan, or they were not aware of their organization’s protocols for responding to a cyber breach.

“The only thing that’s surprising about that statistic, unfortunately, is that it’s much lower than what we actually find in the field,” says John Gomez. “Like a lot of the best practices we recommend, incident response planning is viewed as too complicated and expensive, or people don’t see the value of it. But the IRP is absolutely essential in preparing you and your organization for your worst day.”

Cyberattacks evolve; so should your IRP

What Gomez and other cybersecurity experts are talking about, however, isn’t a thick binder that gathers dust on a shelf and is all but forgotten when an actual IT breach occurs.

Think hospital or community disaster response plan, where emergency departments, first responders, and community leaders physically train by enacting the casualties and chaos of an actual natural disaster or a manmade situation like an active shooter, complete with actors playing the roles of real victims.

Those drills and that level of training are only effective because of a response plan that leaves nothing to question.

In fact, it was hospitals and special ops teams that Sensato’s experts studied in designing their incident response planning programs and best practices.

Like Planning for War, Because It IS

“We wanted to rewrite the book on incident response. We took a nontraditional approach, using elements from hospitals, SWAT teams, the military, to create our platform,” says Gomez. “We know that no plan survives first contact, to borrow a military term that’s very true. So we thought, let’s not have a plan, which is static; let’s have a platform, which evolves as threats and organizations evolve.”

Sensato’s approach includes determining and documenting all of the following:

• Who will be in charge during an IT security breach
• Who all will be involved – internally and externally
• Contact information for every team member – internal and external
• How the incident response team will communicate – in the event that phones, email, and other channels are compromised 
• What assets are considered top priority – patient care/monitoring systems, patient information, billing/financial systems, etc 
• A full and living list of potential threats and incident scenarios – including the likely goal of each type of attack
• Your organization’s definition of “incident” – does an attack attempt need to be successful to trigger an incident response?
• The primary goal of incident response – protect patients, restore operations, protect patient information, etc
• Protocols -- detailing the specific action each member of the team will take in response to a breach
• Key performance indicators (KPIs) – how you’ll determine whether your incident response time and tactics were successful

Key on that list is the protocols. Much like those used in medicine, law enforcement, or the military, protocols are highly detailed standing orders outlining exactly who will do what, how to do it, what equipment or programs to use, etc. Protocols are not broadly applied instruction, but step-by-step standards for each team member to know and follow.

Get to Know the Attackers

Also critical to that list is the priorities for protection. “We teach people to think in terms of their highest value targets,” says Gomez. “We reverse engineer from there and ask, what’s the attacker’s goal? Knowing the motivation of an attacker is critical to understanding how you need to respond.”

One of the reasons understanding attackers’ motivations is so important is that most breaches involve people within the organization. The 2018 Protected Health Information Data Breach Report (PHIDBR) by Verizon found that 58 percent of cybersecurity incidents in healthcare involved insiders who breached systems for financial gain (48 percent), fun or curiosity in reading personal records (31 percent), and convenience (10 percent).

Each of those motivations provides valuable information that can help a healthcare organization in the design of its security systems and response protocols.

“People put a tremendous amount of energy into protecting themselves from external attacks, but insider theft is really the bigger threat,” says Gomez. “You tend to ignore activity on your networks by people within your organization that would set off all kinds of alarms if you saw the same activity from an external source.”

This level of planning is complex, but absolutely necessary, as we’ll see in our next best practices installment: training.

MD-COP will secure your data, devices, and network from targeted and “side effect” attacks.  Act quickly.