You could say that an incident response plan (IRP) is the equivalent of Einstein’s 55 minutes and the actual incident response is Einstein’s 5 minutes.
“Most people have no idea just how fast a cyberattack takes down a network and how much damage it can do,” says Sensato CEO John Gomez.
So, ask any cybersecurity expert to share their best practices for IT security, and development of an incident response plan will be at the top of that list.
Yet, a recent survey of healthcare and life science leaders by KPMG revealed that more than half (51 percent) of them either didn’t believe that their organization had an incident response plan, or they were not aware of their organization’s protocols for responding to a cyber breach.
“The only thing that’s surprising about that statistic, unfortunately, is that it’s much lower than what we actually find in the field,” says John Gomez. “Like a lot of the best practices we recommend, incident response planning is viewed as too complicated and expensive, or people don’t see the value of it. But the IRP is absolutely essential in preparing you and your organization for your worst day.”
Cyberattacks evolve; so should your IRP
What Gomez and other cybersecurity experts are talking about, however, isn’t a thick binder that gathers dust on a shelf and is all but forgotten when an actual IT breach occurs.
Think of a hospital or community disaster response plan, where emergency departments, first responders, and community leaders physically train by enacting the casualties and chaos of an actual natural disaster or a man-made situation like an active shooter, complete with actors playing the roles of real victims.
Those drills and that level of training are only effective because of a response plan that leaves nothing to
In fact, it was hospitals and special ops teams that Sensato’s experts studied in designing their incident response planning programs and best practices.
Like Planning for War, Because It IS
“We wanted to rewrite the book on incident response. We took a nontraditional approach, using elements from hospitals, SWAT teams, and the military to create our platform,” says Gomez. “We know that no plan survives first contact, to borrow a military term that’s very true. So we thought, let’s not have a plan, which is static; let’s have a platform, which evolves as threats and organizations evolve.”
Sensato’s approach includes determining and documenting all of the following:
- Who will be in charge during an IT security
- Who all will be involved – internally and
- Contact information for every team member – internal and external
- How the incident response team will communicate – in the event that phones, email, and other channels are compromised
- What assets are considered top priority – patient care/monitoring systems, patient information, billing/financial systems, etc.
- A full and living list of potential threats and incident scenarios – including the likely goal of each type of attack
- Your organization’s definition of “incident” – does an attack attempt need to be successful to trigger an incident response?
- The primary goal of incident response – protect patients, restore operations, protect patient
- Protocols – detailing the specific action each member of the team will take in response to a breach
- Key performance indicators (KPIs) – how you’ll determine whether your incident response time and tactics were successful
Key on that list are the protocols. Much like those used in medicine, law enforcement, or the military, protocols are highly detailed standing orders outlining exactly who will do what, how to do it, what equipment or programs to use, etc. Protocols are not broadly applied instruction, but step-by-step standards for each team member to know
Get to Know the Attackers
Also critical on that list are the priorities for protection. “We teach people to think in terms of their highest value targets,” says Gomez. “We reverse engineer from there and ask, what’s the attacker’s goal? Knowing the motivation of an attacker is critical to understanding how you need to respond.”
One of the reasons understanding attackers’ motivations is so important is that most breaches involve people within the organization. The 2018 Protected Health Information Data Breach Report (PHIDBR) by Verizon found that 58 percent of cybersecurity incidents in healthcare involved insiders who breached systems for financial gain (48 percent), fun or curiosity in reading personal records (31 percent), and convenience (10 percent).
of those motivations provides valuable information that can help a healthcare organization in the design of its security systems and response protocols.
“People put a tremendous amount of energy into protecting themselves from external attacks, but insider theft is really the bigger threat,” says Gomez. “You tend to ignore activity on your networks by people within your organization that would set off all kinds of alarms if you saw the same activity from an external source.”
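The point Gomez makes above, that the same behaviour should raise the same alarm whether it comes from inside or outside the network, can be shown in code. The following is an added illustration, not Sensato’s software or anything from the article: a small detection rule run over constructed electronic-health-record access log lines. The log format, the user names, the internal address range (`INTERNAL_NETS`) and the threshold of distinct patient records per ten-minute window are all assumptions made for the example. The `external_only` switch reproduces the blind spot the quote describes, so the two outputs can be compared directly.

```python
"""Source-agnostic bulk-access detection over constructed EHR access logs.

Added example (not Sensato's code). One threshold is applied to every user,
so an insider reading many patient records trips the same alert an outside
source would. external_only=True shows the blind spot of alerting only on
external addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the hospital's internal address space (placeholder range).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Assumption: more than this many distinct records in WINDOW is abnormal for
# one user. Real values would be tuned per role and documented in the protocol.
RECORD_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample log lines (not real data):
# "<ISO timestamp> user=<id> src=<ip> action=<verb> record=<patient id>"
SAMPLE_LOG = """\
2024-01-09T09:00:01 user=nurse_j src=10.1.4.22 action=read record=P1001
2024-01-09T09:00:05 user=nurse_j src=10.1.4.22 action=read record=P1002
2024-01-09T09:00:09 user=nurse_j src=10.1.4.22 action=read record=P1003
2024-01-09T09:00:12 user=nurse_j src=10.1.4.22 action=read record=P1004
2024-01-09T09:00:15 user=nurse_j src=10.1.4.22 action=read record=P1005
2024-01-09T09:00:18 user=nurse_j src=10.1.4.22 action=read record=P1006
2024-01-09T09:01:00 user=dr_k src=10.1.7.8 action=read record=P2001
2024-01-09T09:30:00 user=dr_k src=10.1.7.8 action=read record=P2002
2024-01-09T09:02:00 user=svc_billing src=203.0.113.9 action=read record=P3001
2024-01-09T09:02:01 user=svc_billing src=203.0.113.9 action=read record=P3002
2024-01-09T09:02:02 user=svc_billing src=203.0.113.9 action=read record=P3003
2024-01-09T09:02:03 user=svc_billing src=203.0.113.9 action=read record=P3004
2024-01-09T09:02:04 user=svc_billing src=203.0.113.9 action=read record=P3005
2024-01-09T09:02:05 user=svc_billing src=203.0.113.9 action=read record=P3006
"""


def parse_line(line):
    """Parse one constructed log line into a dict with typed fields."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "user": kv["user"],
        "src": ip_address(kv["src"]),
        "action": kv["action"],
        "record": kv["record"],
    }


def is_internal(ip):
    """True when the source address falls inside the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def detect_bulk_access(log_text, external_only=False):
    """Return alerts as (user, origin, distinct_record_count) tuples.

    external_only=True skips internal sources entirely, reproducing the
    blind spot described in the article. The default applies one rule to all.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)

    alerts = []
    for user, evs in per_user.items():
        origin = "internal" if is_internal(evs[0]["src"]) else "external"
        if external_only and origin == "internal":
            continue
        # Sliding window: from each event, count distinct records read
        # within WINDOW; alert once per user on the first breach.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            distinct = {e["record"] for e in in_window}
            if len(distinct) > RECORD_THRESHOLD:
                alerts.append((user, origin, len(distinct)))
                break
    return alerts


if __name__ == "__main__":
    print("one rule for all:", detect_bulk_access(SAMPLE_LOG))
    print("external only:   ", detect_bulk_access(SAMPLE_LOG, external_only=True))
```

With the constructed log, the source-agnostic rule flags both the internal user reading six records in under twenty seconds and the external service account doing the same, while the external-only variant misses the insider entirely. The clinician who reads two records half an hour apart is not flagged by either, which is the behaviour the threshold and window are meant to permit.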
This level of planning is complex, but absolutely necessary, as we’ll see in our next best practices installment: training.
MD-COP will secure your data, devices, and network from targeted and “side effect” attacks. Act quickly.