So your hospital has been breached; here's what you must do now

Don’t panic, but don’t delay in finding out what has been breached and deciding on a course of action.
By Bill Siwicki
01:39 PM

Cybercriminals have been very successful in the healthcare industry, and as a result, they’re not going to stop attacking. Data breaches are inevitable. As good as healthcare CISOs get at protecting health data, hackers can be even craftier in breaking through the latest in cybersecurity technology and practices.

So how should hospital infosec teams react when there is a breach? What steps should they follow to ensure a breach is under control? Cybersecurity experts who have seen their share of incidents and events have a variety of tips about how to put a lid on breaches and respond appropriately.

First of all, don’t panic, said Stacy Scott, managing director at Kroll, an investigations and risk mitigation firm.


“Keep your security and IT leaders motivated to respond and solve the issue rather than pointing fingers and having staff blame each other,” Scott said. “They have the best knowledge of how your systems work and what normal behavior and activity should be and discovery capabilities you have in place. Call forensic and legal experts that have handled breaches before and determine what you need to discover about the breach.”

At the beginning, it is very important to establish the ground truth – what has happened?

“What data has been lost, what’s the scope of the breach?” said Daniel Clayton, head of customer security at Rackspace, which offers HITRUST- and HIPAA-compliant hosting for healthcare. Clayton is a former intelligence analyst with the British Army. “Which parts of the business have been impacted? Identify an incident response leader, establish an incident room and gather the right people to determine who, what, when and how.”


Once the facts have been determined, the next step is to figure out the best way to stop or slow the bleeding, Clayton said.

“This will depend on the adversary and how long the breach has been active,” he explained. “If this is the first time they’ve come into the environment and have only been in for 24 hours or less with minimal actions taken, it’s advisable to cut off access immediately.”

If the breach has gone on for six months or longer, it’s likely they have multiple ways to get back into the environment, and it’s critical to assess those before the organization fully engages, Clayton said. If the compromise has occurred for a longer period of time, it’s critical to put some mitigating controls in place, but be careful, as one may not want to totally cut off the adversary because, if tipped off, the attacker could go dormant – or worse, become malicious and destroy evidence, he added.

Remediation is an important step and should focus on the immediate technical issues that caused the breach but also consider other areas of the environment that may be vulnerable to a similar cyberattack.

“Think about how the breach happened and determine the attackers’ likely motives,” Scott said. “Was it focused on stealing data that can be monetized or was it aimed at interrupting business operations?”

As an example, say a breach occurred on a web-facing patient portal and protected data was stolen. A hospital should ask itself: Was this a complex and scripted attack or simple social engineering? What other information is accessible from the web? Are there vulnerabilities on these systems? Where else is patient data accessed externally or where could social engineering occur?

Once a breach is under control and steps have been taken to ensure the perpetrators are out of the system, further work must focus on making sure such a data breach never happens again.

“You don’t have to divulge details of the breach or that one even happened to take the opportunity to educate employees and remind them of their role,” Scott said. “Remind them why security is not something to become complacent about. Many data breaches still occur due to unauthorized disclosure.”

Too many IT and security leaders keep things under wraps for fear of being seen as incompetent by an already demanding business user, she added. Flip the script and discuss what can be done to improve the situation and prevent something like this from happening in the future, she said.

“Healthcare IT and security staff should assume they will be attacked and prioritize the capability to protect data when that attack happens,” Clayton said. “The security operation needs to understand the threat landscape. Which threat actors target healthcare organizations? Which tactics, techniques and procedures do they use? Then build the specific capabilities that will enable you to mitigate those attacks.”

And time is critical, so hospital infosec teams should establish ahead of time what they are going to do, how they are going to react and who is going to be involved. And then practice.

“Response must become a drill; people make bad decisions under pressure, and bad decisions in the midst of a cyber-event would be catastrophic for a healthcare organization,” Clayton said. “Live and realistic war-gaming is the most effective way to build the incident response muscle-memory that minimizes business impact in the case of a major cyber-event.”
