Cybersecurity incident response: Plan now to avoid finger-pointing later
As the number of cyberattacks on the healthcare industry continues to swell, the inadequate understanding of and response to this growing threat is becoming more and more damaging, not just to hospitals themselves but, perhaps more importantly, to patients.
Nolan Garrett, principal and CTO at Intrinium and former CISO for Children’s Hospital Los Angeles, said healthcare is still in the infancy of establishing a solid information security practice, not to mention making solid incident response plans the norm, not the exception.
“Most orgs’ incident response plans are severely lacking or not even followed,” Garrett said. “This leads to more spending on incident response and longer periods of time elapsing before a breach is detected and contained, thus jeopardizing more patient info and risking higher OCR fines.”
Additionally, he said healthcare is still relatively immature from an information security perspective, with most information security officers still focusing on the basics of buying security software tools. They don’t always think about the processes needed to make sure those tools are used properly and optimally, Garrett said.
“All the millions of dollars that these organizations spend to buy endpoint security tools and patch management tools, that can really go to waste if you don’t have a solid plan for how you are going to use them if an event occurs,” he added.
He recommended crafting specific response plans for concrete scenarios, such as a stolen laptop or an external website compromise. Infosec teams should then share what that incident response plan looks like with employees, educate the other members of their organization and stress its importance. Finally, they should test the plan so they are prepared when an incident or breach occurs.
“It’s far more complex in healthcare, as there are more systems to protect and more vendors at play, but it can mitigate damage and fines that can occur when you lose PHI,” Garrett said. “An incident response is one of the most critical pieces to limiting damage from a breach and is a core HIPAA requirement.”
He also said response plans should have buy-in from all senior leadership at an organization, so that if an incident occurs, time isn’t wasted arguing and pointing fingers, something Garrett said he’s seen firsthand.
“You’ve got the compliance officer and the marketing officer and the CFO bickering at each other trying to figure out what to do instead of executing on protecting the patients,” he said.
Nolan Garrett will be speaking in the session, “Incident Response Lessons From The Front Lines” at 4 p.m. March 8 in the Venetian, Marcello 4401.