Healthcare risk management

3 Ways to Avoid that Sinking Feeling About Your Incident Response Plan


Managing your hospital’s IT and cyber security infrastructure isn’t an easy job, but it’s unique and presents different challenges every day. As you settle into your office one morning, you review critical issues and a few staff members mention the network is slow – much slower than normal. After some investigating, you realize there is an EMR outage, and your worst nightmare has come true. You’ve been hit.

… with a ransomware attack.

As reality sets in, you need to make decisions fast – what are you going to do? Your options are limited, and in the immediate term you take the bold step of shutting down the hospital’s entire network to contain the malware and mitigate any further damage.

For most businesses, a network shutdown is a financial disaster, but for a hospital it is more than that: it means both preventative and critical care cannot be delivered to those who need them.

Unfortunately, shutting down the network, fully restoring it, or paying the ransom is how many hospitals have to respond to a ransomware attack. In the absence of a real plan that includes methods to identify, remediate, and mitigate the threat, many hospitals resort to what the bad actors force them to do.

From an incident response perspective – that should give you a sinking feeling. There must be a better way…right?

1. Take a Lesson from Crisis Management - “But This Ship Can’t Sink!”

On April 15, 1912, the RMS Titanic sank, with over 1,500 lives lost.

Having never planned for such a disaster, the captain and crew had no established process to deal with the aftermath. The ship was equipped with only enough lifeboats to save half of the people on board, even though it could carry enough to save everyone. As a result, decisions had to be made on the fly, and the lack of lifeboats, inequity in passenger treatment, and the tragic loss of life was met with shock and outrage.

In nearly every crisis, time is of the essence – you must react quickly to contain the potential damage, or risk longer lasting effects. The pressure of mitigating and resolving the threat leads to situations where people are hesitant to admit mistakes and accept blame, prolonging ultimate resolution of the problem.

A recent wave of cyber-attacks against hospitals demonstrates that they are ill-prepared to deal with the aftermath of a breach. The Conti ransomware attacks in Ireland resulted in a complete shutdown of all hospital IT systems and networks to contain the spread, with staff relying on manual processes to continue operations more than six weeks after the breach. Estimates of the cost to repair the damage are now in the “tens of millions” [1].

2. Remediation Should not be a Deep Ocean - Decide Which Path to Take

In the 24x7x365 environment hospitals function in, network shutdown is more than just revenue shutdown. Access to critical patient data and life-saving equipment could be impacted, affecting the care and treatment of patients.

In an extended stoppage, hospitals are at risk for reputational damage, fines for non-compliance, and patient lawsuits.

Remediation is equally difficult – do you pay the ransom or attempt to restore IT services?

Paying the ransom is no guarantee of recovery. One study found that 80% of surveyed hospitals that paid a ransom experienced another attack, with nearly half of them believing the follow-on attack was committed by the original perpetrator [2].

Restoring IT services likely involves replacing some (or all) of the following, and doing it in days:

  • Web, email, proxy, and database servers
  • Your employees’ laptops and PCs
  • The applications you use

That’s a highly costly option – both in terms of money and time.

It’s been said that a failure to plan is a plan to fail – history shows this to be true. Consider what’s holding you back and weigh that against what could hold you at ransom.

3. Tell Leonardo and Kate to Act Now. Don’t Put This Off.

The National Institute of Standards and Technology (NIST) has defined a four-step incident response methodology that hospitals can follow.

In other words – this is how you make your incident response plan NOT sink your ship.

Step 1 is preparation

Being prepared ahead of time allows for a quick response to an incident. Preparing involves having an inventory of all your assets, managed or unmanaged. This includes connected medical and IoT devices.

This is also the time to prepare a communication plan of who needs to be contacted when the incident takes place, and roles and responsibilities of each.

Step 2 is detection and analysis

You want to gather all the information you can about the breach. Determine where there are open ports of entry (RDP or SMB ports, websites, IoT devices) and whether there are wormable vulnerabilities.

Having a security tool that serves as a single source of truth – oversight of all your devices – is helpful, and can help you detect and analyze the incident quicker.

Step 3 is containment, eradication, and recovery

Make sure all public-facing services (e.g., VPN, web servers) and devices have the latest patches installed, and that you have antivirus software installed on all endpoints. Also, inspect east/west network traffic to detect any malicious activity or deviations from your baseline.

Connected medical devices will require specialized tools to protect them, as traditional vulnerability scanners will not be able to detect anomalies on these assets.

You’ll also want to consider quarantining or isolating the compromised assets only, rather than completely shutting down everything. This allows the hospital to remain operational, while ensuring no further damage can be caused by the breach.

Step 4 is post-incident activity

This is where you apply the lessons learned from the incident to improve and close any gaps in your security posture. This is an ongoing process that also involves updating related processes and your communications plan.
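As an added illustration of Steps 1 through 3 above (example code written for this page, not from the article or any vendor tool), the script below takes a constructed asset inventory that includes unmanaged medical and IoT devices, flags assets exposing the RDP/SMB entry points the article names, compares sample east/west flow records against a baseline of expected peers, and produces a plan that isolates only the hosts that originated anomalous traffic instead of shutting the whole network down. The inventory, flows, baseline and the plan categories (`isolate`, `review`, `keep_online`) are all constructed assumptions.

```python
"""Constructed example: triage an inventory against east/west flows and quarantine selectively."""
from collections import defaultdict

# Constructed inventory: managed and unmanaged assets, including medical/IoT devices.
INVENTORY = [
    {"host": "emr-db-01", "ip": "10.1.0.10", "kind": "server", "open_ports": [1433, 3389]},
    {"host": "infusion-pump-17", "ip": "10.3.0.17", "kind": "medical", "open_ports": [445]},
    {"host": "ws-nurse-22", "ip": "10.2.0.22", "kind": "workstation", "open_ports": [445]},
    {"host": "mri-console-02", "ip": "10.3.0.2", "kind": "medical", "open_ports": [80]},
    {"host": "badge-reader-05", "ip": "10.4.0.5", "kind": "iot", "open_ports": []},
]
# Entry-point services the article names; exposure alone warrants a patch review.
ENTRY_PORTS = {3389: "RDP", 445: "SMB"}
# Baseline of expected east/west peers per source IP (constructed from "normal" history).
BASELINE = {"10.2.0.22": {"10.1.0.10"}}
# Constructed flow records from the incident window: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.2.0.22", "10.1.0.10", 1433),  # nurse workstation querying the EMR: expected
    ("10.2.0.22", "10.3.0.17", 445),   # workstation reaching a pump over SMB: deviation
    ("10.2.0.22", "10.3.0.2", 445),    # same workstation probing the MRI console: deviation
]

def exposed_entry_points(asset):
    """Names of RDP/SMB services an asset exposes (Step 2: identify open ports of entry)."""
    return [ENTRY_PORTS[p] for p in asset["open_ports"] if p in ENTRY_PORTS]

def baseline_deviations(flows, baseline):
    """Map each source IP to the (dst, port) pairs that are not in its baseline peer set."""
    deviations = defaultdict(set)
    for src, dst, port in flows:
        if dst not in baseline.get(src, set()):
            deviations[src].add((dst, port))
    return dict(deviations)

def quarantine_plan(inventory, flows, baseline):
    """Step 3 as the article describes it: isolate only hosts that originated anomalous
    east/west traffic, review exposed or targeted assets, keep everything else online."""
    deviations = baseline_deviations(flows, baseline)
    targeted = {dst for pairs in deviations.values() for dst, _ in pairs}
    plan = {"isolate": [], "review": [], "keep_online": []}
    for asset in inventory:
        ip = asset["ip"]
        if ip in deviations:
            plan["isolate"].append(asset["host"])
        elif ip in targeted or exposed_entry_points(asset):
            plan["review"].append(asset["host"])
        else:
            plan["keep_online"].append(asset["host"])
    return plan
```

Calling `quarantine_plan(INVENTORY, FLOWS, BASELINE)` isolates only the nurse workstation, lists the EMR server, the pump and the MRI console for review, and leaves the badge reader online.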


Promise Me You’ll Survive

In the film adaptation of Titanic, Jack pleads with Rose using these words as he gives her a lifeline that she then must make the best use of to reach the lifeboats.

If you read the news these days, it’s not a stretch to think about the serious dangers posed to patient safety and move into plead mode with your management to get the security tools you need. That said, in the end, know that no process is perfect, and you may not be prepared for all incidents. The evolution of threats is such that we should expect a breach at some point, so keeping your incident response plan up-to-date and relevant requires constant attention.

One last thought. The number of lifeboats on the Titanic accommodated just 1,178 of the 3,300 people on board. Clearly, simple planning for safety before something happens can make all the difference.


For More Information:

If you want to learn more, below are several sources for your reference.


[1] Threatpost, May 18, 2021
[2] Cybereason Report: Ransomware: The True Cost to Business, June 2021