At the end of Cybersecurity Awareness Month 2021, CyberMDX spoke with healthcare system cybersecurity leaders about what they think matters with respect to creating and implementing an incident response plan.
For many hospitals, a cybersecurity incident response plan is an afterthought and their most effective way to deal with a breach is total network shutdown. Unlike other industries, however, a network shutdown in a hospital is more than a financial disaster. It also means that preventative and critical care can not be delivered to patients that may need it. Urgent care will need to be re-routed and lives are put at risk.
As ransomware attacks in healthcare become more sophisticated, the risk to patients and to the business escalates as well. Nearly everyone we spoke to agreed that regular incident response drills are critical. They also stressed that incident response drills should be documented and measured so that the response to a breach improves with each exercise. Extending these drills to include your organization's emergency management team at least once a year engages every party that would be involved in an actual attack, so that they are prepared when one happens.
The Cyber Ops team at a small California health system told us that they run a war room to simulate any previous known incidents and make response and recovery steps part of the team’s “muscle memory” so that nobody goes into panic mode when the next attack happens.
Many of these cybersecurity leaders pointed out that physicians are among the most frequent targets of cyber-attacks because they have access to patient records. They are also among the most vulnerable to a cyber-attack. As one CIO we spoke to said, “a physician is the first person that a hacker will go after because they will open any email”.
One of the more interesting comments we heard came from the Chief Privacy Officer of a large health system in the Northeast. He emphasized the importance of executive leadership understanding and supporting the time and effort needed to create a comprehensive incident response plan. He noted that a solid approach to getting executive support requires accurate articulation of the operational and financial impact of a ransomware attack. Once that impact is understood, executives are far more likely to support a request for the funding and resources needed to prevent a cyber-attack.
One major piece of developing an incident response plan is obtaining a detailed and accurate inventory of all the connected medical and IoT devices on the hospital’s network. Outdated devices are especially vulnerable and can easily be breached by attackers. These devices should be segmented, especially if they are important or have been rendered obsolete (i.e., are no longer in service). Newer devices can be breached as well, so a program to inventory, update, and monitor all connected devices closes off thousands of potential attack vectors and allows hospital staff to respond much more quickly to a potential breach.
The CIO of an acute care services provider expressed concern about an increasingly fragmented vendor landscape that only adds to the complexity of closing off those attack vectors. He also pointed out that some devices are still considered the gold standard even though their technology is out of date, so securing those devices is a real challenge. Nearly all the leaders we spoke with acknowledged this challenge, and how it further magnifies the need to have an incident response plan in place.
Older medical devices that cannot be updated are still being widely used, as the Cyber Operations Manager of a small California health system pointed out. Many hospitals are making concessions to keep those devices in use. She added that there are challenges with how to prioritize which devices are replaced first. Eliminating these blind spots prior to an incident occurring will minimize a hospital’s risk and should be an area of focus for improving cybersecurity posture.
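The two paragraphs above describe an inventory-driven program: segment devices that cannot be kept current or are no longer in service, patch the ones that can be, and decide which unpatchable devices to replace first. As an added illustration (not CyberMDX's code or tooling), the following Python triages a constructed sample inventory into those actions; the 180-day patch threshold, the 1-to-3 criticality scale, and the device records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed thresholds and reference date (assumptions, not from the article).
MAX_PATCH_AGE_DAYS = 180
TODAY = date(2021, 10, 31)

@dataclass
class Device:
    name: str
    in_service: bool              # False = retired/obsolete but still connected
    patchable: bool               # False = vendor no longer ships updates
    last_patched: Optional[date]
    criticality: int              # assumed scale: 1 (low) .. 3 (direct patient-care impact)
    segmented: bool               # already on an isolated network segment

def needs_isolation(dev: Device, today: date) -> bool:
    """A device that cannot be kept current, or is no longer in service, belongs on its own segment."""
    if not dev.in_service or not dev.patchable:
        return True
    return dev.last_patched is None or (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS

def replacement_score(dev: Device) -> int:
    """Higher = replace sooner: clinical criticality first, unsegmented exposure second."""
    return dev.criticality * 10 + (0 if dev.segmented else 5)

def triage(inventory: List[Device], today: date) -> Dict[str, List[str]]:
    """Sort the inventory into the actions the text describes: segment, patch, replace, decommission."""
    isolate = sorted(d.name for d in inventory if needs_isolation(d, today) and not d.segmented)
    decommission = sorted(d.name for d in inventory if not d.in_service)
    patch_overdue = sorted(d.name for d in inventory
                           if d.in_service and d.patchable and needs_isolation(d, today))
    replace = [d for d in inventory if d.in_service and not d.patchable]
    replace.sort(key=lambda d: (-replacement_score(d), d.name))   # highest score first, then name
    return {"isolate": isolate, "patch_overdue": patch_overdue,
            "replace_first": [d.name for d in replace], "decommission": decommission}

# Constructed sample inventory; names and values are illustrative only.
SAMPLE_INVENTORY = [
    Device("infusion-pump-a", True, True, date(2021, 9, 1), 3, False),
    Device("ct-scanner-legacy", True, False, None, 3, False),
    Device("patient-monitor-old", True, False, date(2015, 3, 10), 2, True),
    Device("retired-xray-ws", False, False, None, 1, False),
    Device("lab-analyzer", True, True, date(2021, 1, 15), 2, False),
]

if __name__ == "__main__":
    for action, names in triage(SAMPLE_INVENTORY, TODAY).items():
        print(f"{action:14s} {', '.join(names) or '-'}")
```

The already-segmented legacy monitor still appears on the replacement list but not on the isolation list, which is the distinction the Cyber Operations Manager draws between keeping a device in use and deciding when to retire it.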
In the end, all of these leaders understood the complexities involved in developing an incident response plan. Not surprisingly, they also acknowledged the need to ensure this process is worked out well in advance of a cyber-attack.
How do they make that happen? What does not get done if resources are moved to cyber risk from cost-cutting or revenue-generating initiatives? Who does what, and where can internal teams come together to overcome budget and staffing obstacles? What is the plan?
The conversation continues.
For More Information:
If you want to learn more, below are several sources for your reference.
- White Paper – Obstacles & Opportunities Around Medical Device Security & Visibility
- Vulnerability Advisory – CyberMDX Research Team Discovers Vulnerability in GE CARESCAPE, ApexPro, and Clinical Information Center (CIC) Systems
- Podcast – Protecting Medical Devices from Cyber Attacks
- Video – How Hospital Hacks Happen – Internal Access Points