By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
When will a healthcare organization suffer its first or next cyberattack? The phrasing of that question is intentional because reality has certainly moved into the “it’s a matter of when” phase and the “if” option is gone. Given that an attack needs to be expected, what is being done to enable a ready-to-go response?
Having plans, such as a disaster recovery plan or breach mitigation plan, is one key component. Not only are those plans a good idea, but the HIPAA Security Rule calls for them to be in place: its contingency plan standard covers data backup, disaster recovery and emergency mode operations, along with testing and revising those procedures. That means skipping the step of developing recovery plans will become quite problematic down the road when the inevitable attack occurs and OCR investigates afterward.
Let’s take the operational viewpoint that plans are in place. Is that enough? The short and easy answer is no. The plans need to be tested and operationalized. How can that be done?
Enter Table Top Exercises
One way to test recovery plans and develop much-needed muscle memory to perform when an event occurs is to run exercises that simulate an attack and trigger the steps laid out in a plan.
Do many healthcare facilities or other traditional players in the healthcare industry regularly run these exercises? Probably not, because they can be time intensive, both in planning the scenario and in actually running it. The exercise can be very important and informative though, because the insights gained reveal weaknesses and unexpected strengths, and generally get people used to thinking about what to do in the face of a cyberattack.
A cybersecurity company recently ran a table top exercise at a Black Hat conference, which produced a lot of valuable data points. The exercise established a scenario in which hackers took a hospital offline. The hacking team was given the goal of infiltrating the hospital’s network and remaining undetected for as long as possible in order to take as much data as the group could get. As reported, the hacking team deployed multiple measures to make it harder for the hospital to detect what it was doing. The activities included (i) moving data laterally between internal systems rather than straight out of the network, so that the exfiltration would not stand out as unusual traffic at the perimeter, (ii) stealing admin passwords so that the attackers’ activity looked like legitimate logins rather than an intrusion, and (iii) duplicating stolen files first and taking the copies, so that nothing appeared to be missing and the theft was harder to notice.
While all of the hacking activity was occurring, the hospital team isolated the affected systems and reached out to the “FBI” for help once the problem was identified as a ransomware attack. However, the hospital group did not fully turn off all systems because of the reality that doing so would impact patient care. As noted, this limitation is particularly acute in the healthcare industry, but it is one that must be overcome, not just acknowledged: the response plan needs to say in advance which systems can be taken down and which cannot.
The end result reinforced the understanding that attackers have a much easier job when it comes to cyber issues in healthcare. The attacker only needs to get into one system and can then cause all sorts of havoc. The healthcare organization, by contrast, needs to balance mitigating the harms of the attack with causing as little detrimental impact to patient care as possible.
Familiar to Technology?
The idea of running a table top exercise is not new. It is a concept that has been around for a while and may even be a requirement for a technology company. Where could that requirement come from? If a technology company seeks a SOC 2 report, there is an obligation to demonstrate that all plans are in place, including confirming that the plans can work; the Availability criteria, for instance, expect recovery plan procedures to be tested. How can that be accomplished? By running an exercise to test them out.
Having personally participated in some tests, the test run of implementing and following the response and recovery plans is very informative. For example, the exercise can show where additional training will be helpful and where possible weaknesses lie, such as not having sufficient backups. The lessons learned then enable refinement of the plan.
How to Implement
Implementing good testing certainly takes a lot of time and effort. First, there’s a need to actually come up with the concept for the exercise and begin to identify how to assign the different roles. Then comes the issue of actually finding the time to run the exercise. Once the exercise is launched, there is also the issue of how to divert participants’ attention away from daily operations. These complexities underscore why actually running an exercise may be difficult in reality.
Despite the difficulties though, the benefits to be gleaned from an exercise weigh in favor of going through all of the effort. It is not necessary to run an exercise very frequently, and the scope of the exercise can also be adjusted. For example, a comprehensive one involving many teams could be done once a year, while smaller, more targeted ones could be done more often. It is a matter of what the organization wants to stress test and who it wants to ensure is gaining the training necessary to respond when a cyberattack really occurs.
Promoting Security
All of these activities come down to promoting and embedding security into all operations across every organization. With the threat of a cyberattack a daily concern, everyone must be ready not only to respond, but to proactively recognize the signs of an issue. By continually educating and arming individuals in an organization with knowledge, the organization can demonstrate that it takes risks seriously and is working to minimize the impact when it experiences the unwanted event.
This article was originally published on The Pulse blog and is republished here with permission.