In this three-part series, Academic Health Care CISO Mitch Parker shares his insights on ransomware, incident response and best practices for building a world class prevention program. Read parts one and two.
As I mentioned in my previous articles on ransomware, I have spoken at numerous industry conferences and discussed the growing threat of ransomware with many of my peers. Through this ongoing dialogue, I have identified a number of key considerations and best practices for addressing what has become a serious issue in healthcare. I covered points 1-4 in the second installment of this series and will now cover the remaining points and summarize.
Fifth, healthcare organizations need to have a comprehensive educational plan. This should not just be a one-time email you send to the user community. This needs to be in your organization’s security awareness and training program, which should be updated at least yearly.
Security awareness and training are required under the HIPAA Security Rule. If you are audited because of a security incident, one of the first items the auditor will ask for is your training program and evidence of completion by staff members. This plan should include at least one competency-based training section and a training presentation for departments and business units that covers core policies and procedures.
Sixth, your security strategy needs to include organizational integration. Although there have been a lot of arguments over the reporting structure of the senior information security executive in the organization, the key measure of their success should be their ability to work across traditional boundaries with stakeholders outside of IT.
A ransomware or security incident response plan is not useful if it only involves IT. You need to involve your identified key stakeholders across your organization in plan development, especially the Regulatory Affairs personnel, or else the plan will not be as successful as it should be.
The seventh key consideration is maintenance. Your organization should identify its key applications, know who the key personnel for each of them are, and understand how to maintain them. These applications, along with the other computing devices in your organization, need to be kept up to date. If an application cannot be patched or maintained, for whatever reason, you need to segment it so that it can reach, and be reached by, only what it absolutely needs for business purposes.
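The segmentation point above is easiest to hold to if the "absolutely needs" list is written down as an explicit allow-list and then checked against what the network actually sees. The following is an added example, not code from the article or its author: it models a hypothetical unpatchable application living on 10.50.0.0/24 that needs only its database, an HL7 interface engine, internal NTP, and inbound RDP from a jump host (all addresses, ports and flow records are constructed assumptions), audits sample flow records against that allow-list, and renders the same allow-list as a default-drop nftables chain so the policy has a single source of truth.

```python
"""Allow-list segmentation policy for a legacy application (added example).

Assumptions, not taken from the article: the unmaintainable application sits
on 10.50.0.0/24; it needs a database (10.20.1.15), an HL7 interface engine
(10.20.2.40), internal NTP (10.20.0.5) and inbound RDP from a jump-host
subnet (10.10.9.0/24). Flow records below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # source host or CIDR
    dst: str    # destination host or CIDR
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


LEGACY_SEGMENT = "10.50.0.0/24"

# Hypothetical allow-list: any flow touching the segment that is not listed
# here is a policy violation.
POLICY = [
    Rule(LEGACY_SEGMENT, "10.20.1.15/32", "tcp", 1433),  # application database
    Rule(LEGACY_SEGMENT, "10.20.2.40/32", "tcp", 2575),  # HL7 interface engine
    Rule(LEGACY_SEGMENT, "10.20.0.5/32", "udp", 123),    # internal NTP
    Rule("10.10.9.0/24", LEGACY_SEGMENT, "tcp", 3389),   # jump host -> legacy RDP
]

# Constructed sample flow records: "src dst proto dport", one per line.
SAMPLE_FLOWS = """
# src        dst          proto dport   (constructed, not real traffic)
10.50.0.21   10.20.1.15   tcp   1433
10.50.0.21   10.20.0.5    udp   123
10.50.0.22   10.20.1.15   tcp   445
10.50.0.22   203.0.113.7  tcp   443
10.10.9.3    10.50.0.21   tcp   3389
10.60.0.8    10.50.0.21   tcp   445
10.30.0.2    10.30.0.3    tcp   80
"""


def is_allowed(policy, src, dst, proto, dport):
    """True if some rule in the allow-list covers this exact flow."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in policy:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.dport == dport):
            return True
    return False


def audit_flows(flow_lines, policy=POLICY, segment=LEGACY_SEGMENT):
    """Return flow records that touch the segment but are not on the allow-list.

    Flows that neither start nor end in the segment are out of scope and are
    skipped; blank lines and '#' comments are ignored.
    """
    seg = ipaddress.ip_network(segment)
    violations = []
    for raw in flow_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        if (ipaddress.ip_address(src) not in seg
                and ipaddress.ip_address(dst) not in seg):
            continue
        if not is_allowed(policy, src, dst, proto, int(dport)):
            violations.append(" ".join((src, dst, proto, dport)))
    return violations


def to_nft_rules(policy, table="legacy_seg"):
    """Render the allow-list as an nftables forward chain with policy drop."""
    lines = [f"table inet {table} {{",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} "
                     f"{r.proto} dport {r.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS.splitlines()):
        print("VIOLATION:", v)
    print(to_nft_rules(POLICY))
```

Run against the constructed sample, the audit flags three flows: SMB from the legacy segment to the database host, HTTPS from the segment to an Internet address, and SMB into the segment from an unrelated subnet, which is exactly the lateral movement a ransomware operator relies on. The web-server flow on 10.30.0.0/24 is ignored because it never touches the segment. Feeding real NetFlow or firewall logs through the same check is a cheap way to find out whether the segmentation you believe you have actually exists.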
Each of these applications needs downtime procedures, and you need to work with your customers and stakeholders to ensure that they develop, maintain, and exercise those procedures, so that when an event occurs they are prepared and able to function. The yearly Hazard Vulnerability Analysis required by the Joint Commission can be used to measure and evaluate this.
The eighth best practice is defense in depth. Your organization needs to implement a well-maintained strategy with layers of defense at multiple levels to protect organizational assets, detect potential threats, and minimize the damage from attacks.
This starts with risk assessments and finishes with the tactical mitigations: anti-malware, network segmentation, firewalls, intrusion detection/prevention, SSL/TLS inspection, proxy servers, identity and access management, and other defensive tools. The strategy needs to be continually evaluated for effectiveness; buying a product does not by itself make a layer effective.
The ninth, and most critical, key consideration is to stay informed. There are multiple channels where you can find information about cyber threats to the healthcare sector.
These include Infragard (www.infragard.org), the National Cyber-Forensics and Training Alliance (www.ncfta.net), FBI (www.fbi.gov), HITRUST CyberRX (hitrustalliance.net/cyberrx), National Health Information Sharing and Analysis Center (NH-ISAC) (www.nh-isac.org), the College of Healthcare Information Management Executives (CHIME) (chimecentral.org), and the American Hospital Association (www.aha.org).
You should also know who the other security executives in your market are, how to contact them, and attend local meetings of your ISSA, Infragard, CISO Executive Network, or (ISC)2 chapters to network and share threat information with each other.
If you follow these steps, you should be able to craft a strategy for your organization that will help you not only face the threat of ransomware attacks, but also have a plan in place for other security incidents.
With the ever-increasing number of security vulnerabilities, threat actors exploiting them, and the emphasis on shipping products and fixing them later, there will always be attacks with the potential to cripple healthcare organizations. Your strategy should be to have a plan, and not to rely on magic bullets to find and fix issues. Eventually those tools will fail, and you will be left to rely on your plans.
It is important to integrate security with the rest of your organization and to develop plans and strategies that address ransomware and what to do when an event occurs and your defenses fail. This will help your healthcare organization meet its HIPAA/HITECH and Joint Commission requirements for Risk Management, Risk Mitigation, Information Management, and Downtime Procedures.