In this three-part series, Academic Healthcare CISO Mitch Parker shares his insights on ransomware, incident response and best practices for building a world-class prevention program. Read part one.
As a preamble to this list of key considerations and best practices, let me first say that all organizations should plan to be attacked. While there may be many solutions in the marketplace that claim to stop ransomware, eventually they will fail. There will always be an exception to the rule that will make it past your defenses and cause damage.
You need to be able to react, and not point the finger at a product for not protecting your network. You need to have Defense in Depth and comprehensive incident response and downtime plans that address your HIPAA/HITECH and Joint Commission requirements. Neither a product nor a one-page document describing that product's protections will satisfy these requirements.
First, you need good incident response teams that can handle these events. When we developed our teams, one of our key goals was a cross-disciplinary team that included our IT department, communications, emergency management, and nursing, so that we had input and support from critical stakeholders both in IT and in the rest of the organization.
We also had a Tech Team made up of the customer support, tech services/system administration, and networking teams to triage issues. This is critical for managing both the application and technology aspects of an attack.
Secondly, you need to understand how your organization communicates. One of the major issues with security is that there are often multiple communications methods to reach the right people. When we brought in the communications, emergency management, and nursing team members, we adapted our incident response plan to utilize the Hospital Incident Command System (HICS).
This step allowed us to hook into the existing communications infrastructure, including a leadership communications structure that we could use to notify people of the event. Most importantly, it puts incident response into a structure that health care organizations already know how to use.
However, IT departments need to make sure that there is a “point person” designated to interface between them and the HICS leadership structure for ransomware attacks, and that the person understands their role.
Third, it is critical to hold tabletop exercises to gauge readiness. You need to understand how your organization works and where its gaps are, so that you can resolve them and your team can build the plan. You also need to understand who to empower to make decisions, and why.
Fourth, you need a comprehensive incident response plan. This incident response plan needs to address the following areas:
- Initial Triage – how to determine whether a PC on your network has been infected and what channels will be notifying you
- Tech Team Notification – how to notify key tech team stakeholders that there is a potential ransomware attack
- Asset Discovery – identifying key asset information (PC Name, IP address, MAC address, physical location, jack number/switch port)
- Quarantine – how to isolate this PC from the rest of the network to prevent further damage and minimize business impact
  - Also, you should include how to isolate any potential evidence for law enforcement or information security
- Footprint Discovery – identify what mapped network shares and applications the infected resources had access to
- Footprint Examination – comprehensive examination of resources to determine impact
  - Develop a checklist for your organization to examine critical applications and resources in addition to just mapped drives
- Determination – make the determination as to whether or not you have been attacked
- Application Owner Notification – notify the application owners of any affected resources of the issue and its impact on their application resources
- Containment – determine how to best contain the infection and make the recommendation to your “point person”
- Application Triage – triage damage and prepare initial estimates, along with downtime and Mean Time To Recovery (MTTR)
- Stakeholder Notification – notification to organization stakeholders, such as the administrator on call, that there is an impact, and for them to communicate with their key teams
- Customer Communication – notify customers that there is an issue and provide instructions on what to do
  - Ideally provide this out of band using secure text messaging and have templates ready with your communication/call center
- Downtime Procedures – have affected customers go to downtime procedures for the affected processes and applications until successful restoration and testing
- Application Restoration – restore affected applications to a usable state, test their status, and periodically update customers on status, including what may and may not be functional
- Restoration of Service – end of Incident
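The Asset Discovery, Quarantine, Footprint Discovery/Examination and Application Owner Notification steps above are the part of the plan a tech team can script so that nobody is hunting through spreadsheets at 2 a.m. The following Python is an added example, not code from the article or the author's organization: it joins constructed stand-ins for a DHCP lease export, a switch MAC-address table, drive-mapping log lines and an application inventory (all hostnames, addresses, shares and owner addresses are made up) to produce the asset record the plan asks for, the quarantine ticket for the network team (with the evidence-preservation note from the plan), the footprint of shares and applications the PC could reach, the owners to notify, and the other hosts that mapped the same shares, which are the first places to check during Footprint Examination.

```python
"""Asset and footprint discovery for a ransomware triage playbook (added example).

All data sources below are constructed samples standing in for a DHCP lease
export, the switch MAC-address table, drive-mapping logs and an application
inventory; in a real playbook each would be pulled from the live system.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed DHCP lease export: hostname -> (ip, mac)
DHCP_LEASES = {
    "NURSE-WS-0142": ("10.20.31.142", "00:1a:2b:3c:4d:5e"),
    "PHARM-WS-0007": ("10.20.40.7", "00:1a:2b:3c:4d:99"),
}

# Constructed switch MAC table: mac -> (switch, port, jack number, physical location)
SWITCH_MAC_TABLE = {
    "00:1a:2b:3c:4d:5e": ("sw-tower3-idf2", "Gi1/0/17", "3E-217-B", "Tower 3, Nursing Unit 3E, Room 217"),
    "00:1a:2b:3c:4d:99": ("sw-pharm-idf1", "Gi1/0/3", "PH-101-A", "Pharmacy, Room 101"),
}

# Constructed drive-mapping log: one line per share each host mapped at logon
DRIVE_MAP_LOG = """\
2016-05-12T08:02:11Z NURSE-WS-0142 mapped H: -> \\\\fs01\\home\\jdoe
2016-05-12T08:02:12Z NURSE-WS-0142 mapped S: -> \\\\fs01\\nursing3e
2016-05-12T08:02:13Z NURSE-WS-0142 mapped P: -> \\\\fs02\\pharmacy\\orders
2016-05-12T08:05:40Z PHARM-WS-0007 mapped P: -> \\\\fs02\\pharmacy\\orders
"""

# Constructed application inventory: share -> [(application, owner contact)]
APP_INVENTORY = {
    "\\\\fs01\\nursing3e": [("Nursing Documentation", "nursing-apps@example.org")],
    "\\\\fs02\\pharmacy\\orders": [("Pharmacy Order Interface", "pharmacy-it@example.org")],
}


@dataclass
class AssetRecord:
    """The Asset Discovery fields the plan calls for."""
    pc_name: str
    ip: str
    mac: str
    switch: str
    port: str
    jack: str
    location: str


def discover_asset(pc_name: str) -> AssetRecord:
    """Asset Discovery: join the DHCP lease and switch MAC tables on the PC name."""
    if pc_name not in DHCP_LEASES:
        # Fail loudly: a host with no lease record needs manual discovery, not a guess
        raise LookupError(f"{pc_name}: no DHCP lease on record, escalate to manual discovery")
    ip, mac = DHCP_LEASES[pc_name]
    switch, port, jack, location = SWITCH_MAC_TABLE[mac]
    return AssetRecord(pc_name, ip, mac, switch, port, jack, location)


def parse_drive_map_log(log: str) -> Dict[str, List[str]]:
    """Footprint Discovery: build host -> [UNC shares mapped] from the log lines."""
    shares: Dict[str, List[str]] = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "mapped":
            continue  # skip malformed lines instead of crashing mid-incident
        host, unc = parts[1], parts[5]
        shares.setdefault(host, []).append(unc)
    return shares


def footprint(pc_name: str, log: str = DRIVE_MAP_LOG) -> dict:
    """Footprint Discovery and Examination: shares the PC reached, the applications
    behind them, their owners, and other hosts that mapped the same shares."""
    shares_by_host = parse_drive_map_log(log)
    shares = shares_by_host.get(pc_name, [])
    apps = sorted({app for s in shares for app, _ in APP_INVENTORY.get(s, [])})
    owners = sorted({owner for s in shares for _, owner in APP_INVENTORY.get(s, [])})
    neighbours = sorted(h for h, hs in shares_by_host.items()
                        if h != pc_name and set(hs) & set(shares))
    return {"shares": shares, "applications": apps, "owners": owners,
            "hosts_sharing_exposure": neighbours}


def quarantine_action(asset: AssetRecord) -> str:
    """Quarantine: ticket text for the network team. Shutting the access port
    isolates the PC while leaving it powered on so evidence is preserved."""
    return (f"Disable {asset.switch} port {asset.port} (jack {asset.jack}, {asset.location}); "
            f"leave {asset.pc_name} powered on and untouched for evidence collection")


def triage(pc_name: str) -> dict:
    """Run the scriptable steps for one reported PC and return the combined record."""
    asset = discover_asset(pc_name)
    return {"asset": asset, "quarantine": quarantine_action(asset), **footprint(pc_name)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage("NURSE-WS-0142"))
```

The design choice worth noting is the `hosts_sharing_exposure` list: the plan's Footprint Examination step is about more than the one infected PC, and the cheapest first lead on spread is every other host that had the same shares mapped, since an encrypting process on the first PC reaches those shares with the user's own permissions.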
Solid communication and incident response plans are key to addressing ransomware attacks, but there are a number of other key considerations that should be built into a strong security program. In part three, I will go through the remaining best practices and key factors that I have identified after extensive discussions with other security executives and industry thought leaders.