In May the Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) collectively created a tactical guide for how healthcare organizations can manage their cybersecurity threats during a crisis like COVID-19. During a crisis, the way your company works, specifically your technology and processes, can change dramatically. These changes create new attack surfaces and vulnerabilities.
The Health Industry Cybersecurity Tactical Crisis Response Guide (HIC-TCR) is a 30-page manual created to advise health providers on tactical response activities for managing the cybersecurity threats that can occur during an emergency. Smaller organizations can use it as a list of activities to consider implementing, and larger organizations can use it as an evaluation of their already-existing plans.
We explored the Guide and highlighted some key areas that correlate with best practices we see across our clients’ industries.
The biggest takeaway is this: you absolutely need to bring in your IT provider or staff and ask them “What are we doing in these areas?” Making sure you have a plan can avoid the downward spiral IT security typically takes in a crisis.
Four Focus Areas
The HIC-TCR outlines four main areas to leverage techniques, practices, and activities during a crisis. If you’re familiar with NIST’s Five Functions of the Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), these should resonate.
Education and Outreach
Any proper response begins with communication. The Guide stresses the need for communicating using multiple methods, channels, and with different groups based on needs.
The Guide suggests your communication plan should include the following components:
- Organizational Leadership Communication Plan
- IT Leadership Communication Plan
- Clinical Leadership Communication Plan
- All Users Communication Plan
- External Communication Plan
Policy & Procedure Review
The Guide reminds organizations that “exceptional circumstances might pressure existing policy structure. Though it is important for cybersecurity teams to be flexible...they also, at a minimum, must track these exceptions during any crisis to guide the organization back to normalcy once the crisis is over and inform continuous improvement processes.”
The Guide suggests ten elements to consider when modifying policies:
- Collaborate with emergency management, Legal, Compliance, IT and related stakeholders
- Consider regulatory obligations and enforcement resumption
- Review and update these policies: Remote Work, Access Control, Acceptable Use, Password, Multifactor, and Identity Governance
- Consider policies that allow collaboration with external / third-parties to improve operations
- Document any changes to your Security Assessment so you can revert those changes after the crisis, if needed
- Allow for temporary or permanent deployment of file sharing technologies, but track and assess these for improvements and security
- Consider augmenting your IT or cybersecurity staff in order to scale up, meet demand
- Update policies around adding volunteers or temporary staff
- Update policies around physical security of IT assets or mitigating controls
- Update procedures on quickly and securely activating/deactivating locations to support operations
Prevention is the goal. While your organization should already have certain preventive safeguards in place (e.g. access control, firewalls, etc.), this section of the Guide focuses on enhanced protection for five specific areas:
- Limiting Potential Attack Surfaces
- Bolstering Remote Access
- Leveraging Threat Intelligence Feeds, Sources, and Confidence Levels
It’s been said often: “security teams must defend every entry point into an organization’s assets, but a hacker only needs to find one.” The section of the Guide on limiting potential attack surfaces includes helpful techniques around: vulnerability management, accelerating patching, medical device security, vendor management, and endpoint protection.
Remote workforce operations increase during a crisis, and sometimes they’re the primary communication means. The Guide recommends securing your remote access through multi-factor authentication (such as with VPN, RDP, VDI) and general authentication (such as limiting single-factor vendor/system account access)
Finally, your organization’s threat environment can change quickly during a crisis. Leveraging threat intelligence feed technologies, such as Trusted Automated eXchange of Indicator Information (TAXII), next-gen firewall feeds, or SIEM and SOAR systems, can automate the blocking of known malicious threat actors. The Guide lists several credible feed sources, including H-ISAC, CISA AIS, and SANS.
Enhanced Detection and Response
As you’ve seen at your organization and others, however, not all attacks are preventable.
Your organization must be able to detect successful attacks and respond quickly.
This could include updating your detection schemes by adding or improving existing technologies, and improving your incident response team by granting the authority to direct others’ actions in order to take command during a crisis.
Your detection capabilities include visibility into logs, so make sure you leverage your central repository or SIEM for things like remote access (VPN, Citrix, VDI, RDP, etc.), firewall, multi-factor, Windows Active Directory / LDAP / Central Authentication Systems, and network access control logs.
Once you have your alerts and logs sorted, monitor things such as failed logins, failed multi-factor, check remote device encryption and patching, and establish and monitor your network traffic baselines.
Here are some considerations for your Incident Response team:
- Quickly remove malicious e-mail messages, files, or attachments from email systems,
- Reset user account passwords that have been victimized by phishing attacks, and reset all active connections associated with those credentials
- Feed phishing attacks with honey credentials and track the source IPs that are attempting to access your organization’s assets
- Remove endpoints from the network (wired, wireless and remote) that are identified with malware
- Update your firewall rules and block known malicious IP addresses detected through your detection mechanisms
- Update signatures to detect and block malicious files or traffic before it can access or execute on a host
- Block malicious domains and IP addresses so that hosts cannot resolve and communicate with those remote endpoints
Take Care of the Team
Teamwork is a necessity, and is even more critical as situations can change rapidly during a crisis.
Taking care of your team means ensuring your organization’s plans can adapt to the remote work environment to continue business operations, and that the safety and well-being of the entire team is protected while maintaining privacy among employees.
During a crisis, mental and physical health, job security, and financial stability are your employees’ top concerns. You can address these concerns by communicating early and directly with your employees and sharing what your organization will do to support them as things unfold.
For communication, identify your primary and backup communication tools and backup plans with the team. Use a platform that provides informal and consistent collaboration and conversation, such as Zoom or other platforms that offer video and chat. Establish a regular meeting frequency for group and individual conversations and tailor information to employee sub-groups as needed.
Clearly define staff roles, especially changes that stick as a result of the crisis. Communicate staff responsibilities within and outside of your department to stakeholders. If needed, secure some temporary staffing to supplement workforce roles or duties that aren’t being met.
Your employees' health should be your top priority. Monitor your team’s conditions and their environment and stay in touch with your people and listen to their concerns. Consider things like:
- Making sure communication addresses employee and family needs of those impacted by the crisis. Your team members may need additional time or may not be able to fully engage in their work.
- Creating a two-way communication channel to get feedback from your team on a regular basis to ensure their needs are being met.
- Monitor and limit work shifts to less than 12 hours if possible. Long shifts can lead to a disturbed body-clock, shortened and distorted sleep, more errors, reduced productivity and morale, turbulent family and social life, and a mindset that discounts cybersecurity hygiene and safety.
- Communicate prioritization of your team’s well-being to reduce burnout, keep your team engaged, and reduce stress.
For your remote workforce, share work tips and tricks around developing activity schedules, having a designated workspace and setting work/life balance, while encouraging exercise and breaks. Provide your team with regular remote information security guidance and make your team aware of existing policies that apply to remote work.
Acknowledge and recognize that remote work can increase isolation, anxiety, and other feelings. Ensure your team feels appreciated. Provide them the necessary equipment, resources, tools, connectivity or possibly temporary workspace they need to perform at their best. Assign projects and tasks requiring collaboration with other team members to keep the team connected. Consider offering additional training, town halls or guest speakers to help employees feel engaged, and support continuous learning (and maintain that continuing education requirement!).
This Guide is a great, top-down whole-program approach to an organization’s crisis response. It caps off everything with a list of resources available to all organizations to help with planning response and surviving the melting point of a crisis.
If you’re a hospital or practice, our blog on COVID-19 Impacts on HIPAA is a condensed timeline that addresses HIPAA-specific updates you should be aware of.
If you want to talk about how we can help you address the items in this Guide through a HIPAA Security and Privacy Assessment, please let us know.