Swift Response Can Limit Cyber Attack Damage
By Selena Chavis
For The Record
Vol. 29 No. 8 P. 18
Industry professionals weigh in on the characteristics of a well-honed response plan.
Cyber attacks pose a clear and present danger for today's health care stakeholders. In fact, the threat is so mainstream that many industry professionals suggest the question is no longer whether an attack will occur but when.
On an organizational level, response plans provide the foundation for an effective defense and mitigation strategy. Sharecare's Jim Bailey, president of the company's health data services business unit, says that although organizations of every size and industry are under a constant barrage of cyber attacks, "In the event that one of these is successful at breaching your defenses, a cyber response plan, or incident response plan as we call it, can drastically impact the outcome of the attack. The complexity of systems, networks, and applications can be difficult and time consuming to properly inspect and recover from a cyber incident."
Time is definitely not on a health care organization's side when a cyber incident presents itself, says Sandy Garfinkel, JD, founder and chair of the Data Security and Privacy Practice Group at the law firm Eckert Seamans Cherin & Mellott. "Breach response is a game that is played against the clock. The longer it takes to investigate the incident, round up response team members and decision makers, identify affected people, marshal resources, and create and issue notifications, the greater the exposure to an entity," he explains, adding that exposure comes from many directions, including private claims, regulatory investigations, and shareholder actions.
Therefore, readiness is critical to minimizing fallout, says Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, vice president of privacy, compliance, and HIM policy with MRO, a disclosure management firm, adding that health care organizations must be vigilant and proactive in their efforts through incident response teams. "At MRO, we have a privacy and security incident response team and a data protection steering committee," she notes. "To be proactive, the data protection steering committee is looking at incidents that have happened in the health care environment and asking: What if this happens to us? We modify process and policy as needed to assure readiness."
Anthony Murray, CISSP, vice president of IT at MRO, says these kinds of specific "what if" scenarios are increasingly important to a well-honed cyber response plan. "What we are seeing is the need to really become more specific about events and the types of incidents that are occurring in the world today," he says. "Some of the reasons plans tend to fail are that they have very general guidelines and general behavior. In order to really be effective today, what we want are very specific duties and responsibilities."
Without this kind of attention to a cyber response plan, Bailey says there are many consequences, including a direct financial impact. There are indirect consequences as well. For example, organizations may have to expend resources to keep customers and business units updated on system impact. Organizations also can face fallout from downtime, containment time, recovery time from sensitive record breaches, and compliance or contractual penalties.
Cyber Response 101: Laying the Foundation
Cyber response should be part of an organization's general governance plan, Murray says. Industry professionals suggest the following components are foundational to any cyber response strategy: establishing an incident response team, preparation and prevention, procedures following incident identification, and response protocols.
Incident Response Team
According to Garfinkel, a high-performing team consists of the following:
• a corporate team leader;
• legal and/or outside counsel;
• communications/public relations; and
• risk management.
Depending on the nature of the incident, other departments and outside resources are typically necessary. For example, if an organization has cyber liability insurance, Bowen points out that the carrier will need to be notified.
Preparation and Prevention
Murray says often the best defense is a proactive offense. Health care organizations should put the time in to adequately build staff competency and then deploy the tools, technologies, and techniques needed to minimize "attack surfaces."
Procedures Following Incident Identification
After a breach or an incident is identified, Garfinkel says cyber response teams will need to answer key initial questions such as the following:
• Who will notify everyone on the team?
• Where will the team meet?
• How will remote team members be brought into the discussion?
Once an incident is identified, response protocols begin immediately, Murray says, noting that team members must quickly confirm the incident and the source. Then containment and isolation begin. "This is where you begin your analysis and minimize the impact by limiting data that could be in danger," he explains. Teams can then move on to threat eradication, clean up, and recovery—or getting back to normal. Communication strategies for notifying those impacted by the breach are enacted, followed by postincident analysis.
Garfinkel spells out the following seven response protocols:
• confirm the incident and source;
• identify cause, preserve evidence;
• enact communications plan—both internal and external;
• notify those affected and regulators;
• prompt internal reporting; and
Murray says that, by and large, health care organizations understand and embrace these strategies, albeit in silos—often in departments that play a critical role in privacy and security. "The challenge in health care is: How do we spread that message across the entire organization? How do you get the operational people tuned in well enough?" he says.
Bowen says privacy and security is a responsibility of all staff, not just IT. "This way, if an event, such as a phishing e-mail, occurs, then employees are knowledgeable, recognizing the event and reporting the event accordingly to the appropriate responsible party. To assist MRO employees in recognizing and assuring the validity of e-mail senders before opening attachments or clicking links, we have set all e-mails from outside of the MRO network to be marked with a statement identifying them as originating outside of the MRO organization," she says. "It's important to have that constant awareness."
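One way to implement the external-sender marking Bowen describes, as an added example that is not MRO's configuration or code from the article: an Exchange Online mail flow rule that tags the subject and prepends a banner on any message from outside the tenant, plus Outlook's native external-sender callout. It assumes the ExchangeOnlineManagement module, a suitably privileged admin account, and placeholder rule name and partner domain.

```powershell
# Added example (not MRO's own configuration): mark every message that enters
# the tenant from outside the organization so recipients can see at a glance
# that the sender is external. Assumes the ExchangeOnlineManagement module and
# an account holding the Transport Rules management role.
Connect-ExchangeOnline

# Option 1: a mail flow (transport) rule. -FromScope NotInOrganization matches
# senders outside the accepted domains; -SentToScope InOrganization limits the
# rule to internal recipients so outbound mail is left untouched.
$banner = '<p style="background:#fff3cd;border:1px solid #ffc107;padding:6px;">' +
          'CAUTION: This e-mail originated from outside the organization. ' +
          'Do not open attachments or click links unless you recognize the ' +
          'sender and know the content is safe.</p>'

New-TransportRule -Name 'Tag external senders' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0 `
    -Comments 'Phishing awareness control: mark mail originating outside the tenant'

# Option 2: Outlook's built-in external-sender callout, which flags the message
# in the client without rewriting subject or body. -AllowList exempts trusted
# partner domains; 'partner.example' is a placeholder.
Set-ExternalInOutlook -Enabled $true -AllowList @('partner.example')

# Verify the rule was created and is enabled.
Get-TransportRule -Identity 'Tag external senders' |
    Select-Object Name, State, Priority, FromScope, SentToScope
```

Send a test message from a personal mailbox to confirm the tag appears, and review the allow list periodically so exempted partner domains do not quietly become an untagged path.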
Ongoing Maintenance and Sustainability
Bailey points out that health care security is a fluid situation in which all plans should be treated as "living documents," regularly undergoing review, updates, and tests. "Maintenance ensures vendors and key internal and external contact information are up to date," he says. "Additionally, threats are constantly changing, so they need to be addressed appropriately in the incident response plan."
For example, if incident response team members are constantly in "firefighting mode," they will spend valuable time reacting and responding rather than updating and testing critical plans. Bailey says the value of the plan is diminished if it cannot be depended on for accurate content.
Murray points out that ongoing sustainability starts with executive buy-in that ensures the funds are available to deploy a properly staffed cyber response plan. To keep plans up to date and relevant, staff must be dedicated to staying ahead of state and local laws and specific changes in the health care space. "Plans have to be tweaked on an ongoing basis," he explains. "Ransomware is continually evolving. Organizations may need to bring in new technologies that address changes and new threats."
Only a year and a half ago, MRO's response to ransomware, specifically, was not very formalized, Murray says. As the organization walked through an infrastructure refresh, it took the opportunity to build up technologies and recovery capabilities that would provide much more granular recovery point objectives. This enables more frequent data backups, much greater precision, and quicker restoration. Now the organization has a more formalized ransomware plan that helps keep it from landing in a position where it would have to negotiate for data or accept a loss of data.
Garfinkel says that while there are publicly available resources to help entities formulate a cyber incident response plan, the best approach is to utilize the services of a lawyer with experience in incident planning and response. "This gives companies the best opportunity for providing an effective plan that is tailored to a particular entity's structure and purpose," he says.
The Critical Role of Testing
Industry professionals agree that cyber incident response plans are most effective when they are practiced prior to the occurrence of an actual incident. "Again, speed is of the essence in cyber incident response, and drilling on the execution of the plan makes a company that much more nimble and prompt when an actual cyber incident occurs," Garfinkel says.
Without testing an incident response plan, Bailey says an organization is largely negating the reason for having one in the first place—quick, appropriate, and thorough response. "Time wasted in the event of an incident because the plan hasn't been tested or is outdated could be time spent investigating, containing, and eradicating the issue," he points out. "This poses a direct financial impact where every minute of downtime equates to tens of thousands of dollars in lost revenue for many systems."
Murray notes that testing helps keep processes and protocols fresh. It allows organizations to ensure all team members know the role they play and determines whether each role makes sense in execution. "You can't do that by just documenting it out and going over it once a year with people in a room," he says.
Making Changes on the Fly
Ongoing maintenance and testing strategies position health care organizations for the best possible response, although Garfinkel acknowledges that most data security experts believe hackers are ahead of the game in terms of technological sophistication and pure creativity. "We cannot realistically hope to keep up with cyber criminals, who continually demonstrate their ability to breach almost any system," he says. "Attacks are constant and ubiquitous, occurring in every type of industry and in every size and type of entity."
It's difficult to account for every possible scenario, therefore "adaptability is a must," Bailey says, adding that security analysts cannot always make predefined protocols fit every incident. "The plan should account for the most likely threats but allow for certain secure deviations and management exception processes," he explains. "The threat actors aren't playing by the rules, so it's necessary to have a plan able to counter their moves."
Garfinkel points to the recent surge in ransomware attacks, which are different from more traditional malware attacks that seek only to extract information. "Flexibility and quick thinking are needed to respond effectively, as 'curveballs' are more the rule than the exception. A team leader, working in conjunction with legal counsel, should be prepared to go off-script when circumstances require," he says.
All health care organizations should be aiming for constant improvement, Bailey says, noting that threat vectors should be under continuous evaluation. "Penetration testing, open bounty programs, internal testing, and following critical security publications allow an organization to stay ahead of current threats and work on efforts to counter them," he says. "Daily, weekly, and monthly tasks are carried out by security analysts just to identify and counter these new threats."
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications, covering everything from corporate and managerial topics to health care and travel.
PRIVACY AND SECURITY: MORE THAN CYBER RESPONSE
The uptick in cyber attacks means health care organizations must be in a constant state of vigilance. Yet industry experts are quick to point out that privacy and security is much more than cyber response. A recent incident yielding a $2.4 million fine at Texas-based Memorial Hermann Health System underscores this reality.
The settlement, along with a corrective action plan, is the result of the improper disclosure of a patient's name to the media in 2015. After a patient presented a fake Texas driver's license at an appointment, Memorial Hermann staff reported the suspected forgery to police. Health and Human Services launched an investigation after news accounts reported the incident as a possible violation of the patient's rights, and concluded that the health system had acted within the bounds of the law.
However, Memorial Hermann later issued a press release defending its actions that included the patient's name. That disclosure did, in fact, violate HIPAA.
"It's one of the dangers of linking this all to cyber and computer incidents," cautions Anthony Murray, vice president of IT at MRO. "It highlights the fact that privacy and security is and has to be an enterprisewide conversation, and everybody has to have accountability to the process. You want to make sure you are giving your employees the right tools to make good decisions, especially when there is an adverse event."
Sandy Garfinkel, founder and chair of the Data Security and Privacy Practice Group at the law firm Eckert Seamans Cherin & Mellott, says the improper disclosure of the patient's name did not occur in the heat of responding to an incident. Instead, administrators appeared to have made the mistaken assumption that other public disclosures of the patient's name relieved the hospital of its duty to maintain confidentiality. "Therefore, this is a case suggesting the need for more careful training of communications personnel on the laws and regulations governing privacy of patient information than an issue one encounters during the scramble of a cyber incident response," Garfinkel says. "That said, communications and public relations departments are a crucial part of the cyber incident response team, and their external messages should be vetted by appropriate team members and legal counsel before they are publicized."