4 ways hospitals should respond to hacker strikes

Published June 10, 2016, 8:28am EDT

Provider organizations need a plan to minimize damage, react constructively.

The Day After: How Hospitals Should Respond to a Cyber Attack

Cyber criminals try to hack providers for a variety of reasons—they may want personal medical records; associated information of value, such as debit and credit card numbers and Social Security numbers; and even biomedical research for intellectual property theft. A new report from KPMG, “The Day After,” examines a four-phase approach to remediation that organizations can use in the hectic hours after discovering a cyber attack. Those phases are react, respond, transform and sustain.

What not to do

Often, organizations respond in ways that help attackers—for example, they report a breach before understanding where the threat originated, what the goal of the attack was, and which parts of the infrastructure were compromised. “It is critical to get a handle on an attack’s total scope,” KPMG says. “Another mistake is tipping one’s hand to the attackers too early. Letting attackers know they’ve been detected could cause them to utilize more covert communication mechanisms that make it harder not only to expel but to detect them.”

React: Understand what happened

After a breach is discovered, take time to understand the scope of infiltration. Collect and preserve evidence using forensic methods. This phase identifies points of exfiltration, assesses the extent of damage and brings in law enforcement.

React: Take a pause

The main goal is to detect and stop further damage. Addressing only the immediately identifiable problem, and doing so too soon, may stop damage locally where the attack was discovered while allowing it to continue in other parts of the infrastructure, according to KPMG. For example, an attacker who has gained administrative-level access can continue to steal patient records and intellectual property for months or years.

Look back

Don’t just focus on what is happening now, but look back to find previously undetected reconnaissance attacks on the internal network as well as the original delivery and exploitation methods. “Some detection methods include packet-level analysis of network logs and behavior/static malware analysis of suspicious binaries.”

Respond: Address concerns and security gaps

A response plan should begin before an attack even occurs, with a governance program that defines how tactical remediation will be handled. A key component of that program is a root cause analysis that studies vulnerabilities in systems, holes in external-facing servers and potentially compromised machines, even if unrelated to the attack.

Respond: Add appropriate new defenses

The goal of the plan is to ensure the current root cause is addressed while improving the security posture by adding more sophisticated monitoring and analytical capabilities; looking at next-generation authentication procedures; revamping incident response plans; getting support from weekly cyber intelligence meetings; and upgrading forensics labs, equipment and staff.

Transform: Improve organizational perspectives

“Use successful attacks as catalysts to build cybersecurity into an organizational imperative,” KPMG advises. “A CISO should be appointed, a security operations center should be implemented, and a response plan should be created and tested. A comprehensive technical remediation program should be devised to address vulnerabilities stemming from access control, encryption, unsecured medical devices and lax technology usage policies.”

Transform: Define security

Security programs should not focus on defending the network but on protecting sensitive patient data. “Classifying data, mapping it to regulations, controlling who has access and when, and moving to next-generation authentication measures should all be part of a cybersecurity transformation solution undertaken during the first year after an attack,” KPMG says.

Sustain: Constantly monitor

Even if an organization survives an attack without sustaining lasting operational and reputational damage, efforts cannot stop. It should implement a monitoring program to halt future attacks early.

Never take your eye off the ball

Dedicated staff should be assigned to security tasks and held accountable for results, according to KPMG. “Metrics and key risk indicators must be measured and reported on a regular basis. Finally, all activities should be assessed and adjusted at regular intervals.”