HSCC Creates Operational Continuity Checklist For Navigating Cyberattacks

HSCC’s latest guide provides tips for maintaining operational continuity amid a serious cyberattack.

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) released a checklist to help healthcare staff and executives preserve operational continuity while recovering from a serious cyberattack. One week prior, HSCC released guidance on medical device vulnerability communications.

Healthcare organizations can use the Operational Continuity-Cyber Incident (OCCI) checklist to maintain business continuity even amid an extended enterprise outage, HSCC explained. The checklist, created by the Incident Response/Business Continuity (IRBC) Task Group of the HSCC’s CWG, is meant to serve as a living document that can be altered based on stakeholder feedback and experience.

“As the IRBC Task Group was being stood up, it was clear that geopolitical tensions from the Ukraine-Russia conflict were introducing a higher threat level to the health sector, calling for heightened awareness and immediate preparations against potential disruptions to health care delivery,” the document began.

“Accordingly, through the IRBC TG the HSCC created this tactical checklist with an accelerated development cycle to anticipate the potential for an extended outage in the event of direct cyber-attacks or collateral fallout and put it into the hands of our stakeholders as quickly as possible.”

In late April, the Cybersecurity and Infrastructure Security Agency (CISA) once again sounded the alarm on Russian state-sponsored cyber threats. CISA urged critical infrastructure organizations to patch all systems, secure Remote Desktop Protocol (RDP), and implement multifactor authentication.

Even without a direct cyberattack against US healthcare organizations, the American Hospital Association (AHA) suggested that the sector could become collateral damage to Russian-deployed malware.

With geopolitical tensions in mind, HSCC’s guide tackles the possibility of a “prolonged massive disruption,” which it defined as an incident that potentially impacts patient safety and clinical workflows.

HSCC split up its guide based on various roles within an organization. For example, an “incident commander” should be appointed to provide “overall strategic direction on all site-specific response actions and activities.”

In this position, HSCC recommended that the incident commander first identify the scope of the incident and establish a cadence and process for coordinating with IT and cybersecurity teams. Within the first 12 hours, the checklist suggested that organizations activate downtime plans and communicate with partner organizations about downstream impacts.

Meanwhile, the assigned medical-technical specialist should engage with risk management and legal experts to advise the incident commander on appropriate response measures and compliance actions.

The public information officer serves “as the conduit for information to internal and external stakeholders, including site personnel, visitors and families, and the news media,” the checklist explained.

The public information officer should receive briefings and develop internal and external communications and crisis communication plans. The officer should also collaborate with public relations (PR) professionals and provide information to media outlets.

Other suggested roles included a liaison, a safety officer, a finance section chief, and a logistics section chief to perform various recovery duties. The roles accounted for recovery time objectives, communications, and even ensuring that food and water would be available for patients, staff, and visitors.

Implementing a cyber incident response plan is required under HIPAA, but the recent uptick in cyberattacks suggests that organizations should be even more prepared to put their plans to use. Thinking through each element of incident response and recovery and determining roles and responsibilities can help organizations maintain business continuity even in the middle of a cyberattack.
