Getty Images/iStockphoto

Guide to Healthcare's Security Tactical Crisis Response, Amid COVID-19

HSCC and the H-ISAC jointly shared tactical guidance for the healthcare sector on how to manage cybersecurity threats that arise amid an emergency, such as COVID-19 pandemic.

The Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) jointly released guidance for healthcare entities, on ways to manage their cybersecurity tactical crisis response during an emergency, such as the COVID-19 pandemic.

The Joint Cybersecurity Working Group of HSCC is a private-public partnership of healthcare entities and providers, including over 260 medical device and health IT companies, direct patient care entities, and others.

The guidance was developed amid the COVID-19 pandemic, which HSCC noted resulted in a rise in telemedicine visits and telework. As the crisis worsened, hackers have moved to take advantage of the chaos to deploy phishing, fraud, malware, and domain attacks.

“While the COVID-19 pandemic has fundamentally changed the landscape, it’s not unusual to make sudden and drastic changes to technology platforms that support an organization’s crisis management activities,” the report authors wrote. “These changes can introduce new vulnerabilities and new attack vectors.”

“Coupled with an increase in threat activity, organizations can be left with a perfect-storm scenario that gives and advantage to the threat actors,” they added.

Smaller providers can leverage the Health Industry Cybersecurity Tactical Crisis Response Guide as a resource for activities to consider for their security programs, while larger organizations may find the guide to be a “sanity check” for their existing emergency response plans.

The guidance is divided into four focus areas: education and outreach considerations when engaging the enterprise; considerations for enhancing prevention techniques; detection and response techniques; and considerations for helping the overall workforce with these plans.

“During a crisis, technology, processes and even the way we work can change on a dime,” Erik Decker, University of Chicago Medicine’s chief information security and privacy officer, and a co-lead of the report’s task group, said in a statement. “This opens up brand new attack surfaces, and the vulnerability from malicious cyber-attacks increases as well.”

“To thwart these attacks before they occur, it’s essential for healthcare organizations to analyze, establish, implement, and maintain cybersecurity practices that are responsive to the crisis at hand,” he added.

For the educational aspect, organizations can leverage the guide to develop communication plans, improve response times, and maximize overall enterprise cybersecurity plans, which will provide stakeholders with transparent and timely communications during times of crisis.

There should be a communication plan for IT leadership, clinical leadership, external parties, as well as the entire workforce. The insights provide step-by-step methods for building each of these elements, tailored to the role of the user.

Organizations can also use the guide for policy and procedural review considerations, as “in the event of a crisis, policies might be adjusted, relaxed, or have exceptions.”

“Consider that exceptional circumstances might pressure existing policy structure,” the guide authors wrote. “Though it is important for cybersecurity teams to be flexible with the organization, they also, at a minimum, must track these exceptions during any crisis to guide the organization back to normalcy once the crisis is over and inform continuous improvement processes.”

For prevention methods, entities will find insights on ways to limit the potential attack surface through vulnerability management, accelerated patching, and endpoint management.

Notably, the guide contains detailed methods for bolstering the remote access currently being fueled by the Coronavirus crisis. Organizations are again reminded to employ multi-factor authentication (MFA), which Microsoft has shown blocks 99.9 percent of automated cyberattacks.

Healthcare entities can also leverage the resource to learn the best ways to leverage threat intelligence feeds, given the threat environment rapidly changes during a crisis. HSCC and H-ISAC also provided a list of available resources to help bolster privacy and security programs, overall.

The last section focuses solely on caring for the team during times of crisis, including employee well-being and ensuring leaders are performing self-assessments that evaluate how an organization is handling the crisis.

This is the second HSCC guidance released in the past week; the first detailed best practice ways to protect healthcare trade secrets and research from cyber theft. In the last year, HSCC has provided healthcare with insights on cybersecurity staffing, cyber threat information sharing, and supply chain management, among other topics.

“The HIC-TCR was developed by a team of seasoned practitioners in healthcare who have offered their experience and expertise in cybersecurity incident response to provide other healthcare organizations with a roadmap of important things to consider when either developing or refining an incident tactical response plan,” Denise Anderson, President of the H-ISAC, and task group co-lead, said in a statement.

“While every plan has to adapt to the needs of each situation and each organization, there are solid basic best principles that should be adopted, and this guide is a great tool to use,” she concluded.

Next Steps

Dig Deeper on Cybersecurity strategies