For healthcare organizations that were affected by a data breach or other attack, there isn't a universally agreed-upon...
process for responding to a breach. Despite a growing quantity of security breaches in healthcare settings, the differences among those breaches created some disparity between how healthcare facilities handle the aftermath of an attack or other loss of data. Assessing all the past actions taken after the discovery of a data leak or system breach can provide health IT executives with lessons they can use to guide their organizations to avoid some the common mistakes that plague healthcare data breach responses.
Being a victim of a cyberattack is a stressful and costly matter. The afflicted organization will likely face public criticism and legal implications. There are extra implications within healthcare because there are specific laws that inform medical facilities how to notify the federal government and the public of a breach of their systems. Outlined in sections 45 CFR §§ 164.400-414 of the HIPAA Breach Notification Rule, affected healthcare groups are required to provide notifications following a breach of unsecured protected health information.
Over time, organizations such as hospitals, payers and other covered entities defined their healthcare data breach responses, making those part of their HIPAA readiness. Procedures for how IT should address a crisis as well as which outside sources should be contracted are two of the steps that are often taken after data breaches in healthcare facilities. The following are some areas that have not always been high priorities after a breach, but should be to prevent future attacks.
Where to start when reacting to security breaches in healthcare
Focusing on the systems that caused a breach
While it is a top priority to immediately eliminate the malware, Trojan or root cause of the breach, several security experts agree that most attackers leave different harmful applications behind that will remain dormant for period of time. This is done so the perpetrators can continue their criminal activities later on. When the response team works on eliminating the rogue application or detected vulnerability, they must perform a thorough investigation to ensure nothing malicious is left in the environment that can result in future damage.
Password changes are not always the answer
When an organization responds to a data breach that is caused by inappropriate administrative access into systems, the first step is always to reset or disable the accounts that were compromised. While that may temporarily address the issue, the threat is far from over. Attackers are usually able to discretely access additional administrative accounts or have their malware run under local administrative accounts. This process allows their tools to run without the need for account passwords.
Scanning only the affected systems
During the aftermath of a serious cyberattack, a thorough scan of the infected environment is usually conducted. Servers and power user stations are often the first endpoints that are checked to confirm they are clean. However, most cybercriminals can hide their tools in unsuspected areas such as laptops or workstations. There is also a common hacking practice where hacking tools communicate to different locations outside of the breached organization, and the hackers frequently switch endpoints to avoid detection by traffic monitoring tools.
Security upgrades to future-proof the environment
There is a common misconception that adding security products will help detect future breaches and deter cybercriminals. Sometimes changing internal security processes and using the existing security can be just as effective in preventing attacks. For example, Microsoft operating systems offer a wealth of security and event monitoring capabilities that can detect endpoint anomalies. Security events tracked with Windows machines can be centralized and monitored. Groups such as the National Security Agency have published tips to help organizations effectively use and monitor the safety their existing systems.
Engaging more than security response specialists
In the event of a breach, the natural reaction is to call in the experts to deal with the situation, especially when it's the first time the organization experiences an IT emergency. Bringing in an outside team that is trained to respond to breaches to assist the internal IT department is a critical step, particularly if the IT team isn't experienced in dealing with data breaches. After security breaches in healthcare organizations, it's important to reach out to their business associates and other covered entities to see if they have any advice to offer and check that those other businesses systems' haven't also been compromised. Companies such as Dell, Hewlett Packard Enterprise, IBM, Microsoft, Amazon and EHR vendors offer the services of breach response teams and additional tools that can help an organization recover in the wake of a security incident.
During a breach, most response efforts are focused on eliminating the threat, identifying the scope of the breach and putting systems in place to immediately reduce the risks for the future. An affected organization must recognize that there will always be some risk for a future breach no matter how many products or security policies are in place. The best thing to do is to identify any technical and procedural changes that can help stop repeat attacks. Hackers' methods for breaching systems are constantly changing, and security experts and IT departments must remain alert to stay ahead of these criminal activities.
Hospital network works with outside firm to bolster security
Insulation against data breaches starts with internal health IT teams
Encryption is a security asset for HIPAA covered entities