An incident response plan is an organized method for preparing and managing a security breach or cyber attack. The goal is to handle the circumstance in a way that limits damage and reduces recovery time and costs. There are six sequences in an incident response plan: preparation, identification, containment, eradication, recovery, and follow-up. All must be completed for the incident to be considered successful. While “plan” is a noun but is also a verb. The plan should evolve regularly.
The six sequences broke-down:
Preparation – For me, the essential component is the preparation phase. Conducting a SWOT (strengths, weaknesses, opportunities, threats) analysis gives the foundation to build the plan. This part is where you ensure understanding the depth of and resources needed to combat the threats. Based on the analysis, a team of internal made-up of IT, administrators, legal, human resources, insurance public relations with specialized outside vendors on the list. InfoSec software such as EnSilo Endpoint and Attack IQ should be researched, purchased, and tested during this phase. An inventory of all devices as well as permissions can be collected by software and should be updated regularly. Training will occur during this phase testing both the system and people for readiness.
Identification – Once red flags go up due to increased activity on the network or staff has mentioned either clicking on a link, etc. causing concern, the identification of the situation occurs. During this phase, an examination of the events, analyze, and determine if there is an incident. The specialized software assists in the investigation identifying the threat. Interviews of users are conducted.
Containment – During this phase of the incident response, the goal is to eliminate further damage. There are two goals during this phase which are stopping the communications with threat actors such as hacker or botnet. This is where the system is isolated to cease the spread of the threat with some of the methods being low-tech like unplugging the network cable to creating ACLs on routers or firewalls restricting packets through them. For a forensics analysis, it is crucial to get a copy of the file system and memory utilizing a forensic computer along with EnCase Forensic Software version 8.09 and Safe Block Win7, a software write blocker, to examine the network and infected devices ensuring a successful copy verified by an MD5 or SHA hash algorithm. The second goal involves applying patches to the affected system and other similar systems. At this point, passwords are changed, and firewall rules added as well as the removal of compromised accounts. At this point, if an attack has happened then, law enforcement should be contacted and information shared.
Eradication – Using the forensic analysis obtained during the containment phase, the system and devices are cleaned. Software such as Attack IQ can help identify the threat. Once the system has been purged of the risk, use the most recent clean backup to restore the system.
Recovery – This is the last system related phase where it is tested to bring the system back online then monitoring of the performance occurs to ensure there is no compromise. I would add during this phase is where stakeholders would be informed if a data was lost.
Follow-Up – The final of the incident response plan. It is the “lessons learned” part when the response team debriefs. A report outlining “the who, what, where, how, and what we did about it” is created. The report should include recommendations to prevent future attacks by the same method.
Every healthcare enterprise needs to have an incident response plan. It isn’t the question about if an attack will happen, it is about when it will. During an incident, like with any crisis affecting business continuity, a practiced plan must be in place because the more time spent figuring how what to do is time taken away from mitigating the situation. The longer time used, the more trust lost and the reputation affected. Levels of trust correlate with spending. There is a financial impact when trust erodes. Less confidence in the ability to protect data means consumers are less likely to spend their money on your services and products.
In the field of healthcare, trust is paramount. While consumers with all levels of trust from low to high increased spending over 12 months, the low-trust consumer spending was a slower rate and 15 percent decreased their spending compared to high-trust who only reduced spending by 4 percent. Combine less spending by consumers with the cost of recovering/restoring patient records lost in a data breach is about $408 per record according to a recent Ponemon report.
Healthcare organization that underinvest in cybersecurity and do not take patients’ perception will find their profitability negatively affected.