Introduction to Incident Response
If you’ve ever suffered a breach, you know what it’s like to work furiously to stop the cyber bleeding, find where your defenses need reinforcing, and enhance your organization’s threat detection quickly to prevent something similar from happening again. If your cyber incident resulted from a cyberattack or ransomware, the likelihood that the attackers will return for more is high—the FBI has issued warnings about cyber attackers targeting the same victim again within a short time of the first attack.
If you’ve been able to evade cyber attackers to this point, congratulations, that’s hard to do. Still, at some point, it’s likely a bad actor will get motivated enough to find a way through your controls and safeguards. If this happens, your incident response and resiliency planning can pay off big in helping you shut down the attack quickly and minimize the disruption and damage to your organization.
This Clearwater guide is here to help you through the most important pieces of incident response planning, active incident response, and the successful recovery of your data and return to normal business operations.
Key Terms
Alerts: These are notifications generated by security systems or tools indicating potential security issues. Alerts often signify a specific trigger or detection of suspicious activities that might pose a threat. They act as initial warnings that something potentially harmful or anomalous has occurred or is ongoing within a system or network.
Events: Events refer to any observable occurrence within a system or network. These could be generated by various sources like applications, devices, or security tools. Not all events signify a threat; they are recorded activities or observations that might be of interest for security monitoring purposes. Events become significant when analyzed in context and correlation with other data to identify potential security incidents.
Incidents: Incidents are confirmed, actionable security events that indicate a security breach or compromise. These events have been assessed and verified to pose a threat or cause harm to an organization’s assets, systems, or data. Incidents often require immediate investigation, response, and mitigation to contain the impact and prevent further damage. They represent a level of severity that demands specific attention and action to resolve and remediate.
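The three terms above form a pipeline: raw events are correlated into an alert, and an alert becomes an incident only once it has been verified and triaged for severity. The following added example (not from the original guide) shows that pipeline over a few constructed authentication events; the correlation rule, the threshold, the user names and the IP addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real log data). One source fails repeatedly
# and then succeeds; a second source has a single, isolated failure.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:00:05", "src": "203.0.113.7", "user": "jdoe", "type": "auth_failure"},
    {"ts": "2024-01-10T02:00:09", "src": "203.0.113.7", "user": "jdoe", "type": "auth_failure"},
    {"ts": "2024-01-10T02:00:14", "src": "203.0.113.7", "user": "jdoe", "type": "auth_failure"},
    {"ts": "2024-01-10T02:00:20", "src": "203.0.113.7", "user": "jdoe", "type": "auth_failure"},
    {"ts": "2024-01-10T02:00:27", "src": "203.0.113.7", "user": "jdoe", "type": "auth_failure"},
    {"ts": "2024-01-10T02:00:33", "src": "203.0.113.7", "user": "jdoe", "type": "auth_success"},
    {"ts": "2024-01-10T02:03:00", "src": "198.51.100.4", "user": "asmith", "type": "auth_failure"},
]


@dataclass
class Alert:
    """A correlated observation worth an analyst's attention; not yet an incident."""
    rule: str
    src: str
    user: str
    first_seen: datetime
    last_seen: datetime
    event_count: int


@dataclass
class Incident:
    """A confirmed alert with a triage decision attached."""
    alert: Alert
    severity: str
    priority: int


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Turn raw events into alerts. Hypothetical rule: at least `threshold`
    failures from one source within `window`, followed by a success from the
    same source. Events are grouped per source and processed in time order."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        failures = []  # timestamps of recent failures inside the window
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            if ev["type"] == "auth_failure":
                failures.append(ts)
                failures = [t for t in failures if ts - t <= window]
            elif ev["type"] == "auth_success" and len(failures) >= threshold:
                alerts.append(Alert("failures_then_success", src, ev["user"],
                                    failures[0], ts, len(failures) + 1))
                failures = []
    return alerts


def triage(alert, privileged_users, confirmed):
    """Triage an alert. Only an analyst-confirmed alert becomes an incident;
    severity and priority depend on whether a privileged account was involved."""
    if not confirmed:
        return None  # stays an alert: not verified, so not an incident
    if alert.user in privileged_users:
        return Incident(alert, "high", 1)
    return Incident(alert, "medium", 2)


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
        print(triage(a, {"jdoe"}, confirmed=True))
```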
Crafting a Killer Incident Response Plan: Find and Contain It Before It Becomes a Material Event
Timing is Everything
The first four hours are critical to stopping an attack, responding, recovering, and resuming operations as quickly as possible with minimal disruptions. Making the most of these golden hours requires more than just an incident response plan—it requires your organization to have rehearsed and tested your response so everyone knows their specific role in helping stop the attack and minimizing the damage. Here are 6 tips to ensure your incident response plan is always incident-ready:
1. Establish an incident response framework you can build upon or improve over time
Your incident response framework should include the complete lifecycle of an incident. Based on NIST SP 800, here are a few areas you’ll want to ensure are included in your framework:
- Preparation: Maintain and improve incident response capabilities to minimize the likelihood of occurrences through effective management of third-party hosting services, systems, networks, applications, and processes that ensure the confidentiality, integrity, and availability of data.
- Detection: Once you’ve determined an incident has occurred, what steps will you take to confirm, classify, and prioritize the response? Here are a few common ways incidents may be detected:
- Reporting by a workforce member
- Intrusion detection system/intrusion prevention system
- Monitoring, such as a security information and event management (SIEM) system
- Endpoint protection, for example, the ability to lock down laptops, smartphones, tablets, and other devices once you discover an incident
- Triage: Your initial triage stage will determine the incident severity and response level and help you establish priorities for the next steps.
- Incident Analysis: Seek out indicators of compromise to determine the root cause and establish appropriate actions for resolution
- Containment, Eradication, and Recovery
- Containment: Isolate or mitigate the affected system to contain what is occurring or prevent it from flowing outward. The goal is to limit the degree to which the incident can harm your organization and systems. Don’t forget about evidence gathering here. Evidence gathering is critical in preserving the chain of custody, which may be required as part of self-reporting or external investigation into your incident.
- Eradication: Remove threats. This is where you identify and mitigate vulnerabilities or other security issues, including removing latent threats such as malware, identifying and mitigating potential vulnerabilities or misconfiguration, and identifying other hosts that may be affected.
- Recovery: Incident analysis for procedural and policy implications. Gather metrics and incorporate lessons learned into future response activities and training.
- Remediation: Post-occurrence repair of affected systems, communication, and instructions to affected parties, including analysis that confirms you’ve contained the threat. Also, monitor and/or audit systems to ensure mitigation and remediation plans are in place, working, and effective. Be sure to detail related disciplinary actions for team members and document all needed changes for your existing policies and procedures with a plan to make those changes.
- Post-Incident Activity and Review: This happens after detection, analysis, containment, eradication, and recovery. Your goal is to review your response to determine what you can do to better respond to similar situations in the future.
This is not merely a linear process; after developing your plans and once you detect an incident, you’ll need to analyze it and enact your containment, eradication, and recovery protocols. However, before moving to your post-incident activity phase, you’ll need to loop through the detection and analysis phase again until you’re sure the incident has been resolved.
2. Understand common occurrences and build them into your policies and procedures
By understanding some common categories of attacks or occurrences that your organization may encounter, you can plan better. This list can also help you mature and scale your existing response strategies.
- Unauthorized Access: This is when an individual or entity gains logical or physical access without permission to your network, system, application, data, or another resource.
- Denial of Service (DoS): An attack that prevents authorized network, application, or system functionality by intentionally disrupting services.
- Malicious Code: Successful installation of malicious software (e.g., a virus, worm, trojan horse, or other code-based malicious entity) that infects an operating system or application, excluding malware successfully quarantined by antivirus software.
- Improper or Inappropriate Usage: When an individual violates acceptable computing policies.
- Suspected PHI Breach: If an occurrence involves protected health information (PHI), it must be reported, even if just suspected.
- Suspected Loss of Sensitive Information: An occurrence that involves a suspected loss of sensitive information (not personally identifiable information) that occurred as a result of unauthorized access, malicious code, or improper (or inappropriate) use, where the cause or extent is not known.
3. Know your environment
Knowing how cyber attackers are targeting healthcare organizations can help you predict who might be coming for yours and how they plan to do it. Effective incident response requires that you know your environment—both within your organization and the industry at large.
Stay current with alerts and relevant (and trustworthy) industry news about potential incidents and disruptions.
While your incident response lifecycle can help you learn more about maturing your plans based on what you learn within your organization, you can also build stronger plans by reviewing what other organizations have experienced, how they responded, what worked, and what didn’t.
4. Don’t silo incident response
Incident response plans often reside with information security or cybersecurity teams; those team members bear response responsibility, even if the incident goes beyond their expertise or requirements.
That’s why it’s important to not silo your incident response within a single team or department. Instead, establish a cross-functional incident response team (IRT) to ensure core areas of responsibility and ownership are represented.
Don’t limit your IRT exclusively to your internal team members. For some response types, you may also need input and support from external stakeholders, for example, board members or third-party vendors. A cross-functional team can ensure an integrated strategy for your incident response plans.
Here are some members to consider for your IRT:
- Privacy officer and security officer
- Human resources manager
- Legal counsel
- Senior management
- Board of directors
- Internal investigator(s)
- Affected system or operations representative(s)
- Marketing
- Public relations
- Finance/accounting representative(s)
- Call center operations
- Other departments/people deemed appropriate
Once you’ve determined the right representation for your IRT, here are some key responsibilities to tackle:
- What happens when the incident rises to the level of a breach?
- Who conducts the breach risk assessment?
- Who notifies affected individuals?
- Who notifies HHS OCR?
- Who notifies the media, if applicable?
- Who notifies state agencies, if required?
- What happens when OCR investigates?
5. Dust off your shelf
Incident response is not a “one-and-done” process. To remain resilient, you must continually review, adapt, and improve your incident response protocols. One way to do that is to routinely unpack your plan, pull it off the shelf, and put it to the test. Here are a few ways you can test your incident response plans:
- Paper test: A detailed walk-through includes validating your vendor call and notification lists and reviewing end-user procedures.
- Tabletop exercises: Review your response plan to determine how effective your plan is for responding to various scenarios.
- Technical restoration activities (including alternate site activities): For example, can your team access previous backups to restore systems if you experience a data loss? You could also test your team’s ability to switch specific operations from your primary site to an alternative site and back again to determine if you can effectively respond and maintain operations for critical systems and services.
- Supplier facility and/or service tests: Conduct tests in conjunction with vendors to ensure both you and your vendor respond as you’ve determined in your contracts, business associate agreements (BAAs), service level agreements (SLAs), etc.
6. Come full circle and do it again
It’s important to align your plans with the incident response lifecycle because effective incident response is ongoing. To remain resilient, you must come full circle with continuous planning, reviews, testing, and updates.
Post-incident activity reviews are key to driving your success and adopting improvements. You can also use those results to improve employee training and internal and external communication strategies. By reviewing your lessons learned, you can continuously mature your incident response strategies to decrease disruptions and downtime and improve operational resiliency.
Three Critical Components of Active Incident Response
When your organization is in the heat of the attack, your incident response plan should be so tested and well-tuned that your teams can quickly and accurately respond—even as the attack evolves around them. Remember, most attackers have already run recon on your systems and network. They’re actively anticipating how you will respond and are looking for backdoors and workarounds to circumvent your response tactics. These three key steps can help you keep pace.
- Be Quick: Speed is critical. Once you’ve identified your threat, keep your eyes on every movement and be prepared to engage every time a tactic evolves or pivots. Keep your eyes up—and on—the threat actors so that your teams (for example, your MSP/MSSP, legal, incident response, and security operations center (SOC)) can act proactively in a reactive situation.
- Active Defense: Ensure your teams have the correct tools, processes, and resources to manage an active defense to the attack.
- Preserve: It’s all about documentation and evidence capture. If you face legal or compliance actions due to a cyber incident, you must be able to document what happened, the steps you took, and the outcome of every step of your incident response strategy. For example, the Office for Civil Rights (OCR) will want to see that you executed the data security and privacy strategies you reported. Failure to do so could lead to higher penalties or other punitive actions. This is also a learning opportunity your teams can use to improve future response plans.
To Pay or Not to Pay (the Ransom Demand)?
The long-standing ethical directive, “do no harm,” and the situational urgency of care put healthcare providers at a disadvantage against their ransomware attackers. If caught unprepared, healthcare organizations may have to make the call to pay the ransom. However, even when paying the ransom, organizations should assume that sensitive data has been exfiltrated even as attackers provide the encryption keys to release their hold. There are cases when attackers have executed double and triple extortion tactics, some contacting the patients directly and threatening data exposure if the individual’s ransom is not paid. Managing ransomware risk should focus on all avenues to mitigate this threat because it’s never as simple as paying or not paying the ransom as some believe.
Limiting Your Liabilities and Understanding Your Legal Risk
Beyond disrupting patient care and tarnishing your organization’s reputation, breaches and ransomware attacks can put your organization at risk of regulatory actions and/or lawsuits. If you’ve recently suffered an event, understanding your legal risks and how to stay ahead of them is a critical component of your incident response plan.
Start by engaging your legal counsel right away. There are many misconceptions about the legal implications of a ransomware attack, and consulting legal counsel immediately can help your organization address these misconceptions and navigate the complex legal terrain accompanying such incidents. One advantage of engaging your legal team immediately is establishing legal privilege. While engaging consulting firms for forensic work may compromise that privilege, involving them through legal counsel allows the potential for privilege protection. Understanding the cyberattack isn’t necessary to engage your organization’s attorneys; their role is to guide your organization through the legal complexities.
Your legal counsel will also be helpful in reviewing and understanding your cyber insurance policies before an incident occurs, as well as navigating the nuances of your coverage. Patching is a good example here; it’s important to understand if your cyber insurance carrier will consider you liable if there’s an available patch that hasn’t been implemented or if a patch is partially deployed at the time of the incident.
While you’re engaging your legal team, you should also be pulling your compliance team into the mix. This group has important insight into state or federal data privacy and security regulations and requirements. Depending on the size and impact of the incident, your board, c-suite, and human resources department should all be notified early so they can execute their roles in your incident response plan.
Retain and Protect Evidence
Regardless of the size of the incident, ensuring evidence is protected is critical. While it’s tempting for IT teams to erase entire systems and start over in the name of quick mitigation and the protection of enterprise systems, this can backfire quickly when litigation or state or federal law requires evidence of what happened and how the organization responded. In a March 2023 podcast episode for AHLA, Iliana Peters, Former Deputy OCR Director and Shareholder with Polsinelli, talked about the critical nature of preserving forensic evidence in cyber incidents and shared the following example.
A HIPAA covered entity or a business associate must presume a breach unless it can specifically determine what information a threat actor accessed while in its systems. This means what they interacted with while they were in various systems, such that the organization can understand the risk to that data. If an organization has wiped all of the activity or all of the forensic breadcrumbs, then they can’t determine what that threat actor did while they were in the systems. And as a result, they have to assume that they touched everything. There are many reasons that this scenario should be avoided.
Iliana recommended that sandbox systems be utilized so that when an organization must take systems offline, it can make sure the evidence is maintained securely while the IT team continues to remediate. The goal is to get back online in a safe way, where the threat actor is no longer able to interact with systems, while keeping the information that’s needed to understand the scope of what the incident looked like.
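Preserving evidence in a way that holds up later means recording what was collected, by whom and when, and being able to prove that neither the artifacts nor the custody record changed afterwards. The following added example (not from the guide or from Clearwater) builds an evidence manifest with SHA-256 hashes of each preserved artifact and a hash-chained chain-of-custody log; the file names, case id and actor names are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def canonical(obj):
    # Stable JSON encoding so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_custody(manifest, actor, action, when=None):
    """Append a custody entry that embeds the previous entry's hash (or, for
    the first entry, the hash of the item list), making the log tamper-evident."""
    custody = manifest["custody"]
    prev = custody[-1]["entry_hash"] if custody else sha256_bytes(canonical(manifest["items"]))
    entry = {"actor": actor, "action": action, "prev_hash": prev,
             "when": when or datetime.now(timezone.utc).isoformat()}
    entry["entry_hash"] = sha256_bytes(canonical(entry))
    custody.append(entry)
    return entry


def collect(paths, collector, case_id):
    """Hash each preserved artifact at collection time so any later change to
    the preserved copy is detectable, then open the custody chain."""
    now = datetime.now(timezone.utc).isoformat()
    items = [{"path": p, "sha256": sha256_file(p), "size": os.path.getsize(p)} for p in paths]
    manifest = {"case_id": case_id, "collector": collector, "collected_at": now,
                "items": items, "custody": []}
    record_custody(manifest, collector, "collected", now)
    return manifest


def verify(manifest):
    """Return (artifacts_intact, custody_chain_intact)."""
    artifacts_ok = all(os.path.exists(i["path"]) and sha256_file(i["path"]) == i["sha256"]
                       for i in manifest["items"])
    expected_prev = sha256_bytes(canonical(manifest["items"]))
    chain_ok = True
    for entry in manifest["custody"]:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != expected_prev or sha256_bytes(canonical(body)) != entry["entry_hash"]:
            chain_ok = False
            break
        expected_prev = entry["entry_hash"]
    return artifacts_ok, chain_ok


def demo():
    """Constructed scenario: two preserved artifacts and a hand-off to counsel,
    then a change to one artifact and an edit to the custody log, both of
    which verification must catch. Returns the three verification results."""
    with tempfile.TemporaryDirectory() as d:
        log_copy = os.path.join(d, "auth.log")
        mem_image = os.path.join(d, "memory.raw")
        with open(log_copy, "w") as f:
            f.write("2024-01-10T02:00:33 sshd: accepted password for jdoe\n")  # constructed
        with open(mem_image, "wb") as f:
            f.write(b"\x00" * 4096)  # stand-in for a memory capture
        m = collect([log_copy, mem_image], "ir-analyst-1", "CASE-0001")
        record_custody(m, "ir-analyst-1", "handed to legal counsel")
        record_custody(m, "legal-counsel", "received")
        intact = verify(m)
        with open(log_copy, "a") as f:
            f.write("tampered\n")
        artifact_changed = verify(m)
        m["custody"][1]["action"] = "edited after the fact"
        log_changed = verify(m)
        return intact, artifact_changed, log_changed


if __name__ == "__main__":
    print(demo())
```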
Reporting Requirements
Depending on the nature and size of the breach, you’ll have to file various reports about what happened, how you responded, timeframes, and results. Each compliance and regulatory agency has different requirements on when you must make these reports, so be well-versed in timetables before an incident happens and include reporting mechanisms in your incident response plans.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires all critical infrastructure organizations, which includes healthcare, to report cyber incidents to the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency within 72 hours. Organizations are also required to report ransomware payments within 24 hours of making any payments due to an attack.
In addition to federal reporting requirements, states may have additional and/or different reporting requirements related to breaches and material cyber events. In late 2023, New York proposed new cybersecurity requirements for all state hospitals that include reporting a cyberattack within two hours of discovery. While the requirements are still under review and hospitals will have twelve months to comply with the final rule, the reporting requirement will be effective immediately.
The SEC also issued new requirements for public companies in 2023, including disclosures about material cyber incidents. This disclosure includes reporting the “material aspects of the incident’s nature, scope, and timing” and its “material impact or reasonably likely material impact on the registrant.” The new disclosure is an additional component of Form 8-K and is typically due within four business days of the registrant determining that an event is material.
While many, if not most, healthcare organizations are private companies or not-for-profit, it’s important to stay current with the SEC’s new requirements around cybersecurity for a number of reasons, but possibly most important is that the SEC has the authority to investigate all companies that seek to raise capital from U.S. investors. Additionally, most private companies are part of public company supply chains, so while the SEC may not be looking to hold your organization to its new ruling, your customers and public company stakeholders may. Bob Chaput, Clearwater Founder and Executive Chairman, wrote more about this topic in an article for the American Health Law Association.
Cybersecurity Insurance
Cybersecurity insurance is critical to helping your organization recover losses from a cyberattack and minimizing the impact on the organization. But what was once just a few questions to secure a policy are now applications and questionnaires that span many pages.
Just a few years ago, healthcare organizations could easily get insurance with limited underwriting information. Carriers wanted to build their books, and cyber insurance premiums were affordable. But that began to change in 2020 with the rise of ransomware attacks and increased ransomware payouts and claims.
Historically, ransom payments were in the tens of thousands of dollars, with the occasional payout exceeding $100,000. Yet, it didn’t take long for threat actors to realize they could further monetize their criminal activity by launching more widespread ransomware attacks. As payouts and claims increased, carriers looked for corrective actions; for example, they started to sublimit coverages like cyber extortion. Ransomware coverage changed and, in some cases, was completely excluded from policies.
Today’s cyber insurance providers won’t just take your word that you’ve implemented mature cyber hygiene practices. They want you to demonstrate and document what you’re doing alongside ongoing validation processes. One small misstep or inaccuracy could mean your coverage won’t pay out when you need it most.
Top 10 Controls to Get Coverage and Support Claims
So, how can you ensure everything is in place before applying for cyber insurance? The following recommended list of 10 cybersecurity controls may help you get coverage and prove you were doing what you said you would do should you have to file a claim.
While each cyber insurance provider will have unique requirements (so be sure to read all the fine print in your policy), HUB International’s Senior Vice President, Technology & Cyber Leader Nate Hansen recently shared the following best practices on a Clearwater webinar as most cyber insurance carriers will require these:
- Multi-factor authentication (MFA) for remote/email/privileged user/cloud access
- Backups made offline from your main network
- Endpoint detection and response (EDR) tools
- Patch management procedures
- Remote desktop protocol (RDP) management/vulnerability scanning. It’s important to note here that almost every carrier now utilizes some type of vulnerability scanning tool or process as part of their underwriting practices. They may use the results of those scans to determine if your organization is eligible for coverage.
- Incident response and business continuity plans
- Email security tools/privileged account tools (i.e. Privileged Access Management or PAM tooling)
- Cybersecurity awareness training, for example, phishing and social engineering exercises
- Internal and/or external 24×7 security operations center (SOC)
- End-of-life software segmented from your main network
As ransomware and other attacks become more complex, it becomes trickier to understand exactly what you may need from a coverage perspective and how that might apply to your organization. In addition to the controls listed above, it’s also important to stay current on emerging trends across the threat landscape.
If you currently have coverage, don’t wait until your policy is about to expire before thinking about a renewal. Your needs and your insurer’s coverage and claim requirements may have changed. To ensure you’re getting the best rates for the most reasonable and appropriate coverage for your organization, set aside a couple of months to shop around, have important conversations with potential insurers, and ensure you have everything in place—and that it’s documented and accurate—to complete the application process.
If you’re new to this process or want to ensure you have industry-recognized controls that work as designed, consider partnering with a cybersecurity risk analysis professional who can help you take a more comprehensive look at your organization’s unique risks and offer advice and support on how to remediate them. With the help of a trusted partner, you can build confidence that you know what your risks are and you’re proactively mitigating them.
Go Forward and Stay Vigilant
This fight is never over. It’s tempting for organizations to claim victory after a cyber incident is resolved, ousting the attacker and putting new controls in place, only to grow complacent over time. But cyber attackers are relentless, and they will try again.
So, how do you get started and maintain a strong cybersecurity program?
First, be ready. Long before a cyber incident happens, have authentic conversations across your response teams about how ready you are to respond to an attack. Solicit feedback from all of your teams. Create a trusting environment where respondents can be honest about their opinions. Listen and draw on that feedback. Even if your testing and tabletop exercises build confidence that your incident response plan is effective and will work, never stop those activities, as your attack surface and threat landscape are constantly evolving. Don’t shy away from critical feedback. If your teams feel you’re not ready to respond, ask the hard question: What do we need to do to get there? Then, adjust your response plans accordingly and test again.
Second, evaluate the investments your organization is making into cybersecurity and your incident response plans.
Have you made the appropriate investment, both financially and in terms of personnel, tools, resources, and external support?
- Do you need to invest more to mature your cybersecurity practices and strengthen your program?
- Could you benefit from working with security and incident response consultants to ensure you’re maximizing your investments for the most effective and timely response?
- Do you have a solid understanding of business risk? How would your most critical operations be affected by a cyber incident and what would the impact of downtime or loss be on your operational resilience?
- Have you properly trained and educated your staff and key stakeholders about cyber hygiene and response protocols?
Finally, be your own first responder. In the heat of a cyber incident, your organization will have to save itself first. That means always having a plan and routinely conducting training to ensure your teams are always ready. Once your plan is activated, you can connect with the appropriate resources for additional support to ensure a successful response.
Effectively planning for incident response is no small task. It’s not just about ensuring your organization follows a specific framework or that you’ve implemented the appropriate controls—those are critical steps, but they’re just the beginning. Effective incident response requires a clear understanding of your cyber risks and a way of correlating them to actual business risks. With this understanding, your teams can strengthen your plans so they always know how to prioritize response and recovery actions to decrease the impact on your business.
According to IBM’s 2023 Cost of a Data Breach report, organizations with both an incident response team and incident response plan testing identified breaches 54 days faster than those with neither.
If you’re not confident your current incident response plans can adapt to the rapidly changing threat landscape or if you’re struggling to keep pace with your ever-expanding attack surface, consider working with a healthcare cybersecurity and incident response consultant who can help you conduct business impact and risk analyses to help you better understand your business, cyber, and compliance risks, and ensure you’re building effective response plans so you’re ready when your organization faces your next cyber event.