Sample Incident Response Plan

Sample Incident Response plan for a fictitious hospital.

Kevin Mitnick Memorial Hospital's Incident Response Plan
Matthew J McMahon
Cybersecurity in Healthcare Administration
Salve Regina University
February 23, 2017

Contents

Introduction
Overview of the Incident Response Plan
CHAPTER ONE. Preparation
    Develop a CSIRT
    Conduct Employee Training
    Use Best Practices
CHAPTER TWO. Detection
    Identify the Incident
    Analyze the Incident
CHAPTER THREE. Response
    Preserve the Evidence
    Contain the Incident
    Remove the Threat
    Recover From the Incident
CHAPTER FOUR. Post-Incident Activity
    Conduct an After Action Report
    Report the Incident
Conclusion
Revision History
Appendix 1
    KMMHS Third Party Risk Assessment Form
Appendix 2
    Blank Manufacturer's Disclosure Statement for Medical Device Security Form
Introduction

The Kevin Mitnick Memorial Hospital, located at 1492 Exploit Lane in Calabasas, California, is a small twenty-five-bed critical access hospital. The facility has a twenty-four-hour emergency department and a lab that operates between the hours of 8:00 AM and 8:00 PM PST, Monday through Friday. The facility uses MEDITECH version 5.6.7 as its electronic medical records (EMR) system. It also uses a Sunquest laboratory informatics system (LIS) in the lab that passes results to MEDITECH. The hospital employs a plethora of other medical devices including, but not limited to, Point of Care (POC) blood gas, urinalysis and glucose analyzers from various vendors that all send results to the Sunquest system via a Data Innovations interface engine.

In today's day and age, cyber-attacks on hospitals are becoming more and more prevalent. It is no longer a question of if a hospital will be attacked but when. In an environment where a medical record sells for ten times what a credit card record does on the dark web, it is imperative that this medical facility create and implement a Computer Security Incident Response Team (CSIRT) to manage and oversee the facility's Incident Response Plan (IRP) and assure the protection of our customers' Protected Health Information (PHI).

Overview of the Incident Response Plan

The purpose of the Kevin Mitnick Memorial Hospital's Incident Response Plan is to provide clear, concise instructions to each member of the hospital staff and to business partners on how to respond to an incident. The structure of this report follows the standard four-phase incident response model of Preparation, Detection, Response and Post-Incident Activity. The first phase, Preparation, focuses on establishing clear areas of responsibility for the various hospital staff should an incident occur. The second phase, Detection, details how the hospital's IT staff should stay vigilant against cyber threats. This includes what should be done should IT become aware of a potential threat, as well as the processes to be implemented for threat analysis. The third phase, Response, details how the organization should respond to an identified incident, which includes the preservation of evidence, containment of a potential exploit, removal of the threat from the system and recovery after the threat is contained. The fourth and final phase, Post-Incident Activity, details the actions to be taken after the incident has been mitigated, including an after-action report and any incident reporting.
CHAPTER ONE. Preparation

Develop a CSIRT

A Computer Security Incident Response Team (CSIRT) is a cross-disciplinary team created to bring together the key personnel that will be needed to respond to an incident. The response team includes several members of the IT department, including a system administrator and members of the database, network and security teams, as well as representation from the legal, HR and public relations teams and the executive suite.

The database team is responsible for ensuring that the site's various SQL databases are regularly updated with security patches and secured against SQL injection exploits, a common healthcare threat vector.

The network team is responsible for ensuring that the hospital's various networks are properly cordoned off, using firewalls and separate virtual local area networks (VLANs) and network partitions where applicable. In addition, their responsibilities include regularly updating and properly implementing antivirus and antimalware software, as well as port management, which includes blocking unused ports and managing the facility's dynamic host configuration protocol (DHCP) network addressing structure.

The IT security team is responsible for working in conjunction with the networking team to develop an all-encompassing security posture that is robust but not so restrictive that it affects the free flow of data across the hospital's networks. Their main role is education, specifically developing and delivering training for all hospital staff on good cyber and physical security habits.

The legal department plays an important but often overlooked role in the development of the hospital's security posture. It is their responsibility to review and craft the third-party vendor interface agreements that detail where the hospital's responsibility ends and a third party's begins when it comes to the hospital's various software and hardware interfaces that move data around its networks.

HR's biggest role in security is properly screening new candidates, especially those that will hold high levels of security clearance, such as system administrators. They also play an essential role in ensuring that all employees' security trainings and documentation are up to date. Another responsibility of the HR department is to ensure that access to all hospital systems is immediately revoked upon an employee's termination of employment.

The public relations team is responsible for communicating with the public and/or news media outlets should a breach occur. Per section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health Act (HITECH), in the case of a breach affecting more than 500 individuals the public must be made aware via the news media.
The executive suite is a key player in the facility's cyber defense structure. They are often a high-value target specifically sought out by advanced persistent threats (APTs). They will undergo a higher level of security training than any other employee, as they are not only the most targeted but also the primary decision makers in driving the organization's response to a threat.

It is imperative to have representation from each of the hospital's internal third-party vendor support staff on the team, as they are the ones with the key access and product knowledge that will need to be leveraged if an attack targets and compromises their application. Their input will be essential in helping IT and the executive suite craft an appropriate response to a threat. This includes key support staff for each of the various medical software applications on site, including MEDITECH, Sunquest, Data Innovations and the Siemens Healthineers Point of Care (POC) Rapidcomm software application. The application support staff have access to these third-party vendors via 24-hour phone and onsite support should that need to be activated.

The team also includes contacts from key business partners that the organization works with, who regularly attend the group's biweekly meetings, as an exploit is often brought in through a third-party vulnerability. Business partners include, but are not limited to, West Coast Recycling (data destruction), Dell onsite desktop support, North Star Janitorial Services and Hiram's cafeteria services. Business partners should not be overlooked in a hospital's IRP, as all of the above services have some level of potential access to protected data, be it on a decommissioned hard drive, a paper record or even the dietary status board posted in the cafeteria that lists patients' allergies and dietary restrictions. The involvement of third-party vendors is essential to the facility's greater cyber defense strategy.

For each third-party interface, a vendor interface form shall be completed by the vendor prior to connecting and submitted to the IT security team (see Appendix 1). The IT security team will then conduct a threat assessment to determine the risk associated with connecting one of the hospital's systems to the third-party vendor. The interfacing product's Manufacturer Disclosure Statement for Medical Device Security (MDS2) form and any other supporting documentation should be requested, kept on file and regularly updated by the vendor (see Appendix 2).

The roles spelled out in this section of the report are far from all-encompassing. They are meant to give all hospital staff a general idea of the roles and responsibilities of the various members of the CSIRT. More in-depth, user-specific roles are addressed in role-specific trainings. These roles and responsibilities are fluid and dynamic, constantly changing and adapting to address the ever-changing cyber threat landscape.
Conduct Employee Training

All hospital staff are required to take a two-hour security training within fourteen days of their hire date and to complete a one-hour refresher training every six months thereafter. The training program, created by the hospital's IT security team, covers general physical and cyber security concepts such as how to create a strong password, reporting suspicious emails and not holding the door open for other staff entering the hospital. In addition to this general training, certain key members of the hospital staff take additional trainings provided by the SANS Institute and facilitated by the IT security team. These include members of the executive suite, who are often the target of phishing exploits, hospital IT on secure network configuration, and others according to job role.

Use Best Practices

In addition to the specific roles already laid out in the "Develop a CSIRT" section of this report, the following best practices should be observed by all hospital staff:

• Minimum length and complexity requirements for system passwords
• Regular system password expiration
• Encrypt all outbound and internal email that contains PHI
• Ensure the desktop PC screen lock after 5 minutes of inactivity is enabled
• No holding the door for other staff

The following best practices should be maintained by all hospital IT and informatics staff:

• All laptops and mobile devices shall be encrypted
• All systems must be backed up fully once a week, with incremental backups happening daily
• All system patches must be implemented per vendor recommendations
• All systems should be pen tested annually
• All systems should be fuzz tested annually
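As an added example that is not part of the hospital's plan, the following hypothetical Python helper checks the backup practice above (a full backup every week, incrementals every day) against a constructed backup catalog, and works out the backup set that the later Recover From the Incident step would need to restore a system; the system names, dates and catalog layout are all assumptions.

```python
"""Backup-schedule check and restore-chain lookup.

Hypothetical helper, not part of the hospital's plan: verifies that every
system has a full backup at most 7 days old and some backup at most 1 day
old (the plan's weekly full / daily incremental practice), and lists the
backup set needed to restore a system to a chosen point in time.
"""
from datetime import date

# Constructed catalog of completed backup jobs: (system, kind, date).
# In practice this would be exported from the backup software's job history.
CATALOG = [
    ("meditech-emr", "full", date(2017, 2, 19)),
    ("meditech-emr", "incr", date(2017, 2, 20)),
    ("meditech-emr", "incr", date(2017, 2, 21)),
    ("meditech-emr", "incr", date(2017, 2, 22)),
    ("sunquest-lis", "full", date(2017, 2, 12)),  # weekly full was missed
    ("sunquest-lis", "incr", date(2017, 2, 22)),
    ("di-interface", "full", date(2017, 2, 19)),
    ("di-interface", "incr", date(2017, 2, 20)),  # daily incrementals stopped
]
TODAY = date(2017, 2, 23)  # review date used as "now" for the constructed sample

MAX_FULL_AGE_DAYS = 7   # "backed up fully once a week"
MAX_ANY_AGE_DAYS = 1    # "incremental backups happening daily"


def check_schedule(catalog, today=TODAY):
    """Return {system: [problem, ...]}; an empty list means compliant."""
    latest = {}  # system -> {kind: most recent date of that kind}
    for system, kind, when in catalog:
        kinds = latest.setdefault(system, {})
        if kind not in kinds or when > kinds[kind]:
            kinds[kind] = when

    report = {}
    for system, kinds in latest.items():
        problems = []
        full = kinds.get("full")
        if full is None:
            problems.append("no full backup on record")
        elif (today - full).days > MAX_FULL_AGE_DAYS:
            problems.append(f"last full is {(today - full).days} days old")
        newest = max(kinds.values())
        if (today - newest).days > MAX_ANY_AGE_DAYS:
            problems.append(f"no backup in the last {MAX_ANY_AGE_DAYS} day(s)")
        report[system] = problems
    return report


def restore_chain(catalog, system, point_in_time):
    """Backups needed to restore `system` to its newest state on or before
    `point_in_time`: the latest full taken by then, followed by every
    incremental after it. Returns [] when no usable full exists.

    During recovery, `point_in_time` should be a date before the compromise
    so that only clean backups are restored.
    """
    entries = sorted((d, k) for s, k, d in catalog
                     if s == system and d <= point_in_time)
    fulls = [d for d, k in entries if k == "full"]
    if not fulls:
        return []
    base = fulls[-1]
    return [(k, d) for d, k in entries if d >= base]


if __name__ == "__main__":
    for system, problems in check_schedule(CATALOG).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{system:14} {status}")
    for kind, when in restore_chain(CATALOG, "meditech-emr", TODAY):
        print(f"restore {kind:4} {when}")
```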
CHAPTER TWO. Detection

Identify the Incident

An incident is typically identified by one of the automated or manual security scans regularly conducted on the hospital's various systems. Automated scans include both antivirus and antimalware software that look for both blacklisted exploits and specific threat signatures that could detect a zero-day exploit. Both of these applications are configured to immediately quarantine a threat should it be detected. Manual network scans, such as the regular monitoring of network traffic via Windows logs or an application such as Wireshark, should be conducted on a weekly basis. Any abnormal network activity, such as spikes in data entering or leaving the network, should be reported immediately to the IT network and/or security teams. In addition to IT, every employee is responsible for being on the lookout for suspicious activity and should report such activity immediately by dialing *511 on any hospital phone to be connected to the security office.

Analyze the Incident

Qualification of incident severity parallels the standards laid out by the Health Insurance Portability and Accountability Act (HIPAA). The three classifications are a direct reflection of the number of patient records affected.

Category       Number of Records Affected
Minor          0
Significant    1 – 499
Critical       500 +

Minor

Members of the IT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. The IT Manager for that day will take the lead on this threat and coordinate communication. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats.

Significant
Members of the IT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. All applicable forensic analysis will be handled by the IT security team. Members of the executive and legal teams will be brought into the discussion to examine the ramifications of the patient record breach. The IT Manager for that day will take the lead on this threat and coordinate communication. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats.

Critical

Members of the IT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. All applicable forensic analysis will be handled by the IT security team. Members of the executive and legal teams will be brought into the discussion to examine the ramifications of the patient record breach. The highest-ranking available executive team member will take the lead on this threat and coordinate communication. The PR department will take the lead on drafting and delivering appropriate public news briefs regarding the situation as it develops. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats.

CHAPTER THREE. Response

Preserve the Evidence

Preserving the evidence begins with preparing the necessary tools to analyze an exploit before one is reported. The IT department keeps two PCs running Forensic Toolkit (FTK) as well as other forensic tools for the immediate forensic analysis of a potential threat. Should you find suspicious activity on any hospital PC, call the hospital security line at *511 immediately and report it. DO NOT TURN OFF THE DEVICE IN QUESTION, as valuable forensic evidence could be lost by doing so. The IT Security team will work to contain any threat detected, as well as make an image of any infected device to preserve forensic evidence that could be used in a legal case.

Contain the Incident

The IT department will be instrumental in containing the incident. The type of threat will largely dictate the containment measures. If proper network segmentation and the other security measures previously listed are in place, the exploit should be relatively contained. After the
required evidence is collected, it is up to the IT department, in conjunction with the application support team for the affected system, to devise a strategy for further containment. It may be decided that the affected system should be taken offline, but no decision should be made until at least a brief initial forensic analysis has been done to determine what type of threat the incident entails. In many cases exploits are specifically crafted to be activated by an IT department's attempt to contain and mitigate them. This should be a consideration.

Remove the Threat

Based on the initial forensic assessment of the threat, the IT team, again in conjunction with the application support team, will devise and implement a strategy to fully remove the threat from the system. This could entail wiping the drive and restoring a backup, deleting a firewall's quarantined files queue or any number of other measures specific to the threat encountered.

Recover From the Incident

The final step of the response phase is recovering from the incident. In most cases this will involve restoring a clean backup of the affected system, but it is also possible that new hardware may need to be purchased if it cannot be assured that the exploit was successfully mitigated. Again, this will be at the discretion of the IT department in conjunction with the application support team for the affected system.

CHAPTER FOUR. Post-Incident Activity

Conduct an After Action Report (AAR)

After the incident is successfully mitigated, the team should reconvene to discuss the incident and the team's response to it. It is important to note that not every cyber threat can be foreseen and stopped. There is little that can be done about a zero-day exploit that sneaks past the facility's threat monitoring systems and manual detection process. It should be reviewed and discussed whether such a threat was adequately quarantined by proper network segmentation. A known exploit that was allowed into the hospital's network because a firewall was not regularly updated or because a PC was running an outdated operating system is another story, as that was a fully preventable incident and should be discussed as such and remediated. The entire facility should be notified about the breach, and it should be used as a learning opportunity.
Report the Incident

Per HIPAA, a healthcare facility is legally required to notify the public via a media outlet when a breach affects more than 500 individuals. The U.S. Department of Health and Human Services (HHS) must also be notified in the event of a breach of 500 or more records. The legal team is responsible for contacting and informing HHS, while PR is responsible for reporting the breach to local media outlets.

Conclusion

With the cyber threat landscape what it is today, it is less a question of if a healthcare organization will be the victim of a cyber-attack and more a question of when. The best a healthcare organization can do is create a robust IRP: one that is detailed enough that employees at each level of the organization know exactly what they are responsible for during an incident, but not so unwieldy and specific that no one fully reads it or that it is not easily searchable. We believe that the Kevin Mitnick Memorial Hospital has created such a document with this IRP. It cannot be stressed enough, though, that the incident response plan must grow and evolve with the threat landscape. This is a living document that should be reviewed and revised at least twice a year, and more often when necessary to address a specific advanced persistent threat (APT), changing health legislation, etc.

Revision History

Revision    Revised By    Date Revised    Next Review Date
1
2
3
4
5
6
Appendix 1

KMMHS Third Party Risk Assessment Form

In order to meet privacy regulations, the Kevin Mitnick Memorial Hospital system (KMMHS) must have the following information about the applications that are used to create, store, view, maintain or transmit our data. We appreciate your help in returning this form to us as quickly as possible. Feel free to attach diagrams or other supporting documents if they are relevant. The information you provide will be reviewed by KMMHS's IT Department, Compliance Department and/or IT Security Department. Your responses are confidential.

Application Information

• What is the application name?
• What is the name of the company that provides the application?
• Who is the primary application contact for this third party interface at KMMHS?
• Who is the IT Security Team Manager contact for this application?
• Please describe how the application is used.
• Does this application create, store, view, maintain or transmit Protected Health Information (PHI), Personal Identity Information (PII), or Payment Card Information (PCI)? Yes / No

If the answer to the above question is "No," please identify who completed this form and STOP. If the answer is "Yes," please continue.

Completed By (Name): _________________________________________________ Date ___/___/___
Signature: _______________________________________________
This section is to be completed by the third party vendor.

Completed by vendor contact: _________________________________________ Date ___/___/___
Signature: _______________________________________________

User Authentication Controls

• Does each user have a unique login or identifier? Yes / No
• Are users automatically logged off after some period of time? Yes / No
• What is the automatic log off time period? (# of minutes)
• Are accounts automatically locked if there are failed login attempts? Yes / No
• What is the number of failed attempts that are allowed before an account is locked? (# of attempts)
• Does the application require users to change their password? Yes / No
• How often must users change their password? (# of days)
• What is the minimum password length? (# of characters)
• Are upper/lower case, numbers and special characters supported in passwords? Yes / No
• Are passwords encrypted while stored? Yes / No
• Are passwords encrypted when transmitted? Yes / No

User Authorization Controls

• Is user access reviewed and authorized before being granted? Yes / No
• Is user access based upon the principle of 'least privilege'? Yes / No
• Are role-based user profiles defined and used? Yes / No
• Is separation of duties addressed when user access is granted? Yes / No
• Is user access reviewed periodically to ensure that access is appropriate? Yes / No
• Is there a process for removing access for terminated employees? Yes / No

User Access Monitoring

• Are user log on (successful and failed) attempts logged? Yes / No
• Are user transactions (application activities) logged? Yes / No
• Is log/audit trail data protected (files cannot be deleted or modified)? Yes / No
• How long is log/audit trail data retained? (# of months)
• Is log/audit trail data reviewed periodically to detect anomalies? Yes / No
• What is the frequency for log/audit trail review? (# of times per week)
• If an anomaly is detected, is an incident response process in place to investigate?
Yes / No

Data Protection Controls

• Is the application data classified as "protected"? Yes / No
• If data is classified as protected, is data encrypted while at rest (stored data encryption)? Yes / No
• Is protected data encrypted while in transit (data in motion encryption)? Yes / No
• What encryption standard is used? (for example: AES-128, AES-256, Triple DES)
• Is protected data stored within a database? Yes / No
• What database is used? (for example: SQL Server, Oracle)
• Do you back up data on a regular basis? Yes / No
• Is protected data stored on or accessed from a thumb drive or other portable media? Yes / No
• Do you have a process in place to destroy portable media that contains protected data? Yes / No
• Do you allow personally owned devices to access protected data? Yes / No
• Do you have processes in place to destroy protected data that may be printed? Yes / No
• Is there a disaster recovery plan for this application? Yes / No
• Do you have a plan to continue operating in case of an emergency? Yes / No
• Do you have a process for testing and applying patches or updates to your systems and applications? Yes / No
• Is there a process to identify and remediate application vulnerabilities? Yes / No

Please attach an application data map that shows the flow of all protected information.

This section is to be used to document any comments or risks that are not easily explained when responding to the questions. Each numbered line is intended for one unique discussion item.

1.
2.
3.
4.
5.
6.
7.
8.

Completed By (Name): _________________________________________________ Date ___/___/___
Signature: _______________________________________________

Thank you for your help.

To be completed by KMMHS.

Reviewed By (IT Security Team Member Name): ____________________________________ Date ___/___/___
Signature: _______________________________________________
Appendix 2

Manufacturer Disclosure Statement for Medical Device Security Form