Matthew J McMahon, profile picture
Uploaded byMatthew J McMahon
DOCX, PDF3,462 views

Sample Incident Response Plan

The document outlines Kevin Mitnick Memorial Hospital's Incident Response Plan with 4 phases: 1) Preparation establishes roles for a Computer Security Incident Response Team and employee training. 2) Detection details identifying and analyzing incidents through automated/manual scans and employee reports. 3) Response includes preserving evidence, containing/removing threats, and recovering from incidents. 4) Post-incident activities are conducting an after action report and notifying authorities/public of critical breaches. The plan provides guidance for different incident severity levels and protecting patient health information.

Embed presentation

Downloaded 93 times
Kevin Mitnick Memorial Hospital’s Incident Response Plan Matthew J McMahon Cybersecurity in Healthcare Administration Salve Regina University February 23, 2017
2 Contents Introduction…………………………………………………………………………………..........3 Overview of the Incident Response Plan…………………………………………………….........3 CHAPTER ONE. Preparation…………………..…………………………………………............4 Develop a CSIRT……………..………………………………………………….…...........4 Conduct Employee Training……………..…..………………………………….…...........5 Use Best Practices………...…..………………………………………………….….........6 CHAPTER TWO. Detection………….……………………………………………………...........6 Identify the Incident………………..…………...…………………………………............6 Analyze the Incident………….……………..…..…………………………………............7 CHAPTER THREE. Response…………………..……...…………………………………...........8 Preserve the Evidence………………....……………………………………………..........8 Contain the Incident……….……….………..…..…………………………………...........8 Remove the Threat…….....…..……..………………………………………………..........8 Recover From the Incident………...………………………………………………............8 CHAPTER FOUR. Post-Incident Activity...…..……………….…………………………............9 Conduct an After Action Report………….……...……………...……………………........9 Report the Incident..…………..……………..…..…………………………………...........9 Conclusion………………………………………………………………………………………...9 Revision History…………………………………………………………………………………10 Appendix 1………………...………………………………………………………….................11 KMMHS Third Party Risk Assessment Form…………………………………………….11 Appendix 2………………...…………………………………………………………..................14 Blank Manufacturers Disclosure Statement for Medical Device Security Form..............14 Bibliography……………………………………………………………………………………..15
3 Introduction The Kevin Mitnick Memorial Hospital located at 1492 Exploit Lane in Calabasas, California is a small twenty five bed critical access hospital. The facility has a twenty four hour emergency department and a lab that operates between the hours of 8:00 AM and 8:00 PM PST Monday through Friday. The facility utilizes MEDITECH version 5.6.7 as its electronic medical records system (EMR.) It also utilizes a Sunquest laboratory informatics system (LIS) in the lab that passes results to MEDITECH. The hospital employs a plethora of other medical devices including, but not limited to; Point of Care (POC) blood gas, urinalysis and glucose analyzers from various vendors that all send results to their Sunquest system via a Data Innovations interface engine. In today’s day and age, cyber-attacks on hospitals are becoming more and more prevalent. It is no longer if a hospital will be attacked but when. In an environment where a medical record sells for ten times on the dark web what a credit card record does it is imperative that this medical facility create and implement a Computer Security Incident Response Team (CSIRT) to manage and oversee this facilities Incident Response Plan (IRP) and assure the protection of our customers Protected Health Information (PHI.) Overview of the Incident Response Plan The purpose of the Kevin Mitnick Memorial Hospital’s Incident Response Plan is to provide clear, concise instructions to each member of the hospital staff and business partners in response to an incident. The structure of this report utilizes the standard four phase incident response model of Preparation, Detection, Response and Post-Incident Activity. The first phase, Preparation focuses on establishing clear areas of responsibility for various hospital staff should an incident occur. The second phase, detection details how the hospital’s IT staff should stay vigilant against cyber threats. This includes what should be done should IT become aware of a potential threat as well as processes to be implemented for threat analysis. The third phase, Response details how the organization should respond to an identified incident which includes; the preservation of evidence, containment of a potential exploit, removal of the threat from the system and recovery after the threat is contained. The fourth and final phase, Post-Incident Activity details the actions to be taken after the incident has been mitigated including an after action report and any incident reporting.
4 CHAPTER ONE. Preparation Develop a CSIRT A Computer Security Incident Response Team (CSIRT) is a cross disciplinary team created to bring in key personnel that will be needed to respond to an incident. The response team includes several members from the IT department including a system administrator, members from the database, network and security teams as well as representation form legal, HR, public relations teams and the executive suite. The database team is responsible to assure that the sites various SQL databases are regularly updated with security patches and secured against SQL injection exploits, a common healthcare threat vector. The network team is responsible for assuring that the hospitals various networks are properly cordoned off, utilizing firewalls and separate virtual local area networks (VLAN’s) and network partitions where applicable. In addition their responsibilities include regularly updating and properly implementing antivirus and antimalware software as well as port management which includes blocking unused ports and managing the facilities dynamic host configuration protocol (DHCP) network addressing structure. The IT security team is responsible for working in conjunction with the networking team to develop an all-encompassing security posture that is robust but not so secure that it affects the free flow of data across the hospitals networks. Their main role is education, specifically developing and training all hospital staff on good cyber and physical security habits. The legal department plays an important but often overlooked role in the development of the hospitals security posture. It is their responsibility to review and craft the third party vendor interface agreements that detail where the hospitals responsibility ends and a third parties begins when it comes to the hospitals various software and hardware interfaces that move data around its networks. HR’s biggest role in security is properly screening the hiring of new candidates, especially those that will maintain high levels of security clearance such as system administrators. They also play an essential role in assuring that all employees’ security trainings and documentation are up to date. Another responsibility of the HR department is to assure that access to all hospital systems is immediately revoked upon an employee’s termination of employment. The public relations team is responsible for communicating with the public and/or news media outlets should a breach occur. Per section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health Act (HITECH,) in the case of a breach of more than 500 the public must be made aware via the news media.
5 The executive suite is a key player in the facilities cyber defense structure. They are often a high value target specifically sought out by advanced persistent threats (APT’s.) They will undergo a higher level of security training than any other employee as they are not only the most targeted but also the primary decision makers in driving the organizations response to a threat. It is imperative to have representation from each of the hospitals internal third party vendor support staff on the team as they are the ones with key access and product knowledge that will need to be leveraged if an attack targets and compromises their application. Their input will be essential in helping IT and the executive suite craft an appropriate response to a threat. This includes key support staff from each of the various medical software applications on site including MEDITECH, Sunquest, Data Innovations and the Siemens Healthineers, Point of Care (POC) Rapidcomm software application. The applications support staff has access to these third party vendors via 24 hour phone and onsite support should that need to be activated. The team also includes contacts from key business partners that the organizations works with that regularly attend the group’s biweekly meetings as often an exploit is brought in by a third party vulnerability. Business partners include but are not limited to West Coast Recycling, data destruction company, Dell onsite desktop support, North Star Janitorial Services as well as Hiram’s cafeteria services. Business partners should not be overlooked in a hospital’s IRP as all of the above listed services have some level of potential access to protected data, be it on a decommissioned hard drive, paper record or even the dietary status board posted in the cafeteria that list allergies and dietary restrictions of patients. The involvement of third party vendors is essential to the facilities greater cyber defense strategy. For each third party interface a vendor interface form shall be completed by the vendor prior to connecting and submitted to the IT security team, see Appendix 1. The IT security team will then conduct a threat assessment to determine the risk associated with connecting one of the hospitals systems to the third party vendor. The interfacing products Manufacturer Disclosure Statement for Medical Device Security (MDS2) form and any other supporting documentation should be requested, kept on file and regularly updated by the vendor, see Appendix 2. The roles spelt out in this section of the report are far from all encompassing. They are meant to give all hospital staff a general idea of the roles and responsibilities of the various members of the CSIRT team. More in depth, user specific roles are addressed in role specific trainings. These roles and responsibilities are fluid and dynamic, constantly changing and adapting to address the ever changing cyber threat landscape.
6 Conduct Employee Training All hospital staff are required to take a two hour security training within fourteen days of their hire date and additionally complete a one hour refresher training every six months. The training program, created by the hospital’s IT security team covers general physical and cyber security concepts such as how to create a strong password, reporting suspicious emails and not holding the door open for other hospital staff entering the hospital. In addition to this general training certain key members of the hospital staff take additional trainings provided by the SANS institute and facilitated by the IT security team. These include members of the executive suite that are often the target of phishing exploits, hospital IT on secure network configuration and others respective to job role. Use Best Practices In addition to the specific roles already laid out in the “Develop a CSIRT,” section of this report the following additional best practices should be observed by all hospital staff.  Minimum length and complexity requirements for system passwords  Regular system password expiration  Encrypt all outbound and internal email that contains PHI data  Assure all desktop PC’s lock screen after 5 minutes of inactivity is enabled  No holding the door for other staff The following best practices should be maintained by all hospital IT and informatics staff.  All laptops and mobile devices shall be encrypted  All systems must be regularly backed up fully once a week with incremental backups happening daily.  All system patches must be implemented per vendor recommendations  All systems should be pen tested annually  All systems should be fuzz tested annually
7 CHAPTER TWO Detection Identify the Incident An incident is typically identified by one of the automated or manual security scans regularly conducted on the hospital’s various systems. Automated scans include both antivirus and antimalware that look for both black listed exploits and specific threat signatures that could detect a zero day exploit. Both of these applications are configured to immediately quarantine a threat should it be detected. Manual network scans such as the regular monitoring of network traffic via Windows logs or an application such as using Wireshark should be conducted on a weekly basis. Any abnormal network activity such as spikes in data entering or leaving the network should be reported immediately to the IT network and/or security teams. In addition to IT every employee is responsible for being on the lookout for suspicious activity and should report such activity immediately by dialing *511 on any hospital phone to be immediately connected to the security office. Analyze the Incident Qualification of incident severity parallels the standards laid out by the Health Insurance Portability and Accountability Act (HIPAA.) The three classifications are a direct reflection of the number of patient records affected. Category Number of Records Effected Minor 0 Significant 1 – 499 Critical 500 + Minor Members of the IT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. The IT Manager for that day will take the lead on this threat and coordinate communication. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats. Significant
8 Members of the IT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. All applicable forensic analysis will be handled by the IT security team. Members of the executive and legal teams will be brought into the discussion to examine the ramifications of patient record breeches. The IT Manager for that day will take the lead on this threat and coordinate communication. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats. Critical Members of the IT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. All applicable forensic analysis will be handled by the IT security team. Members of the executive and legal teams will be brought into the discussion to examine the ramifications of patient record breeches. The highest ranking available executive team member will take the lead on this threat and coordinate communication. The PR Department will take the lead on drafting and delivering appropriate public news briefs regarding the situation as it develops. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats. CHAPTER THREE Response Preserve the Evidence Preserving the evidence begins with preparing the necessary tools to analyze an exploit before it is reported. The IT department keeps two PC’s running Forensic Tool Kit (FTK) as well as other forensic tools for the immediate forensic analysis of a potential threat. Should you find suspicious activity on any hospital PC you should call the hospital security line at *511 immediately and report it. DO NOT TURN OFF THE DEVICE IN QUESTION as valuable forensic evidence could be lost by doing this. The IT Security team will work to contain any threat detected as well as make an image of any infected device for later forensic evidence that could be used in a legal case. Contain the Incident The IT department will be instrumental in containing the incident. The type of threat will largely dictate containment measures. If proper network segmentation and other security measures previously listed are in place the exploit should be relatively contained. After the
9 required evidence is collected it is up to the IT department in conjunction with the application support team for the effected system to devise a strategy for further containment. It may be decided that the effected system should be taken offline but no decision should be made until at least a brief initial forensic analysis is done to determine what type of threat the incident entails. In many cases exploits are specifically crafted to be activated by an IT departments attempt to contain and mitigate them. This should be a consideration. Remove the Threat Based on the initial forensic assessment of the threat again, the IT team in conjunction with the application support team will devise and implement a strategy to fully remove the threat from the system. This could entail wiping the drive and restoring a backup, deleting a firewall’s quarantined files queue or any number of other measures specific to the threat encountered. Recover From the Incident The final step of the response phase is recovering from the incident. In most cases this will involve restoring a clean backup of the effected system but it’s also possible that new hardware may be need to be purchased if it cannot be assured that the exploit was successfully mitigated. Again, this will be at the discretion of the IT department in conjunction with the application support team for the effected system. CHAPTER FOUR Post-Incident Activity Conduct an After Action Report (AAR) After the incident is successfully mitigated the team should reconvene to discuss the incident and the team’s response to it. It is important to note that not every cyber threat can be foreseen and stopped. There is little that can be done about a zero-day exploit that sneaks past the facilities threat monitoring systems and manual detection process. It should be reviewed and discussed if such a threat was adequately quarantined by proper network segmentation. A known exploit that was allowed into the hospitals network because a firewall was not regularly updated or because a PC was running an outdated operating system is another story as that was a fully preventable incident and should be discussed as such and remediated. The entire facility should be notified about the breach and used as a learning opportunity.
10 Report the Incident Per HIPAA, a healthcare facility is legally required to notify the public via a media outlet when a breach affects more than 500 individuals. The U.S. Department of Health and Human Services (HHS) must also be notified in the event of a breach of 500 or more records. The legal team is responsible for contacting and informing HHS while the PR is responsible for reporting the breach to local media outlets. Conclusion With the cyber threat landscape what it is today it is less a question of if a healthcare organization will be the victim of a cyber-attack and more a question of when The best a healthcare organization can do is create a robust IRP. One that is detailed enough that employees at each level of the organization know exactly what they are responsible for during an incident but not so unwieldy and specific that no one fully reads it or isn’t easily searchable. We believe that the Kevin Mitnick Memorial Hospital has created such a document with this IRP. It cannot be stressed enough though that the incident response plan must grow and evolve with the threat landscape. This is a living document that should be reviewed and revised at least twice a year and more so when necessary to address a specific advanced persistent threat (APT,) changing health legislation, etc. Revision History Revision Revised By Date Revised Next Review Date 1 2 3 4 5 6
11 Appendix 1 KMMHS Third Party Risk Assessment Form In order to meet privacy regulations, The Kevin Mitnick Memorial Hospital system (KMMHS) must have the following information about the applications that are used to create, store, view, maintain or transmit our data. We appreciate your help in returning this form to us as quickly as possible. Feel free to attach diagrams or other supporting documents if they are relevant. The information you provide will be reviewed by KMMHS’s IT Department, Compliance Department and/or the IT Security Department. And your responses are confidential. Application Information Response What is the application name? What is the name of the company that provides the application? Who is the primary application contact for this third party interface at KMMHS?Who is the IT Security Team Manager contact for this application? Please describe how is the application used? Does this application create, store, view, maintain or transmit Protected Health Information (PHI), Personal Identity Information (PII), or Payment Card Information (PCI)? Yes No If the answer to the above question is “No,” please identify who completed this form Completed By (Name): _________________________________________________ Date___/___/___ Signature: _______________________________________________ and STOP. If the answer is “Yes”, please continue.
12 This section to be completed by the third party vendor. Completed by vendor contact: _________________________________________ Date___/___/___ Signature: _______________________________________________ User Authentication Controls Response Does each user have a unique login or identifier? Yes No Are users automatically logged off after some period of time? Yes No What is the automatic log off time period? (# of minutes)Are accounts automatically locked if there are failed login attempts? Yes No What is the number of failed attempts that are allowed before an account is locked? (# of attempts) Does the application require users to change their password? Yes No How often must users change their password? (# of days)What is the minimum password length? (# of characters)Are upper/lower case, numbers and special characters supported in passwords? Yes No Are passwords encrypted while stored? Yes No Are passwords encrypted when transmitted? Yes No User Authorization Controls Response Is user access reviewed and authorized before being granted? Yes No Is user access based upon the principle of ‘least privilege’? Yes No Are role based user profiles defined and used? Yes No Is separation of duties addressed when user access is granted? Yes No Is user access reviewed periodically to ensure that access is appropriate? Yes No Is there a process for removing access for terminated employees? Yes No User Access Monitoring Response Are user log on (successful and failed) attempts logged? Yes No Are user transactions (application activities) logged? Yes No Is log/audit trail data protected (files cannot be deleted or modified)? Yes No How long is log/audit trail data retained? (# of months)Is log/audit trail data reviewed periodically to detect anomalies? Yes No What is the frequency for log/audit trail review? (# of times per week)If an anomaly is detected, is an incident response process in place to investigate? Yes No Data Protection Controls Response Is the application data classified as “protected”? Yes No If data is classified as protected, is data encrypted while at rest? (stored data encryption) Yes No Is protected data encrypted while in transit? (data in motion encryption) Yes No What encryption standard is used? (for example: AES-128, AES-256, Triple DES)
13 Is protected data stored within a database? Yes No What database is used? (for example: SQL Server, Oracle) Do you back up data on a regular basis? Yes No Is protected data stored or accessed from a thumb drive or other portable media? Yes No Do you have a process in place to destroy portable media that contains protected data? Yes No Do you allow personally owned devices to access protected data? Yes No Do you have processes in place to destroy protected data that may be printed? Yes No Is there a disaster recovery plan for this application? Yes No Do you have a plan to continue operating in case of an emergency? Yes No Do you have a process for testing and applying patches or updates to your systems and applications? Yes No Is there are process to identify and remediate application vulnerabilities? Yes No Please attach an application data map that shows the flow of all protected information. This section is to be used to document any comments or risks that are not easily explained when responding to the questions. Each numbered line is intended to be used for each unique discussion item. 1. 2. 3. 4. 5. 6. 7. 8. Completed By (Name): _________________________________________________ Date___/___/___ Signature: _______________________________________________ Thank you for your help. To be completed by KMMHS. Reviewed By (IT Security Team Member Name): ____________________________________ Date___/___/___ Signature: _______________________________________________
14 Appendix 2 Manufacturer Disclosure Statement for Medical Device Security Form
15 Bibliography Verizon Enterprise Solutions “2014 Data Breach Investigation Report,” Catalan, Brandon, “ADJ-581 Principles of Forensics, Week 12, Crime Scene/Incident Procedures” Salve Regina University Cichonski, Paul, Millar, Tom, Grance, Tim, Scarfone, Karen. “Computer Security Incident Handling Guide; Recommendations of the National Institute of Standards and Technology.” National Institute of Standards and Technology:U.S. Department of Commerce, Special Publication 800-61, Revision 2. http://dx.doi.org/10.6028/NIST.SP.800-61r2 (accessed February 23, 2017) De Voe, Charles and Rahman, M Syed (Shawon), “Incident Response Plan For a Small to Medium Sized Hospital.” International Journal of Network Security & Its Applications, Vol 5, No. 2 (March 2013) Durkan, Jenny A., Cobb, Alicia, “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” The Cybersecurity Law Report, Vol 1, No 4 (May 2015) Federal Deposit Insurance Corporation, “Incident Response Programs: Don’t Get Caught Without One,” Supervisory Insights Forcepoint, “The Cost of the Unintentional Insider,” Forcepoint, Powered by Raytheon Hathaway, Melissa, “United States of America Cyber Readiness at a Glance,” Potomac Institute for Foreign Policy, (September 2016) Hau, Bill, “Incident Response:A New Model Needed,” 2013 Incident Response Survey Report, Information Security Media Group HIMSS, “2016 HIMSS Cybersecurity Survey,” Healthcare Information and Management Systems Society HIMSS, “Manufacturer Disclosure Statement for Medical Device Security (MDS2,”) Healthcare Information and Management Systems Society Imprivita, “The C-Suite Battle Plan for Cyber Security Attacks in Healthcare,” (2015). “Malware Trends; Industrial Control Systems Emergency Response Team (ICS- CERT) Advanced Analytical Laboratory (AAL,”) National Cybersecurity Communications Integration Center (October 2016) KnowB4, “Best Practices for Dealing with Phishing and Ransomware,” An Osterman Research
16 White Paper, (September 2016) McArdle, Jennifer, “Developing an Effective Cyber Incident Response Plan Lecture,” Salve Regina University Murphy, Sean. Healthcare Information Security and Privacy. New York: McGraw-Hill, (2015) NIST, “Computer Security Incident Handling Guide,” Special Publication 800-61 (August 2012), Ponemon Institute,“The Cyber Resilient Organization: Learning to Thrive Against Threats,” (September 2015) Ponemon Institute (2016), “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.” Page 1-32. PWC, “Cyber Crisis Management: A Bold Approach to a Bold and Shadowy Nemesis,” (Aug 2011) Sans Institute,“Protection of Information Assets,” Info Sec Reading Room (2002). Siemens Healthineers “DX Privacy Incident Management Process Guidance.” H DX Product Security & Privacy Office (Revised June 30, 2014) Siemens Healthineers “Security Incident Report Form.” GP-099 DX-Product Security Common Procedures – Version 1.0 Verizon Enterprise Solutions “2014 Data Breach Investigation Report,” World Economic Forum, “Risk and Responsibility in a Hyperconnected World,” (January 2014)

More Related Content

PPTX
VAPT - Vulnerability Assessment & Penetration Testing
byNetpluz Asia Pte Ltd
 
PDF
Introduction to Cybersecurity
byKrutarth Vasavada
 
PDF
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
PDF
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
PDF
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
byBCM Institute
 
PDF
Cyber Threat Intelligence
bymohamed nasri
 
PPTX
Presentation of Social Engineering - The Art of Human Hacking
bymsaksida
 
PPT
Cyber Security Layers - Defense in Depth
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
VAPT - Vulnerability Assessment & Penetration Testing
byNetpluz Asia Pte Ltd
 
Introduction to Cybersecurity
byKrutarth Vasavada
 
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
byBCM Institute
 
Cyber Threat Intelligence
bymohamed nasri
 
Presentation of Social Engineering - The Art of Human Hacking
bymsaksida
 
Cyber Security Layers - Defense in Depth
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 

What's hot

PPTX
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PPTX
SOC and SIEM.pptx
bySandeshUprety4
 
PPTX
Domain 1 - Security and Risk Management
byMaganathin Veeraragaloo
 
PPTX
Cyber Kill Chain.pptx
byVivek Chauhan
 
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
byMaganathin Veeraragaloo
 
PDF
Overview of the Cyber Kill Chain [TM]
byDavid Sweigert
 
PDF
Combined MITRE Presentation.pdf
byMukeshKr19
 
PPTX
101 Basic concepts of information security
bySsendiSamuel
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
PDF
How To Present Cyber Security To Senior Management Complete Deck
bySlideTeam
 
PPTX
Cyber security beginner level presentation slide
byMd. Ismiel Hossen Abir
 
PDF
Supply chain-attack
byvikram vashisth
 
PDF
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
byEdureka!
 
PDF
NIST cybersecurity framework
byShriya Rai
 
PDF
Social engineering attacks
byRamiro Cid
 
PDF
Cyber Resilience
byIan-Edward Stafrace
 
PPTX
CYBER SECURITY
byPranjalShah18
 
PDF
Security architecture
byDuncan Unwin
 
PPTX
Cyber kill chain
byAnkita Ganguly
 
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
SOC and SIEM.pptx
bySandeshUprety4
 
Domain 1 - Security and Risk Management
byMaganathin Veeraragaloo
 
Cyber Kill Chain.pptx
byVivek Chauhan
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
byMaganathin Veeraragaloo
 
Overview of the Cyber Kill Chain [TM]
byDavid Sweigert
 
Combined MITRE Presentation.pdf
byMukeshKr19
 
101 Basic concepts of information security
bySsendiSamuel
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
How To Present Cyber Security To Senior Management Complete Deck
bySlideTeam
 
Cyber security beginner level presentation slide
byMd. Ismiel Hossen Abir
 
Supply chain-attack
byvikram vashisth
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
byEdureka!
 
NIST cybersecurity framework
byShriya Rai
 
Social engineering attacks
byRamiro Cid
 
Cyber Resilience
byIan-Edward Stafrace
 
CYBER SECURITY
byPranjalShah18
 
Security architecture
byDuncan Unwin
 
Cyber kill chain
byAnkita Ganguly
 

Viewers also liked

PDF
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
byLancope, Inc.
 
DOCX
Security Assessment Plan (Template)
byGovCloud Network
 
DOCX
Rules of Behavior
byGovCloud Network
 
PPT
Management in healthcare
byOther Mother
 
DOC
Notice to Explain
byHarve Abella
 
PPTX
What's New In CompTIA Security+ - Course Technology Computing Conference
byCengage Learning
 
PPTX
Cloud application architecture with sql azure and windows azure
byEduardo Castro
 
PPT
Total Quality Management in Healthcare
byGunjan Patel
 
PDF
Sample of report of theft
bypjiahui
 
PPS
Security Training Incident Investigation And Report Writing.Ppt
byFaheem Ul Hasan
 
DOC
Reports
byanuragyadav94
 
DOC
12 report writing i
byEDIN BROW, DCE, AMET
 
PDF
Ship Security Training Manual (Sample)
byPawanexh Kohli
 
DOCX
Study notes for CompTIA Certified Advanced Security Practitioner
byDavid Sweigert
 
DOCX
How to write notice to explain memo
byAngelo Abejo
 
PDF
Notice to Explain SAMPLE FORM (First Notice)
byPoL Sangalang
 
DOC
Sample - Letter for Termination for Just Cause
byLaura Lee
 
DOCX
Incident report
bytehfaridahmustafa
 
DOCX
Accident Investigation Report - Sample 1
byJohn Keller
 
DOC
Template disciplinary lettersexamples-gables
byConfidential
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
byLancope, Inc.
 
Security Assessment Plan (Template)
byGovCloud Network
 
Rules of Behavior
byGovCloud Network
 
Management in healthcare
byOther Mother
 
Notice to Explain
byHarve Abella
 
What's New In CompTIA Security+ - Course Technology Computing Conference
byCengage Learning
 
Cloud application architecture with sql azure and windows azure
byEduardo Castro
 
Total Quality Management in Healthcare
byGunjan Patel
 
Sample of report of theft
bypjiahui
 
Security Training Incident Investigation And Report Writing.Ppt
byFaheem Ul Hasan
 
Reports
byanuragyadav94
 
12 report writing i
byEDIN BROW, DCE, AMET
 
Ship Security Training Manual (Sample)
byPawanexh Kohli
 
Study notes for CompTIA Certified Advanced Security Practitioner
byDavid Sweigert
 
How to write notice to explain memo
byAngelo Abejo
 
Notice to Explain SAMPLE FORM (First Notice)
byPoL Sangalang
 
Sample - Letter for Termination for Just Cause
byLaura Lee
 
Incident report
bytehfaridahmustafa
 
Accident Investigation Report - Sample 1
byJohn Keller
 
Template disciplinary lettersexamples-gables
byConfidential
 

Similar to Sample Incident Response Plan

PDF
Problem Statement The subject is a cybersecurity solution fo.pdf
bySUNIL64154
 
DOCX
Cyb 690 cybersecurity program template directions the foll
byAISHA232980
 
PDF
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
byDr Dev Kambhampati
 
PDF
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
byHealth IT Conference – iHT2
 
PDF
Healthcare Security Fundamentals
byEstellesc
 
PDF
CST 610 RANK Introduction Education--cst610rank.com
byagathachristie265
 
PDF
Whitepaper next generation_patient_safety_bertine_mc_kenna.01
byRonan Martin
 
PDF
Ijnsa050201
byIJNSA Journal
 
PDF
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
byIJNSA Journal
 
PDF
AOA_Report_TrapX_AnatomyOfAttack-Healthcare
byTony Zirnoon, CISSP
 
PDF
DHHS ASPR Cybersecurity Threat Information Resources
byDavid Sweigert
 
PDF
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
byLevi Shapiro
 
PDF
Addressing Cybersecurity Strategically
bySymantec
 
PDF
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
byMatthew J McMahon
 
PDF
CenturyHospital-v5
byDennis Rollin
 
DOCX
The Top Five Essential Cybersecurity Protections for Healthcare Facilities
byMatthew J McMahon
 
PDF
arcsight_scmag_hcspecial
byPaul Brian Contino
 
PDF
We Need to Prioritize Cybersecurity in 2020
byMatthew Doyle
 
PDF
OHMC 201509 lin
byDanie Schoeman
 
PDF
The challenge of ensuring secure clinics and hospitals for patients and staff
byDanie Schoeman
 
Problem Statement The subject is a cybersecurity solution fo.pdf
bySUNIL64154
 
Cyb 690 cybersecurity program template directions the foll
byAISHA232980
 
Collaborative Approaches for Medical Device & Healthcare Cybersecurity
byDr Dev Kambhampati
 
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
byHealth IT Conference – iHT2
 
Healthcare Security Fundamentals
byEstellesc
 
CST 610 RANK Introduction Education--cst610rank.com
byagathachristie265
 
Whitepaper next generation_patient_safety_bertine_mc_kenna.01
byRonan Martin
 
Ijnsa050201
byIJNSA Journal
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
byIJNSA Journal
 
AOA_Report_TrapX_AnatomyOfAttack-Healthcare
byTony Zirnoon, CISSP
 
DHHS ASPR Cybersecurity Threat Information Resources
byDavid Sweigert
 
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
byLevi Shapiro
 
Addressing Cybersecurity Strategically
bySymantec
 
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
byMatthew J McMahon
 
CenturyHospital-v5
byDennis Rollin
 
The Top Five Essential Cybersecurity Protections for Healthcare Facilities
byMatthew J McMahon
 
arcsight_scmag_hcspecial
byPaul Brian Contino
 
We Need to Prioritize Cybersecurity in 2020
byMatthew Doyle
 
OHMC 201509 lin
byDanie Schoeman
 
The challenge of ensuring secure clinics and hospitals for patients and staff
byDanie Schoeman
 

More from Matthew J McMahon

PDF
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
byMatthew J McMahon
 
PPT
DC617 Medical Device Presentation
byMatthew J McMahon
 
DOCX
McMahon & Associates Risk Management Strategy
byMatthew J McMahon
 
PDF
HCA 530, Week 2, Advanced persistent threat healthcare under attack
byMatthew J McMahon
 
DOCX
McMahon and Associates Cloud Usage Policy Paper
byMatthew J McMahon
 
PPTX
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
byMatthew J McMahon
 
DOCX
Past and Future Speaking Engagements
byMatthew J McMahon
 
PDF
HCA 530, Week 2, Symantec 2016 threat report
byMatthew J McMahon
 
DOC
Can international organizations like the IMF control the externality costs of...
byMatthew J McMahon
 
DOCX
Case brief US v batti
byMatthew J McMahon
 
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
byMatthew J McMahon
 
DC617 Medical Device Presentation
byMatthew J McMahon
 
McMahon & Associates Risk Management Strategy
byMatthew J McMahon
 
HCA 530, Week 2, Advanced persistent threat healthcare under attack
byMatthew J McMahon
 
McMahon and Associates Cloud Usage Policy Paper
byMatthew J McMahon
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
byMatthew J McMahon
 
Past and Future Speaking Engagements
byMatthew J McMahon
 
HCA 530, Week 2, Symantec 2016 threat report
byMatthew J McMahon
 
Can international organizations like the IMF control the externality costs of...
byMatthew J McMahon
 
Case brief US v batti
byMatthew J McMahon
 

Recently uploaded

PDF
Presentació "Beyond the Pilot: Scaling XR in Real-World Clinical Settings"
byBadalona Serveis Assistencials
 
PDF
Prosthetic Solutions Cranio-Maxillo-Facial
byDavide Decesari
 
PPTX
Speech language Pathology-1 (lecture 1).pptx
byDr Zonera Khalid PT
 
PPTX
Foundations of Pharmaceutical Quality Assurance and Quality Management System...
byDr. Smita Kumbhar
 
PPTX
CELL PHYSIOLOGY: STRUCTURE AND FUNCTIONS
byDR.P.S SUDHAKAR
 
PPT
Next-Generation Solutions to Optimize Glioma Care: Applying The Latest Eviden...
byPVI, PeerView Institute for Medical Education
 
PPT
Implementing Innovation in Alzheimer’s Care: Practical Approaches to Adopting...
byPVI, PeerView Institute for Medical Education
 
PPTX
blood banking and blood component. New onepptx
byRayAdhikariRatnesh
 
PPTX
Phytochemical Analysis And Antimicrobial Screening Studies Of Calotropis Giga...
bySoukat Garain
 
PPTX
Cardiac tamponade - Recognition & Emergency Management.pptx
byAsokan R
 
PPTX
ATTENTION (PSYCHOLOGY IN NURSING) COGNITIVE PROCESS.pptx
byPahari Sharma
 
PPTX
Holistic Oral Care- Danta Davana and Jihwa nilekhana in Ayurveda: Classical ...
bySudha Sumathy
 
PDF
Microencapsulation and their Application in Novel Drug Delivery
byGOKULAKRISHNAN S
 
PPTX
IgA Nephropathy: overview of Clinical trials (Journal Club)
byibrahimgalalah
 
PPTX
Central Venous Line: Insertion Technique & Complications
byDr Jebish Pradhan
 
PPTX
LOW BACK PAIN_BY. R.YUVASHRI BPT FINAL YEAR
byarunmanikandan6
 
PPTX
2025 APVRS-PAO Diplopia After Cataract & Retina Surgery.pptx
byAlvina Pauline Santiago, MD
 
PPTX
Emerging Targets in NSCLC beyond EGFR, ALK & ROS .pptx
bySumitKumar452
 
PDF
Tarsal Tunnel Syndrome anatomy and management
byMohamed E Elsebaey
 
PDF
Partograph: It is a composite graphical recording of cervical dilatation and ...
byMayuriGamit2
 
Presentació "Beyond the Pilot: Scaling XR in Real-World Clinical Settings"
byBadalona Serveis Assistencials
 
Prosthetic Solutions Cranio-Maxillo-Facial
byDavide Decesari
 
Speech language Pathology-1 (lecture 1).pptx
byDr Zonera Khalid PT
 
Foundations of Pharmaceutical Quality Assurance and Quality Management System...
byDr. Smita Kumbhar
 
CELL PHYSIOLOGY: STRUCTURE AND FUNCTIONS
byDR.P.S SUDHAKAR
 
Next-Generation Solutions to Optimize Glioma Care: Applying The Latest Eviden...
byPVI, PeerView Institute for Medical Education
 
Implementing Innovation in Alzheimer’s Care: Practical Approaches to Adopting...
byPVI, PeerView Institute for Medical Education
 
blood banking and blood component. New onepptx
byRayAdhikariRatnesh
 
Phytochemical Analysis And Antimicrobial Screening Studies Of Calotropis Giga...
bySoukat Garain
 
Cardiac tamponade - Recognition & Emergency Management.pptx
byAsokan R
 
ATTENTION (PSYCHOLOGY IN NURSING) COGNITIVE PROCESS.pptx
byPahari Sharma
 
Holistic Oral Care- Danta Davana and Jihwa nilekhana in Ayurveda: Classical ...
bySudha Sumathy
 
Microencapsulation and their Application in Novel Drug Delivery
byGOKULAKRISHNAN S
 
IgA Nephropathy: overview of Clinical trials (Journal Club)
byibrahimgalalah
 
Central Venous Line: Insertion Technique & Complications
byDr Jebish Pradhan
 
LOW BACK PAIN_BY. R.YUVASHRI BPT FINAL YEAR
byarunmanikandan6
 
2025 APVRS-PAO Diplopia After Cataract & Retina Surgery.pptx
byAlvina Pauline Santiago, MD
 
Emerging Targets in NSCLC beyond EGFR, ALK & ROS .pptx
bySumitKumar452
 
Tarsal Tunnel Syndrome anatomy and management
byMohamed E Elsebaey
 
Partograph: It is a composite graphical recording of cervical dilatation and ...
byMayuriGamit2
 

Sample Incident Response Plan

  • 1.
    Kevin Mitnick MemorialHospital’s Incident Response Plan Matthew J McMahon Cybersecurity in Healthcare Administration Salve Regina University February 23, 2017
  • 2.
    2 Contents Introduction…………………………………………………………………………………..........3 Overview of theIncident Response Plan…………………………………………………….........3 CHAPTER ONE. Preparation…………………..…………………………………………............4 Develop a CSIRT……………..………………………………………………….…...........4 Conduct Employee Training……………..…..………………………………….…...........5 Use Best Practices………...…..………………………………………………….….........6 CHAPTER TWO. Detection………….……………………………………………………...........6 Identify the Incident………………..…………...…………………………………............6 Analyze the Incident………….……………..…..…………………………………............7 CHAPTER THREE. Response…………………..……...…………………………………...........8 Preserve the Evidence………………....……………………………………………..........8 Contain the Incident……….……….………..…..…………………………………...........8 Remove the Threat…….....…..……..………………………………………………..........8 Recover From the Incident………...………………………………………………............8 CHAPTER FOUR. Post-Incident Activity...…..……………….…………………………............9 Conduct an After Action Report………….……...……………...……………………........9 Report the Incident..…………..……………..…..…………………………………...........9 Conclusion………………………………………………………………………………………...9 Revision History…………………………………………………………………………………10 Appendix 1………………...………………………………………………………….................11 KMMHS Third Party Risk Assessment Form…………………………………………….11 Appendix 2………………...…………………………………………………………..................14 Blank Manufacturers Disclosure Statement for Medical Device Security Form..............14 Bibliography……………………………………………………………………………………..15
  • 3.
    3 Introduction The Kevin MitnickMemorial Hospital located at 1492 Exploit Lane in Calabasas, California is a small twenty five bed critical access hospital. The facility has a twenty four hour emergency department and a lab that operates between the hours of 8:00 AM and 8:00 PM PST Monday through Friday. The facility utilizes MEDITECH version 5.6.7 as its electronic medical records system (EMR.) It also utilizes a Sunquest laboratory informatics system (LIS) in the lab that passes results to MEDITECH. The hospital employs a plethora of other medical devices including, but not limited to; Point of Care (POC) blood gas, urinalysis and glucose analyzers from various vendors that all send results to their Sunquest system via a Data Innovations interface engine. In today’s day and age, cyber-attacks on hospitals are becoming more and more prevalent. It is no longer if a hospital will be attacked but when. In an environment where a medical record sells for ten times on the dark web what a credit card record does it is imperative that this medical facility create and implement a Computer Security Incident Response Team (CSIRT) to manage and oversee this facilities Incident Response Plan (IRP) and assure the protection of our customers Protected Health Information (PHI.) Overview of the Incident Response Plan The purpose of the Kevin Mitnick Memorial Hospital’s Incident Response Plan is to provide clear, concise instructions to each member of the hospital staff and business partners in response to an incident. The structure of this report utilizes the standard four phase incident response model of Preparation, Detection, Response and Post-Incident Activity. The first phase, Preparation focuses on establishing clear areas of responsibility for various hospital staff should an incident occur. The second phase, detection details how the hospital’s IT staff should stay vigilant against cyber threats. This includes what should be done should IT become aware of a potential threat as well as processes to be implemented for threat analysis. The third phase, Response details how the organization should respond to an identified incident which includes; the preservation of evidence, containment of a potential exploit, removal of the threat from the system and recovery after the threat is contained. The fourth and final phase, Post-Incident Activity details the actions to be taken after the incident has been mitigated including an after action report and any incident reporting.
  • 4.
    4 CHAPTER ONE. Preparation Develop aCSIRT A Computer Security Incident Response Team (CSIRT) is a cross disciplinary team created to bring in key personnel that will be needed to respond to an incident. The response team includes several members from the IT department including a system administrator, members from the database, network and security teams as well as representation form legal, HR, public relations teams and the executive suite. The database team is responsible to assure that the sites various SQL databases are regularly updated with security patches and secured against SQL injection exploits, a common healthcare threat vector. The network team is responsible for assuring that the hospitals various networks are properly cordoned off, utilizing firewalls and separate virtual local area networks (VLAN’s) and network partitions where applicable. In addition their responsibilities include regularly updating and properly implementing antivirus and antimalware software as well as port management which includes blocking unused ports and managing the facilities dynamic host configuration protocol (DHCP) network addressing structure. The IT security team is responsible for working in conjunction with the networking team to develop an all-encompassing security posture that is robust but not so secure that it affects the free flow of data across the hospitals networks. Their main role is education, specifically developing and training all hospital staff on good cyber and physical security habits. The legal department plays an important but often overlooked role in the development of the hospitals security posture. It is their responsibility to review and craft the third party vendor interface agreements that detail where the hospitals responsibility ends and a third parties begins when it comes to the hospitals various software and hardware interfaces that move data around its networks. HR’s biggest role in security is properly screening the hiring of new candidates, especially those that will maintain high levels of security clearance such as system administrators. They also play an essential role in assuring that all employees’ security trainings and documentation are up to date. Another responsibility of the HR department is to assure that access to all hospital systems is immediately revoked upon an employee’s termination of employment. The public relations team is responsible for communicating with the public and/or news media outlets should a breach occur. Per section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health Act (HITECH,) in the case of a breach of more than 500 the public must be made aware via the news media.
  • 5.
    5 The executive suiteis a key player in the facilities cyber defense structure. They are often a high value target specifically sought out by advanced persistent threats (APT’s.) They will undergo a higher level of security training than any other employee as they are not only the most targeted but also the primary decision makers in driving the organizations response to a threat. It is imperative to have representation from each of the hospitals internal third party vendor support staff on the team as they are the ones with key access and product knowledge that will need to be leveraged if an attack targets and compromises their application. Their input will be essential in helping IT and the executive suite craft an appropriate response to a threat. This includes key support staff from each of the various medical software applications on site including MEDITECH, Sunquest, Data Innovations and the Siemens Healthineers, Point of Care (POC) Rapidcomm software application. The applications support staff has access to these third party vendors via 24 hour phone and onsite support should that need to be activated. The team also includes contacts from key business partners that the organizations works with that regularly attend the group’s biweekly meetings as often an exploit is brought in by a third party vulnerability. Business partners include but are not limited to West Coast Recycling, data destruction company, Dell onsite desktop support, North Star Janitorial Services as well as Hiram’s cafeteria services. Business partners should not be overlooked in a hospital’s IRP as all of the above listed services have some level of potential access to protected data, be it on a decommissioned hard drive, paper record or even the dietary status board posted in the cafeteria that list allergies and dietary restrictions of patients. The involvement of third party vendors is essential to the facilities greater cyber defense strategy. For each third party interface a vendor interface form shall be completed by the vendor prior to connecting and submitted to the IT security team, see Appendix 1. The IT security team will then conduct a threat assessment to determine the risk associated with connecting one of the hospitals systems to the third party vendor. The interfacing products Manufacturer Disclosure Statement for Medical Device Security (MDS2) form and any other supporting documentation should be requested, kept on file and regularly updated by the vendor, see Appendix 2. The roles spelt out in this section of the report are far from all encompassing. They are meant to give all hospital staff a general idea of the roles and responsibilities of the various members of the CSIRT team. More in depth, user specific roles are addressed in role specific trainings. These roles and responsibilities are fluid and dynamic, constantly changing and adapting to address the ever changing cyber threat landscape.
  • 6.
    6 Conduct Employee Training Allhospital staff are required to take a two hour security training within fourteen days of their hire date and additionally complete a one hour refresher training every six months. The training program, created by the hospital’s IT security team covers general physical and cyber security concepts such as how to create a strong password, reporting suspicious emails and not holding the door open for other hospital staff entering the hospital. In addition to this general training certain key members of the hospital staff take additional trainings provided by the SANS institute and facilitated by the IT security team. These include members of the executive suite that are often the target of phishing exploits, hospital IT on secure network configuration and others respective to job role. Use Best Practices In addition to the specific roles already laid out in the “Develop a CSIRT,” section of this report the following additional best practices should be observed by all hospital staff.  Minimum length and complexity requirements for system passwords  Regular system password expiration  Encrypt all outbound and internal email that contains PHI data  Assure all desktop PC’s lock screen after 5 minutes of inactivity is enabled  No holding the door for other staff The following best practices should be maintained by all hospital IT and informatics staff.  All laptops and mobile devices shall be encrypted  All systems must be regularly backed up fully once a week with incremental backups happening daily.  All system patches must be implemented per vendor recommendations  All systems should be pen tested annually  All systems should be fuzz tested annually
  • 7.
    7 CHAPTER TWO Detection Identify theIncident An incident is typically identified by one of the automated or manual security scans regularly conducted on the hospital’s various systems. Automated scans include both antivirus and antimalware that look for both black listed exploits and specific threat signatures that could detect a zero day exploit. Both of these applications are configured to immediately quarantine a threat should it be detected. Manual network scans such as the regular monitoring of network traffic via Windows logs or an application such as using Wireshark should be conducted on a weekly basis. Any abnormal network activity such as spikes in data entering or leaving the network should be reported immediately to the IT network and/or security teams. In addition to IT every employee is responsible for being on the lookout for suspicious activity and should report such activity immediately by dialing *511 on any hospital phone to be immediately connected to the security office. Analyze the Incident Qualification of incident severity parallels the standards laid out by the Health Insurance Portability and Accountability Act (HIPAA.) The three classifications are a direct reflection of the number of patient records affected. Category Number of Records Effected Minor 0 Significant 1 – 499 Critical 500 + Minor Members of the IT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. The IT Manager for that day will take the lead on this threat and coordinate communication. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats. Significant
  • 8.
    8 Members of theIT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. All applicable forensic analysis will be handled by the IT security team. Members of the executive and legal teams will be brought into the discussion to examine the ramifications of patient record breeches. The IT Manager for that day will take the lead on this threat and coordinate communication. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats. Critical Members of the IT Security team will monitor a potential threat that is either directly reported by an employee or shows up via an automatic or manual system scan. The threat will be investigated and quarantined. All applicable forensic analysis will be handled by the IT security team. Members of the executive and legal teams will be brought into the discussion to examine the ramifications of patient record breeches. The highest ranking available executive team member will take the lead on this threat and coordinate communication. The PR Department will take the lead on drafting and delivering appropriate public news briefs regarding the situation as it develops. The entire facility should be notified via email to increase awareness and generate visibility of cyber threats. CHAPTER THREE Response Preserve the Evidence Preserving the evidence begins with preparing the necessary tools to analyze an exploit before it is reported. The IT department keeps two PC’s running Forensic Tool Kit (FTK) as well as other forensic tools for the immediate forensic analysis of a potential threat. Should you find suspicious activity on any hospital PC you should call the hospital security line at *511 immediately and report it. DO NOT TURN OFF THE DEVICE IN QUESTION as valuable forensic evidence could be lost by doing this. The IT Security team will work to contain any threat detected as well as make an image of any infected device for later forensic evidence that could be used in a legal case. Contain the Incident The IT department will be instrumental in containing the incident. The type of threat will largely dictate containment measures. If proper network segmentation and other security measures previously listed are in place the exploit should be relatively contained. After the
  • 9.
    9 required evidence iscollected it is up to the IT department in conjunction with the application support team for the effected system to devise a strategy for further containment. It may be decided that the effected system should be taken offline but no decision should be made until at least a brief initial forensic analysis is done to determine what type of threat the incident entails. In many cases exploits are specifically crafted to be activated by an IT departments attempt to contain and mitigate them. This should be a consideration. Remove the Threat Based on the initial forensic assessment of the threat again, the IT team in conjunction with the application support team will devise and implement a strategy to fully remove the threat from the system. This could entail wiping the drive and restoring a backup, deleting a firewall’s quarantined files queue or any number of other measures specific to the threat encountered. Recover From the Incident The final step of the response phase is recovering from the incident. In most cases this will involve restoring a clean backup of the effected system but it’s also possible that new hardware may be need to be purchased if it cannot be assured that the exploit was successfully mitigated. Again, this will be at the discretion of the IT department in conjunction with the application support team for the effected system. CHAPTER FOUR Post-Incident Activity Conduct an After Action Report (AAR) After the incident is successfully mitigated the team should reconvene to discuss the incident and the team’s response to it. It is important to note that not every cyber threat can be foreseen and stopped. There is little that can be done about a zero-day exploit that sneaks past the facilities threat monitoring systems and manual detection process. It should be reviewed and discussed if such a threat was adequately quarantined by proper network segmentation. A known exploit that was allowed into the hospitals network because a firewall was not regularly updated or because a PC was running an outdated operating system is another story as that was a fully preventable incident and should be discussed as such and remediated. The entire facility should be notified about the breach and used as a learning opportunity.
  • 10.
    10 Report the Incident PerHIPAA, a healthcare facility is legally required to notify the public via a media outlet when a breach affects more than 500 individuals. The U.S. Department of Health and Human Services (HHS) must also be notified in the event of a breach of 500 or more records. The legal team is responsible for contacting and informing HHS while the PR is responsible for reporting the breach to local media outlets. Conclusion With the cyber threat landscape what it is today it is less a question of if a healthcare organization will be the victim of a cyber-attack and more a question of when The best a healthcare organization can do is create a robust IRP. One that is detailed enough that employees at each level of the organization know exactly what they are responsible for during an incident but not so unwieldy and specific that no one fully reads it or isn’t easily searchable. We believe that the Kevin Mitnick Memorial Hospital has created such a document with this IRP. It cannot be stressed enough though that the incident response plan must grow and evolve with the threat landscape. This is a living document that should be reviewed and revised at least twice a year and more so when necessary to address a specific advanced persistent threat (APT,) changing health legislation, etc. Revision History Revision Revised By Date Revised Next Review Date 1 2 3 4 5 6
  • 11.
    11 Appendix 1 KMMHS ThirdParty Risk Assessment Form In order to meet privacy regulations, The Kevin Mitnick Memorial Hospital system (KMMHS) must have the following information about the applications that are used to create, store, view, maintain or transmit our data. We appreciate your help in returning this form to us as quickly as possible. Feel free to attach diagrams or other supporting documents if they are relevant. The information you provide will be reviewed by KMMHS’s IT Department, Compliance Department and/or the IT Security Department. And your responses are confidential. Application Information Response What is the application name? What is the name of the company that provides the application? Who is the primary application contact for this third party interface at KMMHS?Who is the IT Security Team Manager contact for this application? Please describe how is the application used? Does this application create, store, view, maintain or transmit Protected Health Information (PHI), Personal Identity Information (PII), or Payment Card Information (PCI)? Yes No If the answer to the above question is “No,” please identify who completed this form Completed By (Name): _________________________________________________ Date___/___/___ Signature: _______________________________________________ and STOP. If the answer is “Yes”, please continue.
  • 12.
    12 This section tobe completed by the third party vendor. Completed by vendor contact: _________________________________________ Date___/___/___ Signature: _______________________________________________ User Authentication Controls Response Does each user have a unique login or identifier? Yes No Are users automatically logged off after some period of time? Yes No What is the automatic log off time period? (# of minutes)Are accounts automatically locked if there are failed login attempts? Yes No What is the number of failed attempts that are allowed before an account is locked? (# of attempts) Does the application require users to change their password? Yes No How often must users change their password? (# of days)What is the minimum password length? (# of characters)Are upper/lower case, numbers and special characters supported in passwords? Yes No Are passwords encrypted while stored? Yes No Are passwords encrypted when transmitted? Yes No User Authorization Controls Response Is user access reviewed and authorized before being granted? Yes No Is user access based upon the principle of ‘least privilege’? Yes No Are role based user profiles defined and used? Yes No Is separation of duties addressed when user access is granted? Yes No Is user access reviewed periodically to ensure that access is appropriate? Yes No Is there a process for removing access for terminated employees? Yes No User Access Monitoring Response Are user log on (successful and failed) attempts logged? Yes No Are user transactions (application activities) logged? Yes No Is log/audit trail data protected (files cannot be deleted or modified)? Yes No How long is log/audit trail data retained? (# of months)Is log/audit trail data reviewed periodically to detect anomalies? Yes No What is the frequency for log/audit trail review? (# of times per week)If an anomaly is detected, is an incident response process in place to investigate? Yes No Data Protection Controls Response Is the application data classified as “protected”? Yes No If data is classified as protected, is data encrypted while at rest? (stored data encryption) Yes No Is protected data encrypted while in transit? (data in motion encryption) Yes No What encryption standard is used? (for example: AES-128, AES-256, Triple DES)
  • 13.
    13 Is protected datastored within a database? Yes No What database is used? (for example: SQL Server, Oracle) Do you back up data on a regular basis? Yes No Is protected data stored or accessed from a thumb drive or other portable media? Yes No Do you have a process in place to destroy portable media that contains protected data? Yes No Do you allow personally owned devices to access protected data? Yes No Do you have processes in place to destroy protected data that may be printed? Yes No Is there a disaster recovery plan for this application? Yes No Do you have a plan to continue operating in case of an emergency? Yes No Do you have a process for testing and applying patches or updates to your systems and applications? Yes No Is there are process to identify and remediate application vulnerabilities? Yes No Please attach an application data map that shows the flow of all protected information. This section is to be used to document any comments or risks that are not easily explained when responding to the questions. Each numbered line is intended to be used for each unique discussion item. 1. 2. 3. 4. 5. 6. 7. 8. Completed By (Name): _________________________________________________ Date___/___/___ Signature: _______________________________________________ Thank you for your help. To be completed by KMMHS. Reviewed By (IT Security Team Member Name): ____________________________________ Date___/___/___ Signature: _______________________________________________
  • 14.
    14 Appendix 2 Manufacturer DisclosureStatement for Medical Device Security Form
  • 15.
    15 Bibliography Verizon Enterprise Solutions“2014 Data Breach Investigation Report,” Catalan, Brandon, “ADJ-581 Principles of Forensics, Week 12, Crime Scene/Incident Procedures” Salve Regina University Cichonski, Paul, Millar, Tom, Grance, Tim, Scarfone, Karen. “Computer Security Incident Handling Guide; Recommendations of the National Institute of Standards and Technology.” National Institute of Standards and Technology:U.S. Department of Commerce, Special Publication 800-61, Revision 2. http://dx.doi.org/10.6028/NIST.SP.800-61r2 (accessed February 23, 2017) De Voe, Charles and Rahman, M Syed (Shawon), “Incident Response Plan For a Small to Medium Sized Hospital.” International Journal of Network Security & Its Applications, Vol 5, No. 2 (March 2013) Durkan, Jenny A., Cobb, Alicia, “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” The Cybersecurity Law Report, Vol 1, No 4 (May 2015) Federal Deposit Insurance Corporation, “Incident Response Programs: Don’t Get Caught Without One,” Supervisory Insights Forcepoint, “The Cost of the Unintentional Insider,” Forcepoint, Powered by Raytheon Hathaway, Melissa, “United States of America Cyber Readiness at a Glance,” Potomac Institute for Foreign Policy, (September 2016) Hau, Bill, “Incident Response:A New Model Needed,” 2013 Incident Response Survey Report, Information Security Media Group HIMSS, “2016 HIMSS Cybersecurity Survey,” Healthcare Information and Management Systems Society HIMSS, “Manufacturer Disclosure Statement for Medical Device Security (MDS2,”) Healthcare Information and Management Systems Society Imprivita, “The C-Suite Battle Plan for Cyber Security Attacks in Healthcare,” (2015). “Malware Trends; Industrial Control Systems Emergency Response Team (ICS- CERT) Advanced Analytical Laboratory (AAL,”) National Cybersecurity Communications Integration Center (October 2016) KnowB4, “Best Practices for Dealing with Phishing and Ransomware,” An Osterman Research
  • 16.
    16 White Paper, (September2016) McArdle, Jennifer, “Developing an Effective Cyber Incident Response Plan Lecture,” Salve Regina University Murphy, Sean. Healthcare Information Security and Privacy. New York: McGraw-Hill, (2015) NIST, “Computer Security Incident Handling Guide,” Special Publication 800-61 (August 2012), Ponemon Institute,“The Cyber Resilient Organization: Learning to Thrive Against Threats,” (September 2015) Ponemon Institute (2016), “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.” Page 1-32. PWC, “Cyber Crisis Management: A Bold Approach to a Bold and Shadowy Nemesis,” (Aug 2011) Sans Institute,“Protection of Information Assets,” Info Sec Reading Room (2002). Siemens Healthineers “DX Privacy Incident Management Process Guidance.” H DX Product Security & Privacy Office (Revised June 30, 2014) Siemens Healthineers “Security Incident Report Form.” GP-099 DX-Product Security Common Procedures – Version 1.0 Verizon Enterprise Solutions “2014 Data Breach Investigation Report,” World Economic Forum, “Risk and Responsibility in a Hyperconnected World,” (January 2014)