The Health Sector Coordinating Council’s Cybersecurity Working Group issued another healthcare resource this week: a toolkit meant to support operational staff and executive leadership with responding to extended outages brought on by cyberattacks. HSCC collaborated with cybersecurity and emergency management executives to compile the guide.
HSCC issued new guidance targeting communication methods for disclosing medical tech vulnerabilities, earlier this week.
The new Operational Continuity-Cyber Incident toolkit provides healthcare entities with a flexible template, which includes the suggestions for needed operational structures and tasks able to be tailored to the needs of an organization, based on size, resources, complexity, and capability.
The guide is broken down into role-based modules that align with an incident command system and include specific recommended actions for each role. HSCC noted that “as enterprises organize their cybersecurity and emergency management roles with varying structures, this checklist attempts to generalize as much as possible to scale and align with those variations.”
Ideally, leadership would tailor the checklist to fit their organization’s needs and as part of their existing operating procedures. The “response guideline” includes step-by-step actions and considerations to be taken within the first 12 hours of discovering a cyberattack.
The guide includes a breakdown of responsibilities for each role, including incident commander, medical-technical specialist or subject matter expert, public information officer, liaison, safety officer, operations section chief, planning section chief, finance chief, logistics chief, and intelligence leader.
As noted by Mitre earlier this year, these roles should be assigned and the plans well-practiced long before a cyberattack so as to ensure effectiveness and continuity.
“Hospitals have to be prepared for downtime and have to be prepared to go back to paper,” and that means understanding the procedures for critical systems and looping that back with the IT team, Margie Zuk, senior principal cybersecurity engineer for Mitre and the cyber engagement lead for health care in the Mitre Cyber Solutions Technical Center, previously told SC Media.
“That way when an attack affects one of those systems, they can really respond in an organized way,” she added.
After an assessment by the CIO, CISO, and senior leadership, HSCC stressed that incident command may be activated as “a prolonged massive disruption has the potential to meet… patient safety and/or member service impacts [and] large-scale clinical workflow [and] patient care impacts.”
Further, the implementation of preventative defenses could also impact clinical workflow.
Perfect timing for needed resources
The newly published guidance comes on the heels of several federal agency alerts that have garnered the concern of the American Hospital Association.
First, a new ransomware variant called BlackCat/ALPHV has already claimed more than 60 entities globally since its emergence just over a year ago. The group has ties to the DarkSide/BlackMatter group, which notoriously targeted and shuttered Colonial Pipeline last year.
The connection may indicate the group’s capability of targeting U.S. critical infrastructure, explained John Riggi, AHA’s national advisor for cybersecurity, in a healthcare sector alert. But so far, their intent to exploit U.S. infrastructure remains to be seen.
The group’s use of an advanced programming language known as Rust also increases the reliability of the attacks, which could also prove problematic for healthcare. BlackCat offers its capabilities to other hackers as ransomware-as-a-service, further expanding its reach.
“Given the possible Russian connection and the flurry of recent government warnings of Russian-state sponsored and criminal cyber threats to U.S. critical infrastructure, the BlackCat ransomware group is of significant concern,” explained Riggi.
AHA also encouraged healthcare entities to review federal advisories on the need to apply patches in a timely manner and to implement a centralized patch management system, reducing the risk of exploitation of the vulnerabilities most commonly exploited by cyberattackers in the last two years.
More specifically, hacking groups have been developing and deploying malware that exploits known vulnerabilities within just two weeks of public disclosure. Particularly in healthcare, “this is often far quicker than patches are available and organizations can implement them.”
In hospitals, “patches must be thoroughly tested before being applied to ensure uninterrupted care delivery and patient safety,” said Riggi. Hospital leadership should review this advisory to determine the clear path to prioritizing and remediating the most exploited vulnerabilities.
He added, “it’s also clear that hackers are often less interested in identifying an unknown or ‘zero-day’ vulnerability for exploitation than they are in simply beating us in a race to ‘exploit before we patch.’”
In light of the heightened concerns posed by the continuing Russia-Ukraine conflict, reviewing alerts and free resources can support healthcare entities in securing the enterprise and recovering, if and when the inevitable attack-related outage occurs. Just this week, Tenet Healthcare and the American Dental Association reported falling victim in this manner.