Guidance on Managing the Cybersecurity Tactical Response in a Pandemic

Joint guidance has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations, such as a pandemic.

Threat actors will try to exploit emergency situations to conduct attacks, which has been clearly seen during the COVID-19 pandemic. In many cases, the duration of an emergency will limit the potential for threat actors to take advantage, but in a pandemic the period of exposure is long. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to exploit COVID-19 to conduct attacks on the healthcare sector.

The key to dealing with the increased level of cybersecurity threat during emergency situations is preparation. Without preparation, healthcare organizations will find themselves constantly fighting fires and scrambling to improve security at a time when resources are stretched thin.

The new guidance was created during the COVID-19 pandemic by HSCC’s Cybersecurity Working Group (CWG), H-ISAC, and healthcare industry and government cybersecurity experts. It is intended to help healthcare organizations develop a tactical response for managing the cybersecurity threats that increase during emergencies and to improve their level of preparedness.

During the COVID-19 crisis, cyber threat actors have conducted a range of attacks on healthcare organizations including phishing attacks, domain attacks, and malware and ransomware attacks. The attacks came at a time when healthcare organizations were attempting to provide care for highly infectious patients, deploy remote diagnostic and treatment services, and transition to teleworking to prevent the spread of COVID-19. The change in working practices significantly increased the attack surface and introduced new vulnerabilities and attack vectors.

“For each gain delivered by automation, interoperability, and data analytics, the vulnerability from malicious cyber-actors increases as well,” explained HSCC/H-ISAC in the guidance document. “To thwart these attacks before they occur, it is essential for healthcare organizations to establish, implement, and maintain current and effective cybersecurity practices.”

The guidance document can be used by healthcare organizations of all sizes to improve their cybersecurity programs and prepare for emergency situations. Smaller healthcare organizations can use the guidance to help them choose appropriate measures to improve their security posture, while larger organizations that have already planned their tactical crisis response can use the guide as a checklist to ensure nothing has been missed.

The guidance document divides techniques, practices, and activities into four main sections: Education and Outreach; Enhance Prevention Techniques; Enhance Detection and Response; and Take Care of the Team.

The cybersecurity response to a crisis is largely dependent on technical controls, but HSCC/H-ISAC explains that education and outreach play an important part in the success of the response strategy. In emergency situations, even the best laid plans can come unstuck without proper education and outreach. Organizations that communicate their plans effectively will reduce confusion, improve response times, and maximize the effectiveness of their cybersecurity plan. The guide explains how to develop a communication plan and conduct policy and procedure reviews effectively.

Preventing cyberattacks is critical. Most healthcare organizations will have implemented a range of measures to thwart cyberattacks prior to the public health emergency, but HSCC/H-ISAC suggests three practices should be reviewed: limiting the potential attack surface, bolstering remote access, and leveraging threat intelligence feeds.

Reducing the attack surface requires effective vulnerability management, accelerated patching, securing medical devices and endpoints, and managing third party network access. The guidance document suggests some of the ways that remote access can be secured, and how to leverage threat intelligence feeds to prevent attacks and accelerate the response.

Many attacks are difficult to prevent, so it is critical for mechanisms to be developed and implemented to detect successful attacks and respond quickly. The guidance document suggests some of the steps that can be taken to enhance detection and response to attacks.

It is also important to take care of the team. In crisis situations, health, well-being, job security, and financial stability are all key concerns for healthcare employees. It is important for organizations to communicate effectively with their workers, address these concerns, and share how the organization will support employees during the crisis.

You can view and download the guidance document at this link. A second guidance document was released by HSCC earlier this month that details steps healthcare organizations can take to protect trade secrets and research. The guidance document is available for download here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.