Operational Continuity-Cyber Incident Checklist Published by HSCC

Share this article on:

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has published an Operational Continuity-Cyber Incident (OCCI) checklist which serves as a flexible template for responding to and recovering from serious cyberattacks that cause extended system outages, such as ransomware attacks.

Ransomware attacks on healthcare organizations increased significantly during the pandemic and continue to be conducted at elevated levels. Ransomware threat actors steal sensitive data that has a high value on the black market, threaten to publish that data to pressure visitors into paying, and the extended system outages due to the attacks can cause considerable financial losses, increasing the probability of the ransom being paid. Warnings have recently been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) about ransomware groups that are actively targeting critical infrastructure, including healthcare organizations.

In addition to cybercriminal groups, hospitals are a target for nation-state threat actors. The Five Eyes cybersecurity agencies recently warned that there is an elevated threat of cyberattacks on critical infrastructure in retaliation to the sanctions imposed on Russia by the United States. There is also a risk that healthcare organizations may fall victim to cyber incidents that have been directed at organizations in Ukraine, as was the case with the NotPetya wiper malware attacks in 2017. The development and release of the checklist were accelerated in light of the rising geopolitical tensions from the Ukraine-Russia conflict, and the increased threat to healthcare organizations in the United States.

Due to the high risk of attacks, healthcare organizations need to prepare for attacks and ensure that the business can continue to operate should it not be possible to immediately restore access to critical systems. Having an incident response plan that can be immediately implemented will help to minimize the damage caused and the impact on patients and medical services.

The OCCI toolkit includes a checklist of the steps that should be taken during the first 12 hours after a security incident occurs and outlines actions and considerations for the duration of cybersecurity incidents. The checklist is broken down into role-based modules that align with the Incident Command System but can be refined or modified to match the size, resources, complexity, and capabilities of different organizations, from small physician practices up to large hospitals and health systems.

An incident commander should be appointed to provide overall strategic direction on all response actions and activities, a medical-technical specialist should advise the Incident Commander on issues related to the response, and a public information officer is required to communicate with internal and external stakeholders, site personnel, patients and their families, and the media. The checklist also provides a list of steps that need to be completed by the safety officer and section chiefs. For smaller organizations, those roles may need to be combined to suit their organizational structures.

The checklist was created from input provided by leading health sector cybersecurity and emergency management executives that participate in the HSCC Incident Response/Business Continuity (IRBC) Task Group.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On