As healthcare continues to be the biggest target for cybersecurity attacks, tools like threat intelligence are playing an increasingly critical role in ensuring organizations can proactively identify bad actors and track campaigns.
What has become just as important as having a multilayered strategy for detection and response, however, is the ability to educate users and ensure they’re empowered to act. “It’s about blocking and tackling; doing the things that need to be done and aligning that to a risk-based approach,” said Chris Bowen, CISO/Founder of ClearDATA. And while threat intelligence is a critical part of the strategy, “so is the communication piece.”
During a recent discussion, Bowen and co-panelists Adam Zoller (CISO, Providence) and Kim Alkire (System Director, Cyber Wellness, Health First) shared strategies for detecting and containing threats, crafting an effective response plan, and communicating it to shareholders.
“Trying to get upstream”
Perhaps the most important piece in improving Mean Time to Respond/Remediate, according to Zoller, is the ability to detect potential threats. “You need to have eyes and ears in every part of the organization and every part of the information ecosystem, because lack of coverage in one area is going to hurt you.” To that end, his team subscribes to several commercial threat intelligence feeds to gain visibility into potential threat vectors such as compromised accounts. Doing so, he said, enables Providence to “build our own picture and profile the actors that are targeting us,” so that they can get out in front of attacks.
It’s not an easy feat for an organization that ingests around 14 terabytes of telemetry per day across the ecosystem. “We’re trying to get upstream in the kill chain,” Zoller noted. “To do that, you really have to comb the environment.”
Bowen concurred, adding that knowing where threat actors exist, both internally and externally, is essential. Through its Managed Detection & Response software, ClearDATA leverages threat intelligence and analytics to provide monitoring and enable real-time threat detection. According to Bowen, the company has deployed around 10,000 threat sensors in more than 250 health systems to help safeguard data.
By utilizing tools like the ones offered by ClearDATA, organizations can respond more rapidly to potential incidents and, just as importantly, close up gaps that still exist. “If I can detect and contain these things relatively quickly, I can limit the risk of exposure that my organization faces,” said Zoller. Ensuring the entry vector used by the adversary has been eliminated can provide some much-needed breathing room for IT security teams, the panelists noted.
Defining roles
It also leaves time to focus on other critical components, like what is expected from different departments in the event of a breach. “There are a lot of different considerations when it comes to getting into the trenches and responding to these events,” said Bowen. “Having these things defined is very important.”
Alkire’s team reached the same conclusion after a recent executive tabletop session, which emphasized the importance of “enabling our responders to make timely decisions, knowing it might negatively impact the business temporarily,” she said. If a ransomware threat surfaces, for example, “we might have to cut off some limbs to protect them. And so, being able to have those discussions so that it’s not a surprise in the moment is really valuable.”
Part of that entails explaining how an event might play out and what talking points might be used to explain to the business side why actions are being taken. “If you haven’t done this, I highly suggest it.”
Bowen strongly agreed, advising security leaders to designate in advance who can speak with whom, and when. Governing the “chatter that happens” is critical, he said, and should include social media posts as well.
“Practice is your friend”
The more this is reinforced, the better equipped teams will be to handle difficult situations. “Practice is your best friend,” said Bowen, who recommended conducting cyber-incident exercises that include “strategic level injects” that can provide insights into what happens in an emergency situation. “You’re going to have to make very difficult calls to virtually isolate branches of your business and potentially impact the ability to do business or to provide patient care in some cases,” he said. Educating individuals about the decisions that security leaders must be empowered to make — along with the downstream implications of those decisions — is “incredibly important.”
Similarly, clinical staff need to know what will happen if, for instance, a biomedical device is taken offline, said Zoller, who believes initiating those conversations should be a top priority. “Developing relationships ahead of time and making sure they know who to call is going to save a lot of time and heartache during an incident.”
Planting a seed
At Providence, his team regularly schedules hospital tours, during which they work with nurse managers to create process-driven responses to situations that can arise. In doing so, they’ve found “some really interesting nuggets about how individual hospitals work,” he noted. The goal is to “plant the seed in the clinicians’ minds that these types of things are within the realm of possibility, and they need to think about how they would revert to paper.”
It’s something that can’t be overlooked, according to Alkire, particularly as clinicians have become so accustomed to doing things digitally. “A downtime is not what it was 10 years ago. It’s more of a culture shock now.”
It’s also dangerous, as information can age quickly without internet connectivity, potentially putting patients at risk. “Being able to relay that information to the business before you’re in that scenario is really important so that they have adequate time to prepare and update their processes and know exactly what to expect,” said Alkire. “Because unfortunately, in our world, it’s a matter of life and death if they aren’t successful in making that transition.”
On the other hand, if solid plans have been established and practiced, and the right tools are in place, clinicians can take action based on intelligence. For CISOs, it means not just creating runbooks, but “having them documented, having them accessible, and exercising them so that your team doesn’t have to dig out checklists to figure out what to do,” said Alkire. “You have to think ahead and be prepared.”
An archive of this webinar, Keys to Minimizing Threat Alert to Remediation Time, is available.