HSCC Published Business Continuity Cyber Incident Checklist

The Cybersecurity Working Group (CWG) of the Health Sector Coordinating Council (HSCC) has published an Operational Continuity Cyber Incident (OCCI) Checklist that serves as a flexible template for responding to and recovering from serious cyber attacks that cause prolonged system outages, such as ransomware attacks.

Ransomware attacks on healthcare organizations have increased significantly during the pandemic and continue to be carried out at high levels. Ransomware threat actors steal sensitive data that has high value on the black market and threaten to publish that data to pressure victims to pay. Prolonged system outages due to attacks can cause significant financial loss, which increases the probability that the ransom will be paid. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued warnings about ransomware groups actively targeting critical infrastructure, including healthcare organizations.

In addition to cybercriminal groups, hospitals are a target for nation-state threat actors. The Five Eyes cybersecurity agencies recently warned that there is an elevated threat of cyberattacks on critical infrastructure in retaliation for sanctions imposed on Russia by the United States. There is also a risk of healthcare organizations falling victim to cyber incidents targeting organizations in Ukraine, as was the case with the NotPetya wiper malware attacks in 2017. Development and release of the checklist was accelerated in light of rising geopolitical tensions from the Ukraine-Russia conflict and the growing threat to healthcare organizations in the United States.

Due to the high risk of attacks, healthcare organizations must prepare for attacks and ensure that the business can continue to operate in the event that access to critical systems cannot be immediately restored. Having an incident response plan that can be implemented immediately will help minimize the damage caused and the impact on patients and medical services.

The OCCI Toolkit includes a checklist of steps to take in the first 12 hours after a security incident occurs and outlines actions and considerations for the duration of cybersecurity incidents. The checklist is divided into role-based modules that align with the Incident Command System, but can be refined or modified to match the size, resources, complexity, and capabilities of different organizations, from small medical offices to large hospitals and health systems.

An Incident Commander is to be designated to provide overall strategic direction on all response actions and activities, a Medical-Technical Specialist is to advise the Incident Commander on issues related to the response, and a Public Information Officer is required to communicate with internal and external stakeholders, including site staff, patients and their families, and the media. The checklist also provides a list of steps to be completed by the security officer and section chiefs. For smaller organizations, those roles may need to be combined to fit their organizational structures.

The checklist was created based on input provided by top healthcare cybersecurity and emergency management executives participating in the HSCC Incident Response/Business Continuity (IRBC) Task Force.
