Lessons learned from HITRUST CyberRX 2.0

Date: June 9, 2016

Written by Anahi Santiago, CISO, Christiana Care Health System

The results of CyberRX 2.0 were released in early December 2015. Although the exercise involved health plans only, the findings, which revealed the top five actions to improve cyber resilience, should be reviewed by CISOs and other Information Security leaders across the healthcare industry. With the increasing rate at which the industry has become a target, it is imperative that organizations have a rock-solid incident response plan.

  1. Involve your third parties. Most organizations understand that an incident response plan must include all areas of the organization, from the technologists who perform forensic analysis of the compromised environment, to legal and corporate communications, to the nurse on the floor who will undoubtedly be the first to field questions from patients as soon as the incident is publicized by the media. As more organizations begin to rely on third-party partnerships, including those out in the cloud, it is imperative that those critical third parties find their way into the playbooks. Based on industry trends, the likelihood that a breach will either impact or be the result of a third party has increased to the point where it can no longer be an afterthought.
  2. Threat intelligence sharing is crucial. The industry’s challenges in sharing threat information are a key contributor to the escalating number of breaches experienced in the past few years. This is a recurring theme and was also a key finding in CyberRX 2014. While aware of the problem, the industry has not overcome it. As leaders, we must work together to come up with valid solutions to combat the reluctance and inability to share information. We cannot sit passively and rely solely on the public sector or our vendors to solve this problem.
  3. Understand your cyber liability insurance. This is a new industry for all players across the board, regardless of sector. Carriers have very specific requirements on how to engage third parties throughout the response process. They also have detailed procedures on how to file claims and distinct parameters for coverage. Trying to figure out how to navigate these complexities in the middle of an incident could lead to delays in coverage, potential denials and additional overall costs.
  4. If you have an incident response plan, use it. If you don’t, build one and exercise it. The findings noted that only two out of twelve organizations utilized their incident response plans during the exercise. The time and effort to build these plans is not insignificant, and the plans themselves are extremely valuable. Incident response plans should be exercised via tabletops or drills on a regular basis. As in sports, more exercises translate to better performance. That being said, the pressures that come along with incident response make the process prone to mistakes and deviations. A well-formed plan will provide a level of regimen that ensures effectiveness and reduces the risk of mistakes.
  5. Ensure the response plan includes a thorough communication plan. The plan should include parameters for when to engage the insurance carrier, the legal department, the board, external affairs, all staff and law enforcement. The timing of each level of communication is crucial to the overall management and containment of the incident. Include specifics on assessing and engaging vehicles of communication in the incident response plan.

Anahi Santiago is Chief Information Security Officer at Christiana Care Health System, one of the country’s largest health care providers. She is a member of several Information Security and Privacy organizations and a nationally recognized speaker on Information Security and Privacy.
