In both cybersecurity and patient care, seconds matter, especially in an emergency. Just like doctors and nurses move fast when a patient’s life is on the line, cybersecurity teams have to act quickly to stop threats before they get out of hand. That’s why being fast, precise, and prepared matters as much in the SOC as it does in the ER.

When systems go down or are inaccessible, treatment gets delayed, leading to potentially life-threatening consequences. The entire community can be affected as patients are diverted to facilities that may not be nearby or lack the necessary resources to handle the surge. And then there are the costs associated with downtime: On average, downtime caused by ransomware attacks costs U.S. healthcare systems almost $2 million per day.

The accelerating rate of attacks means healthcare organizations must respond faster when they occur. There are two critical levers to achieve this: planning and precision.

Plan for the worst to respond at your best

When it comes to cybersecurity, it’s smart to plan for the worst. The more you plan for something bad to happen, the more equipped you are to respond. As we often say, the question is not if, but when. 

When an attack or other issue does occur, the main difference between being down for months versus minutes or a day is having a mature and tested incident response plan. Without an IR plan, your cybersecurity team is flying blind, resulting in confusion and inefficiency that significantly slows your response time.

Critical elements of a strong response plan include:

  • Documenting clear roles and contact information. You should know who to call and have their contact information stored in a way that’s accessible even if systems aren’t. (This includes contact information for your cyber insurance carrier, who should also be alerted right away.) Everyone responsible for cybersecurity should be aware of the actions to take in various scenarios.
  • Prioritizing system shutdown and recovery steps. Have a plan for isolating system components in a controlled manner to minimize damage and maintain essential functions. This will help minimize threats and speed up recovery efforts.
  • Maintaining immutable, segmented backups. Because data is stored in a read-only format, immutable backups are tamper-proof. Segmenting backups facilitates faster restoration by dividing large amounts of data into smaller, more manageable files.
  • Conducting regular tabletop exercises. Just having a plan on paper isn’t enough; you’ve got to put it into action to find any gaps or other issues. Documenting the lessons learned and turning them into action items is critical.

Just like healthcare professionals are trained to respond to medical crises, IT teams should be trained for cybersecurity threats in advance, not left to figure out what to do during a crisis.

Fine-tune technology to filter out noise

When security tools flood teams with hundreds of alerts every day, it’s easy to miss the one that really matters. A lot of those alerts turn out to be false alarms, eating up time and resources that could be better spent stopping real threats.

When detection tools are tuned to recognize genuine issues, alerts are more trustworthy and inspire immediate action. Security information and event management (SIEM) and endpoint detection and response (EDR) platforms can be configured for improved accuracy, enabling teams to prioritize alerts and investigation processes that optimize response times.

Implementing these tweaks can be difficult for internal teams to manage on top of their regular responsibilities. In fact, many healthcare organizations struggle with designing and applying the framework I’ve outlined here, given that they may have only one or two people dedicated to cybersecurity.

One solution is to outsource implementation, management, and monitoring to a cybersecurity partner with expertise in the unique needs and nuances of a healthcare environment, as well as familiarity with its specific systems and equipment, such as EHR platforms, PACS, and Pyxis machines. They can implement and oversee cybersecurity initiatives without the distractions of everyday operations or internal projects, enabling them to act on threats immediately.

Building a foundation for rapid response

Whether outsourcing cybersecurity planning and tasks or keeping them in-house, healthcare organizations should prioritize certain baseline technical capabilities. Conducting an asset inventory documents every component of the network infrastructure, ensuring that activities such as vulnerability scanning for gaps and weaknesses have complete visibility.

In terms of software solutions, endpoint detection and response (EDR) is critical. Beyond phones and notebooks, healthcare environments are filled with connected devices like infusion pumps, MRI machines, smart hospital beds, and PACS systems that serve as gateways for cyberattacks. Security information and event management (SIEM) platforms use advanced analytics and AI capabilities to identify unusual activity and other signs of threats, enabling teams to detect and address incidents quickly.

It goes without saying that healthcare organizations must continue to mature their patch management processes to keep up with the ever-changing threat landscape. Regular user education is also essential to train staff to recognize phishing attempts and other scams designed to gain access to credentials, especially since healthcare professionals are often working in fast-paced, high-pressure situations where cybersecurity concerns and practices can easily be forgotten.

Finally, you can’t improve cybersecurity response time without measuring the effectiveness of your plan. Regularly testing and evaluating processes with drills and other exercises can help organizations to identify and address issues that are causing delays or confusion. This is especially critical in a landscape where threats and technologies are constantly changing.

Fast response doesn’t happen through luck: it’s planned

Reducing response times requires more than technology. It requires smart, proactive planning for incident response and recovery, fine-tuning technologies to optimize alerts, and fortifying foundational capabilities with asset inventories, vulnerability scanning, endpoint defense, and security training. For many organizations, outsourcing cybersecurity to a qualified partner can reduce the burden on internal resources.

In an environment where healthcare systems are increasingly popular targets for cyberattacks, it’s imperative that organizations can respond quickly and comprehensively. Preparation and precision protect more than data and money — they help save lives.



Preston Duren is Vice President of Threat Services at Fortified Health Security and brings 16 years of IT/security expertise to his role as VP of Threat Defense Services at Fortified. His experience spans threat and vulnerability management, security engineering, security program development, digital forensics, and SOC. Previous roles include engineering/architecture at Community Health Systems and Information Security Officer at RCCH Health.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
