New HIC-CHIRP document provides template to assist healthcare organizations in cyber incident response planning

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has published a template document called ‘Health Industry Cybersecurity Coordinated Healthcare Incident Response (HIC-CHIRP),’ with material for the technical response process to a cybersecurity incident. Such plans and templates provide universal guidance on detecting, containing, responding to, and recovering from cybersecurity incidents across industries, without replicating or replacing existing resources.

The HSCC document aims to promote a coordinated response to disruptive cyberattacks affecting interconnected systems and networks. It outlines a process for addressing cybersecurity incidents affecting patients, staff, visitors, or others. The plan integrates with other organizational plans, such as cybersecurity incident response plans, cybersecurity playbooks, disaster recovery plans, hospital incident command procedures, business continuity plans, emergency management plans, and downtime procedures. It is not intended to replace or circumvent other detailed plans, and the more detailed subject area plans should be deferred to when appropriate.

“Healthcare Delivery Organizations have many of the parts and pieces needed to respond to a cybersecurity incident but guidance is missing on how to tie all of these separate components together,” the HSCC wrote in the document. “The template seeks to serve as the cog that can be installed in the machine to allow all of the components to run together as a Coordinated Healthcare Incident Response Plan. This document is a template. It is not intended to be directly usable to manage a response as-is.”

The HIC-CHIRP document said that sample content is provided throughout the template as a starting point, but it is expected that managers of this tool will use it as a guiding document to develop a plan tailored to their own organization. “Plan guidance is included to help managers of the tool understand the purpose of each section while conducting this planning work. Plan guidance sections are formatted differently from template material for clarity and to allow enterprises to easily remove these sections in their final plan,” it added.

The HIC-CHIRP document is also a planning companion to the operational and response guidance of the Health Industry Cybersecurity Operational Continuity - Cyber Incident (HIC-OCCI), released in May. All incident response plans should be developed with appropriate consultation with all essential stakeholders both within and outside of the organization, consistent with enterprise policies and legal and compliance requirements.

“To ensure the accuracy and operationality of this plan, it should be exercised and evaluated on a regular basis. Exercises should be driven by measurable objectives and can be completed at the team, department, or facility level,” according to the HSCC document. “Examples of exercises could include workshops, tabletop exercises, simulation drills, or functional/full scale exercises. A debrief or after-action review should be completed post-exercise in which opportunities and action items are identified to ensure ongoing maturity and continuous improvement of response processes and this plan for business sustainability.”

Furthermore, the plan should be reviewed on an annual basis or after a response to any cybersecurity incidents or material changes to organizational structures or associated detailed plans. 

The plan is organized by subject area rather than organizational department, allowing for more direct responsibility mapping. “Based on the size and structure of an organization, multiple subject area responsibilities may be shared by a single group or individual, or an individual subject area may spread across multiple groups. An organization may choose to condense or expand this plan to match its organizational structure if a more direct responsibility mapping is desired,” the HIC-CHIRP document added.

The high-level milestone activities are recorded for each subject area with the expectation that detailed activities are recorded in respective plans (i.e., cybersecurity incident response plan and playbooks, breach response plan, downtime procedures, organizational policies, standard procedures, and hospital incident command plans). 

The HIC-CHIRP document said that subject areas should not advance to milestone activities in further rows until the milestones from other subject areas are also completed and the areas have synchronized. “This approach prevents unnecessary linear blocking of timely activities while also reducing risk of adverse effects from taking some actions too soon. An organization should review the milestones below and carry out a comparative analysis of internal individual detailed plans and tailor the Coordinated Response Plan as appropriate for their own organization.”

The ‘Plan Guidance’ section sets forth the process and criteria for identifying a cybersecurity incident as appropriate for the activation of the coordinated response plan. The document provides example roles, responsibilities, and decision authority, as well as criteria to support the decision. These roles and associated criteria should be tailored based on organizational structure and risk tolerance for business disruption. Additionally, secondary contact information not reliant on any internal systems should be identified for each role in the event that communication systems are impacted.

Cybersecurity incidents can vary in size and scope. The HIC-CHIRP plan is intended to be implemented following a disruptive cybersecurity event that results in a business interruption or disturbance in which downtime or continuity plans are implemented. 

The HIC-CHIRP document outlines criteria to be considered when evaluating a cybersecurity incident for coordinated response plan activation. These include a disruptive cybersecurity attack where business-critical information systems are unavailable, a disruptive cybersecurity attack where a significant portion of endpoints (desktops/laptops/mobile devices) are unavailable, and a disruptive cybersecurity attack on non-business-critical systems with significant potential to spread to business-critical information systems. 

It also adds a substantiated immediate threat of disruptive cybersecurity attack with significant potential to impact business-critical information systems or a large portion of endpoints, and a data theft cybersecurity attack that warrants disruptive responsive actions to contain and/or mitigate the attack that will impact business-critical information systems or a large portion of endpoints. 

Operating in phases, allowing parallel work to occur for timeliness while also ensuring certain activities are serialized to avoid increased risks, is a key concept behind the coordinated response plan. Before moving from one phase to the next, it is important to synchronize across the subject areas to ensure all phase activities are complete and transfer necessary knowledge to enable activities in the next phase. 

“Synchronization within phases is also beneficial to reduce uncoordinated information gathering and speed identification and resolution of roadblocks to recovery. The most effective way to facilitate the synchronization across subject matter areas is through the use of a command center structure,” according to the HIC-CHIRP document. “An organization may already have a command structure and cadence defined in Emergency Management or Hospital Incident Command plans which could be referenced here, but organizations should validate those plans appropriately provide coverage for the subject domains involved in a cyber event.” 

It added that for a smaller organization, a single command center might be appropriate to cover all subject areas. In a larger organization, dedicated command centers allow for more focused sessions with less risk of distractions. 

The HIC-CHIRP document identifies that communications are essential to keeping various teams aware and updated of incident actions. “A collaborative and multi-disciplinary communication strategy should be developed prior to an incident. The communication strategy should include when specific notifications should occur and the responsible parties for providing that communication.”

It added that pre-identifying a responsible party for each contact avoids omitting a contact or duplicating efforts. “An organization should review the table for relevancy, remove or add external entities as appropriate, and update contact and responsible party information. A primary and secondary responsible party being named is recommended. The roles found here are suggested recommendations and should be updated according to organizational structure and responsibilities.”

The document also noted that targeted containment strategies (e.g., disconnecting an infected host from the network or disabling a compromised account) should be included in detailed cybersecurity response plans and playbooks, but during a disruptive cybersecurity incident more holistic, broad-scale containment strategies may be required.

In the event of an extortion-based attack, it may be necessary to make timely and difficult decisions, the HIC-CHIRP document said. Conversations at the executive leadership level should be conducted before an event to discuss and define an extortion strategy. During an incident, certain items should be considered in acting on the extortion philosophy. These include the level of confidence in encryption keys, the status of usable backups, the scope/impact of the cybersecurity attack, the level of downtime maturity and downtime processes for the hospital/health system, and the anticipated recovery timeline.

Implementing a well-defined incident response plan is crucial for accurately locating issues and efficiently recovering the system, Jonathon Gordon, directing analyst at Takepoint Research, wrote in the ‘Industrial Cybersecurity Technology, Solutions & Services – Buyer’s Guide 2023.’ “Industrial incident responses must include proactive elements, such as planning, incident prevention, and post-incident analysis/forensics, alongside reactive elements, which focus on detecting and managing an incident,” he added.

Last November, not-for-profit organization MITRE released a playbook providing practical considerations to address medical device cybersecurity incidents, revised this year. Featuring tools, techniques, and resources, the playbook outlines a framework for healthcare delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure the effectiveness of devices, and protect patient safety.
