HSCC releases Operational Continuity Cyber Incident checklist for health sector

The Healthcare and Public Health Sector Coordinating Council (HSCC) has released a checklist that provides the healthcare sector with a flexible template for operational staff and executive management to refer to when responding to extended outages brought on by cyberattacks. 

“Its suggested operational structures and tasks can be modified or refined according to an organization’s size, resources, complexity and capabilities,” the HSCC said in its document titled ‘Operational Continuity-Cyber Incident (OCCI).’ It represents the best collective thinking of private-sector cybersecurity and emergency management executives of the HSCC Incident Response/Business Continuity (IRBC) Task Group of the Health Sector Coordinating Council’s Cybersecurity Working Group (CWG). It is also not associated in any way with any regulatory compliance program.

HSCC has organized the checklist into role-based modules aligned with the incident command system. As enterprises manage their cybersecurity and emergency management roles with varying structures, the checklist “attempts to generalize as much as possible to scale and align with those variations. Users will naturally tailor this checklist to fit their specific organizational structures or may adopt some of the recommendations as new additions to their operating procedures,” it added.

The document identifies that as the IRBC Task Group was being stood up, it was clear that geopolitical tensions from the Ukraine-Russia conflict were introducing a higher threat level to the health sector, calling for heightened awareness and immediate preparations against potential disruptions to healthcare delivery. “Accordingly, through the IRBC TG, the HSCC created this tactical checklist with an accelerated development cycle to anticipate the potential for an extended outage in the event of direct cyber-attacks or collateral fallout and put it into the hands of our stakeholders as quickly as possible. This is a living document that can be refined using stakeholder feedback with operational experience,” it added.

Following assessment by the CIO, CISO, and senior leadership, the incident command may be activated, the document said. The threshold for activation could be a prolonged massive disruption that meets or has the potential to meet these criteria: patient safety and/or member service impacts; large-scale clinical workflow, patient care, and/or member service impacts; and implementation of preventative defenses that could impact clinical workflow, it added.

The document also calls for a Medical-Technical Specialist or a subject matter expert, who advises the incident commander or section chief on issues related to response, provides understanding, and communicates specific impact and recommendations given their area of expertise. 

The new HSCC document also assesses impacts on materials management and ordering processes. It analyzes the implementation of manual inventory and ordering processes for supply chain management and the fulfillment of a manual process for distribution, supply chain, and redistribution of clinical and operational supplies. It also addresses ensuring the availability of durable medical equipment and oxygen.

The Operational Continuity Cyber Incident document comes close to the release of a ‘Model Contract Language’ by the HSCC that provides a reference for shared cooperation and coordination between healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs). Additionally, the Food and Drug Administration (FDA), an agency of the U.S. Department of Health & Human Services (HHS), released draft guidance with recommendations on cybersecurity device design, labeling, and documentation, which the agency recommends be included in premarket submissions for devices with cybersecurity risks.

The health sector has directly faced various cybersecurity incidents, which have often rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities both in the U.S. and globally. 

The WannaCry ransomware affected organizations in the health sector and medical devices across the globe. Vulnerabilities identified in commonly used third-party components, like URGENT/11 and SweynTooth, have led to potential safety concerns. Last year’s ransomware attack on a German hospital highlighted delayed patient care when a cyberattack forced patients to be diverted to another hospital. The sector was also called upon to take immediate action to protect against Log4j exploitation. 

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) and FBI updated their February advisory on destructive malware targeting organizations in Ukraine to include additional indicators of compromise (IOCs). In addition, they encouraged U.S. organizations to take specific actions to monitor and protect their networks.

Following the advisory from the U.S. security agencies, the American Hospital Association (AHA) called upon agencies in the health sector to update technical signatures of destructive malware and adopt additional defensive actions. 

“This advisory provides additional IOCs for the WhisperGate malware, first discovered on Ukrainian networks in January 2022. Although the malware poses as ransomware, it actually destroys the data making it unrecoverable,” John Riggi, AHA’s national advisor for cybersecurity and risk, said in a media statement. 

“Our ongoing concern is that U.S. hospitals and health systems, or one of our mission-critical service providers, become collateral damage in a destructive malware attack targeted against Ukraine,” according to Riggi. “It is strongly recommended that all heightened defensive measures remain in place and cross-function cyber incident response plans, downtime procedures and backups be tested,” he added.
