Incident Response for Health Care IT: Differences and Drivers


Threat actors continue to target the health care industry. IBM’s Threat Intelligence Index for 2022 rates the industry as the sixth most targeted, close behind the energy and the retail and wholesale sectors. Certain regions seem to be more prone to attack as well: the Asia-Pacific region accounted for 39% of all health care-related attacks, with North America next at 33%. Unsurprisingly, ransomware is the leading known method of attack, representing 38% of cases.

Some other noteworthy attack methods are:

  • Business email compromise
  • Vulnerability exploitation
  • Server access
  • Credential harvesting
  • Misconfigurations
  • Phishing
  • Stolen credentials.

These methods should not shock readers; many of them are responsible for most cybersecurity incidents. But what makes the health care industry different? Specifically, what are the unique challenges the industry faces?

Unique Needs for the Health Care Industry

Health care attacks are particularly expensive for the victim. However, the consequences go far beyond cost. Health care organizations are particularly at risk because of: 

  • The need for a fast response
  • Types of data handled
  • Types of devices used and service delivery methods
  • Investment, awareness and business drivers.

As with everyday operations, knowing your risk tolerance is vital to successful decision-making and execution. With lives at stake, risk tolerance could be expected to be low, but attacks keep happening and they are successful. Many of the health care industry’s unique challenges are, in fact, non-technical. Let’s take a look. 

Need for Speed

A perfect example related to preparedness comes out of an Immersive Labs study, the Cyber Workforce Benchmark 2022. The study found health care lags far behind in cyber crisis exercises versus other industries. Tech companies might hold up to nine exercises a year. In health care, there are often only two. The gap is wide and the results reinforce that: the health care industry had some of the poorest tabletop scores.

Simply having an incident response plan is not enough. Testing and training are essential, too. When you stress test the plan, stakeholders know what is expected of them during a crisis. Finding gaps and building mental muscle memory is crucial.

Why? Loss of service may directly result in loss of life. A health care provider cut off from offering acute or ambulatory care has lives on the line. Recovery point and time objectives – critical outcomes and data points of business continuity and disaster recovery planning – need to align with operational expectations. In this case, that means the time it takes to save a life.  

Therefore, not only do incident responders in health care have less time to respond, they may also need different process requirements, such as shutting down primary systems as a precautionary measure. Other contingencies may be needed as well, such as operating a backup system as a temporary production environment until the threat has been contained and eradicated. A Ponemon study found that 71% of 597 health delivery organizations said a successful cyberattack resulted in a longer patient stay. The costs are real.

Data Handling

Health care data carries a different level of sensitivity. It is full of personally identifiable information (PII) and protected health information (PHI), which is becoming all the more detailed and personal as biometric technologies become more widespread.

Depending on where in the world you operate, you may have different legal or regulatory requirements for data handling and incident reporting or disclosures. It’s also important to define whether you’re simply handling an incident or whether you have been breached, as the latter has legal implications. Do not underestimate the importance of strong and clear definitions as part of your program governance. A strong privacy program can also bolster your security program, as they work well together.

Ensuring that incident responders are well aware of these requirements is essential. Your security planners need to know where your data is and how it is tagged. If your organization does suffer an incident, you do not want to be running around trying to figure out what types of data have been impacted. While incident responders put out the fire, rest assured that the lawyers are already thinking about disclosure requirements and the possible lawsuit.
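The following is an added illustration, not code from the original article, of why a tagged data inventory matters once an incident starts. Given an inventory of systems tagged with the data classes they hold and the list of systems an incident touched, it reports which data classes, jurisdictions and system owners are in scope, and flags any reported system that has no inventory record, since an untagged system is an inventory gap rather than evidence that no regulated data was involved. The asset names, owner names, tags and jurisdiction labels are all constructed for the example; whether the result is an incident or a breach remains a determination for legal and privacy, and this code only produces the inputs to it.

```python
"""Incident scoping against a tagged data inventory.

Added illustration (not code from the original article): resolve the systems
an incident touched against a pre-built inventory so the "what data was
impacted?" question is answered from records, not reconstructed mid-incident.
All asset names, owners, tags and jurisdiction labels are constructed.
"""
from dataclasses import dataclass

# Data-class tags used by the inventory (constructed labels).
PHI = "PHI"              # protected health information
PII = "PII"              # personally identifiable information
BIOMETRIC = "BIOMETRIC"  # biometric identifiers, treated as regulated here
IP = "IP"                # research / intellectual property
REGULATED = frozenset({PHI, PII, BIOMETRIC})


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                   # team accountable for the system
    data_classes: frozenset      # tags applied when the data was inventoried
    jurisdictions: frozenset     # where the data subjects are located


# Constructed inventory. In practice this comes from a CMDB or data catalog.
INVENTORY = {
    "ehr-db-01": Asset("ehr-db-01", "clinical-apps",
                       frozenset({PHI, PII}), frozenset({"US"})),
    "telehealth-gw": Asset("telehealth-gw", "telehealth",
                           frozenset({PHI, PII, BIOMETRIC}), frozenset({"US", "EU"})),
    "research-fs": Asset("research-fs", "rnd",
                         frozenset({IP}), frozenset({"US"})),
    "build-server": Asset("build-server", "it",
                          frozenset(), frozenset()),
}


@dataclass
class Scope:
    impacted: list        # inventoried assets confirmed in scope
    unknown: list         # reported assets with no inventory record
    data_classes: set
    jurisdictions: set
    owners: set

    @property
    def regulated_data_in_scope(self) -> bool:
        """True if any PHI/PII/biometric data sits on an impacted system."""
        return bool(self.data_classes & REGULATED)

    @property
    def needs_breach_determination(self) -> bool:
        """Whether legal/privacy must decide incident-vs-breach.

        Unknown assets escalate too: a system missing from the inventory is
        a gap in the records, not proof that no regulated data was involved.
        """
        return self.regulated_data_in_scope or bool(self.unknown)


def scope_incident(inventory: dict, reported_assets) -> Scope:
    """Resolve reported asset names against the inventory and union their tags."""
    scope = Scope(impacted=[], unknown=[], data_classes=set(),
                  jurisdictions=set(), owners=set())
    for name in dict.fromkeys(reported_assets):   # de-duplicate, keep order
        asset = inventory.get(name)
        if asset is None:
            scope.unknown.append(name)
            continue
        scope.impacted.append(name)
        scope.data_classes |= asset.data_classes
        scope.jurisdictions |= asset.jurisdictions
        scope.owners.add(asset.owner)
    return scope


if __name__ == "__main__":
    # Constructed alert: a ransom note was found on two hosts, plus one host
    # that the inventory has never heard of.
    s = scope_incident(INVENTORY, ["telehealth-gw", "build-server", "wkst-7f2a"])
    print("in scope:", s.impacted, "| not in inventory:", s.unknown)
    print("data classes:", sorted(s.data_classes),
          "| jurisdictions:", sorted(s.jurisdictions),
          "| owners to page:", sorted(s.owners))
    print("escalate for breach determination:", s.needs_breach_determination)
```

The jurisdiction set is what tells the legal team which reporting clocks may be running, and the owner set is the page-out list; both fall out of the inventory for free. The unknown-asset path is deliberately conservative: it is the "running around trying to figure out what was impacted" case, and the example escalates it rather than treating silence as a clean result.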

Devices Used and Service Delivery Methods

Medical internet of things devices come with their own perils. After all, it is not only the device but the medium of delivery that matters. Think of how much PHI now flows over telehealth platforms. Not only do incident responders have to contain and eradicate an event or incident, but each issue will also need a definitive tie-off because of the PII or PHI implications, regardless of severity. And when they are not doing that, they are probably trying to patch and upgrade systems across disparate devices, operating systems and applications.

Investment, Awareness and Business Drivers

While health care organizations aren’t always entirely profit-driven, they still need to be concerned about money. According to the Threat Intelligence Index, three industries account for nearly 60% of cyberattacks: manufacturing, finance and insurance, and professional and business services. The important connection here between these industries and the health care industry is business drivers.

The first three are very much profit-driven, making them attractive targets for malicious actors. Being profit-driven also shifts priorities. If successful, it allows for more resources to be invested in information, infrastructure, security and privacy measures.

Some sectors of the health care industry are very profit-driven, too. However, their situation is not nearly as clear-cut, or across the board, as the others. For example, companies focused on research and development (such as the pharmaceutical industry) are very profit-driven, and more specifically, product-driven. They want to protect their intellectual property.

Other health care organizations have an element of profit but are in general more service-driven (think of those administering care). These organizations face staff burnout and limited resources. Incident response handling and preparedness can make a world of difference in someone’s life.

Keeping Manageability and Emotions in Check

Perhaps the most distinctive challenge for incident responders in health care is the small margin of error. Next-generation technologies, such as artificial intelligence and improved monitoring capabilities, should definitely be examined and integrated where possible. They could lighten the load on incident response staff through automated response and orchestration.

Because of the small margin of error, health care providers need to look closely at their overall resilience posture. It’s about more than just an incident response plan. It is crisis communications, input and collaboration from legal, and practice to build up the response muscles. Attacking health care services gives threat actors a chance to use one of their favorite tactics: preying on emotions. If you are calm and cool in your response, well-resourced and prepared, an attacker may just find you are not worth their time.

The post Incident Response for Health Care IT: Differences and Drivers appeared first on Security Intelligence.