Incident response plan for Healthcare Technology (HITECH)
This plan governs the response to cyber-attacks against a healthcare organization. Its primary objectives are to protect data, reduce costs, limit damage, speed recovery, and perform digital forensics to understand how the attack happened.
Under this plan the healthcare organization will prepare, analyze, contain, eradicate, recover, report, and finally test the fix that resolved the incident. When the response is complete, an inventory will record the impacted resources and the information that was recovered.
Preparation
Before analysis begins, the affected systems will be imaged to offline media from whatever storage survived uncorrupted. Analysis and digital forensics then run against these copies, never against the original evidence, so the environment can be rebuilt for investigation as often as needed.
A team of stakeholders from the healthcare organization, together with information technology (IT) staff, will work through the extracted systems by restoring the preserved images in an isolated offline environment to understand the effects and impact of the attack.
While the snapshots are being preserved, the production environment will be isolated and then recovered to restore the continuity that the damage disrupted. Hardening measures, including additional access controls, will be rolled out as each system is restarted. Systems with known, unresolved vulnerabilities will remain unavailable until those vulnerabilities are fixed.
Business Impact Analysis (BIA)
During analysis, the system logs, any missing data, and the integrity of the infrastructure will be audited. From this review, the attack pattern will be mapped and the depth of the breach established.
The images used to replicate the environment will be handled under chain of custody to preserve the integrity of the evidence and to satisfy any requests from law enforcement. Each image is hashed at acquisition and the hash is re-verified before every analysis session, so any later change to the evidence is detectable. This archive provides a clear timeline and a historical reference for the incident in a sandboxed environment that can be revisited at any point.
When evaluating the impacted resources, the amount of data exposed, and the quantified cost of the breach based on risk, the healthcare organization will determine the total loss from the attack. Exposed Protected Health Information (PHI) and Personally Identifiable Information (PII), service interruptions that could have affected patients, the damages that could be incurred, and the actual value of the information will all be attributed to the total cost for insurance and documentation purposes.
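To make the chain-of-custody step concrete, the following is an added example of an evidence manifest, not code from the original plan. It streams a disk image through SHA-256 to record the acquisition hash, keeps a custody log in which every entry is HMAC-signed and linked to the previous entry's MAC, and verifies both the log and the image before analysis. The file name, actors, timestamps, image bytes, and the custody key are all constructed for illustration.

```python
"""Chain-of-custody manifest for forensic images (added example, not part of the plan).

Assumptions (illustrative, not from the original page):
- the image is a file on disk; demo() writes a small constructed byte string instead
- the custody key is held by the CSIRT; in production it lives in a secrets store or HSM
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never sits fully in RAM


def sha256_file(path: str) -> str:
    """Stream the image through SHA-256; this is the acquisition hash recorded at imaging time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(key: bytes, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical fields always MAC identically.
    body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, actor: str, action: str,
                 image_sha256: str, ts: Optional[str] = None) -> dict:
    """Record one custody event. Each entry embeds the previous entry's MAC,
    so deleting, reordering, or editing an entry breaks the chain."""
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "image_sha256": image_sha256,
        "prev_mac": log[-1]["mac"] if log else "",
    }
    entry["mac"] = _mac(key, entry)
    log.append(entry)
    return entry


def verify_chain(log: List[dict], key: bytes, image_path: str) -> Tuple[bool, str]:
    """Re-derive every MAC and link, then confirm the image on disk still matches
    the acquisition hash in the first entry. Returns (ok, reason)."""
    if not log:
        return False, "empty log"
    prev = ""
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev_mac"] != prev:
            return False, f"chain broken at seq {i}"
        if not hmac.compare_digest(e["mac"], _mac(key, e)):
            return False, f"bad MAC at seq {i}"
        prev = e["mac"]
    if sha256_file(image_path) != log[0]["image_sha256"]:
        return False, "image hash does not match acquisition hash"
    return True, "ok"


def demo() -> dict:
    """Run the workflow on a constructed image and return the verification outcomes."""
    key = b"custody-key-from-secrets-store"  # assumed value; never hard-code in production
    img = os.path.join(tempfile.mkdtemp(), "host-42.dd")  # hypothetical image name
    with open(img, "wb") as f:
        f.write(b"CONSTRUCTED IMAGE BYTES " * 4096)  # constructed sample standing in for a disk image
    h = sha256_file(img)
    log: List[dict] = []
    append_entry(log, key, "analyst-1", "acquired", h, ts="2024-05-01T09:00:00+00:00")
    append_entry(log, key, "analyst-1", "transferred to evidence locker", h, ts="2024-05-01T09:30:00+00:00")
    append_entry(log, key, "analyst-2", "checked out for analysis", h, ts="2024-05-02T08:00:00+00:00")
    results = {"intact": verify_chain(log, key, img)}
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "unknown"            # someone rewrote who handled the evidence
    results["edited_entry"] = verify_chain(edited, key, img)
    results["dropped_entry"] = verify_chain([log[0], log[2]], key, img)  # an entry went missing
    with open(img, "ab") as f:
        f.write(b"\x00")                       # the image itself was altered after acquisition
    results["modified_image"] = verify_chain(log, key, img)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The acquisition hash belongs in the very first entry; every later handler re-runs the verification before touching the image, and a failure stops the analysis rather than quietly continuing on altered evidence.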
Response
In response to the security incident, the IT team will use the output of the analysis to remediate and patch every affected system. The indicators drawn from the analysis and forensics give the IT team a concrete list to work through during remediation.
Once the systems are repaired and the offline systems have been restored, they will be tested to confirm that the vulnerabilities are actually resolved before they are returned to service with increased monitoring and support.
BCP/DR
Business Continuity Planning (BCP) and Disaster Recovery (DR) will support the outcome of this recovery: the operational components of the healthcare organization already exist and will rotate into supporting this plan. As the initial response begins, the BCP/DR team will work with the IT team to isolate impacted resources and secure the affected infrastructure.
Prioritization
During the incident, the priority is to preserve the affected infrastructure: isolate the attacked instances, image them for further analysis, and remove access to the infrastructure to stop the ongoing threat. Isolation should cut network access rather than power hosts off, so that volatile memory can still be captured before imaging.
As processes are isolated, restoring whatever functionality remains available will help support the BCP. Alternatively, replacement resources can be spun up to meet demand; if identity-management and data resources must be migrated, this process can seed the new resources to fill the operational gap.
Once the incident has been isolated, mitigated, analyzed, and repaired, communications can be released to inform users and patients about the potential impacts, subject to the breach-notification deadlines that apply to PHI.
Throughout this process the CEO, COO, and CISO will be kept continuously informed. While the CTO, Security Manager, and IT team clone and restore the assets, the communications team will begin drafting the statements.
In this event the Computer Security Incident Response Team (CSIRT), consisting of the security manager, two security engineers, and two security analysts, will support the organization; if more hands are required, IT staff will assist under the CSIRT's guidance.
Communication & Report
A press kit will be assembled for the healthcare organization and approved by the internal stakeholders, including the CEO, COO, and CISO. It will be released alongside the external report of the breach, its impacts, and the contact information that supports account recovery.