Prepare For a Cyber Breach with These Tips from HIROC’s Cyber Forum

Gillian Brandon-Hart

Among the many speakers at the cybersecurity forum were Kopiha Nathan, Privacy and Compliance Lead, HIROC; Ira Parghi, Partner, INQ Law; Imran Ahmad, Head of Technology, Co-Head of Information Governance, Privacy and Cybersecurity, Norton Rose Fulbright Canada LLP; Jonathan Bracamonte, Lead, Product Development, HIROC; and Jason Marilla, VP Operations, InCyber.


The healthcare sector is increasingly seen as a target for cyber-attacks for a variety of reasons, such as the large volumes of sensitive data healthcare organizations have. One thing is clear: when criminals strike, the after-effects of an attack reverberate far and wide across an organization.

As a proactive partner for a safer healthcare system, HIROC hosted our Shared Experiences: Cyber Preparedness in Healthcare workshop for Subscribers on Nov. 2. Featuring numerous experts from across the healthcare, cybersecurity, and insurance sectors, the event was a huge success and provided relevant and timely insights to help Subscribers prepare for a cyber breach.

While there were many great takeaways, here are a few we found valuable to share.

Practice your cyber incident response with a tabletop exercise


A tabletop exercise is an effective way to practice a realistic cyber breach scenario to help your team prepare and identify any issues or weaknesses proactively. Tabletop exercises are very important and should involve all individuals on your incident response team (and backups for each member of this team), including, but not limited to, senior management, communications, and your breach coach.

Your tabletop exercise can be used to review, validate, or test these important components: 

  • incident response plans
  • crisis communications plan
  • engagement of backup systems 
  • downtime plans for when your systems are offline or compromised  
  • operational continuity and recovery processes
  • assignment of responsibilities to specific individuals

During your tabletop exercise, you should also revisit how third-party vendors access your systems and recognize which external partners can help you during a breach.

It is also critical to note the difference between OT (operational technology) and IT (information technology) assets and include steps for dealing with both kinds of breaches. An IT asset could be a computer or other general equipment that is generic and available off-the-shelf, while an OT asset covers the availability and integrity of the equipment, such as specialized programs or other customizations.

Check out HIROC's Tabletop Guide

Implement effective backup systems


Ensuring you have tested backup systems in place is critical. Some key questions to consider include:

  • How often do you back up data, network, and systems?
  • Are your regular backups disconnected from and inaccessible through the organization’s network (e.g., segmented)?
  • Are your recovery processes validated through data recovery drills?
  • Are regular backups subject to virus/malware scanning?
  • Are all your backups in one location? If not, do you have an inventory of all your data backups and locations (e.g., cloud, on-prem, tapes, etc.)?
  • Are your backups encrypted?

It is also recommended that you adopt, if you haven’t already, multi-factor authentication on your backup systems and know the recovery time and recovery point objectives (how soon you can recover systems/data and how far back your recovered data goes).

Unfortunately, the impact of a cyber breach can be lengthy, with four weeks considered the bare minimum for how quickly a cyber breach can be resolved—often it takes longer. Ask yourself what two to six weeks without access to your standard computer systems looks like, and prepare for offline processes to use during this downtime that can keep your critical functions operational. It is also useful to define what exactly containment looks like for your organization.

Create response plans for both internal and external breach scenarios


Another critical component of preparing for a cyber breach incident is planning for both internal and external breach scenarios. An internal breach is one that happens to your organization directly and affects your systems, while an external breach is when a third-party service provider, vendor, or partner you work with that stores or has access to your data is affected. Having a plan can improve your response time, mitigate the impact on your organization, and improve the effectiveness of your response.

External breaches of third-party vendors are the hardest to handle because they do not occur in your environment, so you have less control over them and rely more on the vendor giving you all relevant information. Review your contracts with all the service providers, vendors, and partners you work with, and make sure they clearly state that the vendor must notify you within a set number of hours after discovering a breach or potential breach, cooperate with you and provide the information you need to support investigations, and compensate you for costs and losses incurred as a result of the breach or investigation.

Plans for internal and external breach scenarios should involve dedicated incident response teams, communications plans, data mapping so you know where your data is kept, and a focus on serving key stakeholders first (but anticipate every communication going public or to media).

Recognize red flags to watch for and tips to avoid a breach


Most often, cyber breaches result from successful phishing attacks. Knowing the red flags to watch for can help you avoid a breach caused by phishing.

Red flags in messages include:

  • spelling and grammar errors
  • unknown senders
  • suspicious domains
  • unknown vendor invoice attachments 
  • suspicious hyperlinks
  • generic signatures
  • known vendors/contacts with compromised email systems sending suspicious links/attachments

As hackers are becoming more sophisticated, there are more cases where none of these red flags are present. The biggest red flags to watch for here are requests to change bank account information. Watch for changes to payment frequency, incomplete or incorrect details on void checks, a transit number that differs from the one on the bank confirmation letter, and suspicious-looking bank confirmation letters. If you receive a message with any of these red flags, validate the change request by calling the vendor or sender and speaking directly to someone you know.

There are also tips you can use to avoid cyber breaches, such as:

  • training staff on phishing attacks
  • fostering a culture where employees feel they can report that they may have clicked on something suspicious, rather than fearing punishment
  • rolling out software updates and patches
  • creating incident response plans with tabletop exercises
  • being aware of your IT assets and their risks and your third-party vendor relationships

Despite the increase in cyber-attacks on healthcare organizations, there are steps you can take to identify risks and prepare ahead of time.

As a reminder to those who attended this cyber workshop, you can log back in to the Hopin platform and watch all the sessions for 57 more days.

If you have any questions, reach out to us anytime at inquiries@hiroc.com.

 

By Gillian Brandon-Hart, Communications & Marketing Specialist, HIROC