Six Critical Elements of a Strong Cybersecurity Incident Response Plan for Healthcare Practices
For those who were affected by the recent CrowdStrike outage, it’s hard to identify any positives right now. But there is one: It has hopefully helped those medical practices who aren’t taking cybersecurity seriously realize exactly how vulnerable they are to attack—and how astronomical the damage of an attack could be. [1]
The CrowdStrike event was, thankfully, not the result of a malicious attack, but it showed us all how widespread the impact of one would be. While the exact cost of this event on medical practices won’t be realized for quite some time, we do know that other malicious attacks have cost medical organizations billions of dollars. [2]
In most cases, the cost of an attack rises the longer it takes victims to respond. That’s why it’s frankly alarming that Software Advice’s 2024 Healthcare Data Security Survey* found that over a third of medical practices do not have—or are not aware of having—a cybersecurity incident response plan in place.
If your practice is among them, you absolutely must start working today to build a response plan.
Why cybersecurity is especially important for healthcare providers
Our recent research shows that the majority of medical practices do have a response plan in place, but that number is not as high as it should be.
These practices are leaving themselves extremely vulnerable to loss of patient data, HIPAA violations, hefty fines, and even lawsuits from patients in the event of a cyber attack.
Personal health information (PHI) is protected by HIPAA, so the loss of patient records can result in loss of accreditation and extra fines on top of whatever a practice pays to recover stolen data in the event of a ransomware attack.
Besides the loss of PHI, a cyberattack on a medical organization is particularly devastating for several reasons (which we’ll cover in detail), making it even worse than similar incidents against non-medical businesses. Medical practices that suffer cyber incidents are extremely likely to see damage to the following:
Patient care: If digital systems go down, providers will be unable to access patient records or diagnostic tools, meaning patients who require immediate care will not be able to receive it. In our survey, 59% of practices that suffered a ransomware attack say it had an impact on patient care.
Finances: The actual cost of a cyberattack in healthcare is often higher due to the need for specialized forensic investigations, legal fees, regulatory fines, and the implementation of enhanced security measures to prevent future attacks.
Reputation: Patients who see their personal data lost or stolen in a cyberattack will lose trust in their healthcare providers, resulting in patients looking elsewhere for care and leaving a mark on the provider’s reputation.
Unfortunately, the things that make a data breach so much worse for medical organizations than for other types of businesses also make healthcare organizations a high-value target for cybercriminals, who know these victims will be even more motivated to pay ransoms to recover stolen data.
Given all of this information, it should be abundantly clear that medical practices of every size and specialty should have robust cybersecurity in place—and that includes a well-developed cybersecurity incident response plan. It’s a plan you create with input from your team of IT professionals and compliance officers that outlines exactly what steps to take in the event of any cybersecurity breach.
As complex as the requirements for data protection in healthcare are, it’s important to understand that it takes time, intention, and effort to produce a thorough incident response plan. In this article, we’ll outline what that process should look like.
6 key elements of a cybersecurity incident response plan
We asked respondents in our survey who do have a cybersecurity incident response plan in place what elements they have included in their plan. Using that information, here’s a breakdown of what you should consider when developing your own cybersecurity response plan.
1. Preparation
Start before the cyberattack even takes place by conducting a thorough risk assessment to identify potential vulnerabilities and threats specific to your medical practice. A good place to start is by creating an Incident Response Team (IRT) made up of stakeholders with defined roles and responsibilities. This team should include IT staff, security experts, legal advisors, and key decision-makers.
You’ll also want to make sure you’re regularly training your staff on this response plan once you have established all of the elements.
2. Identification
Have your IRT come up with a clear definition of a cybersecurity incident that accounts for different variables and methods of breach. This will likely involve a classification system to help quickly identify when something is happening and assess the severity of a cyber incident.
From here, you can invest in monitoring and detection tools to help flag potential security incidents quickly. These could include network monitoring systems like intrusion detection systems (IDS), security information and event management (SIEM) systems, and endpoint detection and response (EDR) solutions.
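To make the "definition plus classification" idea concrete, here is an added example (not from the original article or from Software Advice) of how an IRT could write its incident definition and severity tiers down as a small triage function. The field names, the four severity tiers and the rule that confirmed access, any PHI exposure, or any patient-care impact makes something an incident are assumptions chosen for the example; the 500-individual threshold is the HIPAA breach-size figure at which HHS and media notice obligations change.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Severity tiers, lowest to highest. "EVENT" means an alert that has not met the
# practice's definition of an incident and only needs triage. (Tiers are an
# assumption for this example; an IRT defines its own.)
SEVERITY_ORDER = ["EVENT", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# 500 affected individuals is the HIPAA Breach Notification Rule threshold at which
# media notice and prompt HHS notice apply; used here to raise severity.
HIPAA_LARGE_BREACH = 500


@dataclass
class SecurityEvent:
    """One alert as it arrives from a monitoring tool or a staff report."""
    source: str                          # "ids", "siem", "edr", "user_report", ...
    confirmed_compromise: bool           # IRT has confirmed unauthorized access
    phi_records_exposed: int = 0         # PHI records believed accessed or taken
    patient_care_impacted: bool = False  # clinical systems unavailable to providers
    ransomware: bool = False
    systems_affected: List[str] = field(default_factory=list)


def classify(ev: SecurityEvent) -> Tuple[str, List[str]]:
    """Apply the incident definition, then escalate through the severity tiers.

    Returns (severity, reasons) so the on-call person can see why a tier was chosen."""
    # Incident definition (assumed): confirmed unauthorized access, any PHI
    # exposure, or any impact on patient care. Everything else is an event.
    is_incident = (ev.confirmed_compromise or ev.phi_records_exposed > 0
                   or ev.patient_care_impacted)
    if not is_incident:
        return "EVENT", [f"unconfirmed {ev.source} alert: triage, not yet an incident"]

    severity = "LOW"
    reasons: List[str] = []

    def escalate(level: str, why: str) -> None:
        nonlocal severity
        if SEVERITY_ORDER.index(level) > SEVERITY_ORDER.index(severity):
            severity = level
        reasons.append(why)  # record every contributing factor, not just the top one

    if ev.confirmed_compromise:
        escalate("MEDIUM", "confirmed unauthorized access")
    if len(ev.systems_affected) > 1:
        escalate("MEDIUM", f"{len(ev.systems_affected)} systems affected")
    if ev.ransomware:
        escalate("HIGH", "ransomware present")
    if 0 < ev.phi_records_exposed < HIPAA_LARGE_BREACH:
        escalate("MEDIUM", f"{ev.phi_records_exposed} PHI records exposed (breach notification applies)")
    if ev.phi_records_exposed >= HIPAA_LARGE_BREACH:
        escalate("HIGH", f"{ev.phi_records_exposed} PHI records exposed "
                         f"(>= {HIPAA_LARGE_BREACH}: HHS and media notice required)")
    if ev.patient_care_impacted:
        escalate("CRITICAL", "patient care impacted")
    return severity, reasons


def triage_order(events: List[SecurityEvent]) -> List[Tuple[str, SecurityEvent]]:
    """Order a batch of alerts so the IRT works the most severe first."""
    scored = [(classify(e)[0], e) for e in events]
    return sorted(scored, key=lambda s: SEVERITY_ORDER.index(s[0]), reverse=True)


if __name__ == "__main__":
    # Constructed sample alerts (not real data).
    batch = [
        SecurityEvent("ids", confirmed_compromise=False),
        SecurityEvent("edr", confirmed_compromise=True, systems_affected=["WS-12"]),
        SecurityEvent("siem", confirmed_compromise=True, ransomware=True,
                      phi_records_exposed=1200, systems_affected=["EHR", "FS-01"]),
        SecurityEvent("user_report", confirmed_compromise=True, patient_care_impacted=True),
    ]
    for sev, ev in triage_order(batch):
        print(sev, ev.source, classify(ev)[1])
```

The point of returning the reasons alongside the tier is that the person on call can check the classification against the plan in seconds, and the reasons feed straight into the incident log described later in the plan. An IDS alert with nothing confirmed stays an event rather than triggering the full response, which is exactly what a clear incident definition is meant to prevent.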
3. Containment, eradication, and recovery
Once a cyber incident has been identified, you’ll want to have clearly outlined steps for containing the data breach in order to prevent further damage. This could mean isolating affected systems, disabling compromised accounts, or blocking malicious IP addresses.
Next, you’ll need to find the root cause of the incident by figuring out how the breach occurred and what vulnerabilities were exploited. You’ll then need to ensure all malicious software and compromised files are completely removed so you can safely restore your affected systems. Use clean data backups to bring systems back online to their pre-incident state and then thoroughly vet the integrity of the restored data.
4. Communication
Prepare communication protocols for both internal and external strategies. Figure out how you’ll inform your employees and make sure they know how to speak about the event to the media or patients. You’ll also want to develop a plan for reporting the incident to external parties, such as patients and regulatory bodies—making sure you’re being transparent and compliant with legal and regulatory requirements for breach notification.
5. Documentation and reporting
Designate someone on your IRT to maintain a detailed log of all actions taken during the incident response process, including timelines, decisions made, and communications. Use this log to create a post-incident report that details the nature of the breach, the response actions taken, and the impact on your practice.
Have someone on your team be responsible for complying with regulatory requirements when it comes to reporting incidents, and be sure you follow all protocols to minimize the legal damage.
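As an added example (not part of the original article or of Software Advice's material), here is a small append-only incident log of the kind the designated IRT member would keep, with a timeline view and a summary for the post-incident report. Chaining each entry to the previous one with a SHA-256 hash so that later edits or deletions can be detected is an assumption of this example rather than something the article prescribes; the incident ID, names and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

CATEGORIES = {"action", "decision", "communication"}


def _digest(body: dict) -> str:
    """Stable hash of an entry's fields (sorted keys so field order cannot change it)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLog:
    """Append-only log of actions, decisions and communications during a response.

    Each entry carries the hash of the previous entry, so editing or deleting a
    line after the fact breaks verify(). (Hash chaining is an assumption here.)"""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor: str, category: str, summary: str, when: datetime = None) -> int:
        if category not in CATEGORIES:
            raise ValueError(f"category must be one of {sorted(CATEGORIES)}")
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries) + 1, "ts": ts, "actor": actor,
                "category": category, "summary": summary, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["seq"]

    def verify(self) -> bool:
        """True only if every entry still hashes correctly and links to its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(fields) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def timeline(self):
        """Chronological lines ready to paste into the post-incident report."""
        return [f'{e["ts"]} [{e["category"]}] {e["actor"]}: {e["summary"]}' for e in self.entries]

    def summary(self) -> dict:
        """Counts by category and elapsed time from first to last logged entry."""
        counts = {c: 0 for c in sorted(CATEGORIES)}
        for e in self.entries:
            counts[e["category"]] += 1
        first = datetime.fromisoformat(self.entries[0]["ts"])
        last = datetime.fromisoformat(self.entries[-1]["ts"])
        return {"incident_id": self.incident_id, "entries": len(self.entries),
                "by_category": counts,
                "duration_hours": round((last - first).total_seconds() / 3600, 2)}


def build_sample_log() -> IncidentLog:
    """Constructed entries for a fictional ransomware incident (not real data)."""
    log = IncidentLog("IR-EXAMPLE-001")
    t0 = datetime(2024, 7, 19, 4, 10, tzinfo=timezone.utc)
    log.record("EDR alert", "action", "Ransomware behaviour flagged on workstation WS-12", t0)
    log.record("IT lead", "decision", "Classified as HIGH; IRT activated", t0 + timedelta(minutes=12))
    log.record("IT lead", "action", "WS-12 isolated from the network", t0 + timedelta(minutes=20))
    log.record("Compliance officer", "communication",
               "Privacy counsel notified; breach assessment opened", t0 + timedelta(hours=1))
    log.record("IT lead", "action", "File server restored from backup; integrity check passed",
               t0 + timedelta(hours=9, minutes=30))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log.timeline()))
    print(log.summary(), "chain intact:", log.verify())
```

Keeping the log append-only matters because the same record is later handed to regulators, insurers and possibly counsel; a chain that fails verify() tells the reviewer the record was altered after the fact, even if they cannot tell what changed.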
6. Post-incident review and continued improvement
Once the threat has been neutralized, have your team conduct a debriefing session where you review the incident and the effectiveness of your response. Identify areas for improvement and update your cybersecurity incident response plan as necessary.
Software will play a critical role in your cybersecurity
We’ve already mentioned a few monitoring and reporting tools you should have in place to identify a cyber incident immediately, but that’s hardly an exhaustive list of all the technology available to help keep your practice safe from cyberthreats.
There are security tools like two-factor authentication (2FA), which our survey found that 89% of practices are using to protect their systems.
Other popular systems include email security, firewalls, antivirus software, data backups, and password managers.
You may not necessarily require every single one of these software tools to protect your practice, but you will definitely want to select and implement a few of them to keep your practice and your patients safe from cyberthreats.
To learn more about any of these security tools, you can use our FrontRunners to research cybersecurity software vendors or speak directly to an advisor to learn about all of the options available to you today.
Survey methodology
*Software Advice’s 2024 Medical Cybersecurity Survey was conducted online in March among 296 respondents working at healthcare organizations in the U.S. to learn how medical practices are fighting back against cyber threats.
Respondents were screened to have IT management, data security, data management, or security training or audit responsibilities. Organizations that outsource 100% of their IT management or cybersecurity needs were excluded from participating.