Background on Incident Response During Coronavirus Pandemic
The coronavirus pandemic has pushed many healthcare organizations to shift a much larger share of their staff to a remote workforce environment. For many of these individuals this is a new concept. The employees working remotely during the pandemic are likely non-clinical staff, including back-office operations such as patient accounting, procurement, and the information technology staff. This upending of normal operations was necessary to limit the rate of community spread by reducing personal contact. Unfortunately, hospitals, ambulatory centers, and supporting vendors likely did not anticipate that this new paradigm would come about so rapidly, and they have not considered the implications of a remote workforce for their incident response plans.
This change creates a vulnerability – one that is being exploited by hackers and nation-state actors who have stepped up their attacks. Security vendor FireEye recently reported that since COVID-19, the APT 41 group increased the rate of their attacks including those directly targeting healthcare organizations.
Identifying the New Reality of a Remote Workforce
The transition to a largely remote workforce will disrupt the three key incident response processes: Detect, Respond, and Recover. Starting with Detect, healthcare organizations will need to evaluate how remote or reduced staffing results in more “eyes off screens.” Alerts that previously were sounded locally will now need to be communicated to a remote workforce. With on-site security operations centers, the staff changed between shifts but the systems did not move. Under the social distancing model, additional equipment or communications methods are needed that can change as the shift workers swap out. Another consideration, especially in the time of the COVID-19 pandemic, is what happens when a large percentage of the workforce is sick.
One of the first steps to respond to an attack is to activate the command center. Traditional command centers have prepositioned computers, networks, and documentation needed to communicate to the various staff. A remote response system will require multiple conference bridges, likely pre-established with specific tasks. The information on the bridges should be communicated to all team members before an attack because email and phones may be disrupted early.
Consider the impact on your supply chain vendors, as they may also not be working in their traditional offices. How do you communicate with your vendors in a hurry if you don’t have their mobile numbers? Also consider that, as a result of the spread of the coronavirus pandemic, they may be short staffed or have reduced their level of security. It has been reported that India is moving to a 100% stay-at-home lockdown. Many staff may resort to using personal equipment or unsecured Wi-Fi connections to access corporate networks to provide support.
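The Detect and Respond concerns above (alerts that must reach remote staff, shift workers who swap out, a large share of the team out sick, bridges that must be pre-established and distributed before an incident, and vendor contacts that must be reachable in a hurry) reduce to one routing problem: given an alert, who is paged, on which channel, and what happens when nobody answers. The following Python is an added example, not code from the original article or any vendor it names; the roster, shift times, contact addresses, and bridge names are all constructed placeholders, and the `send` callable stands in for whatever paging or messaging service an organization actually uses.

```python
"""Out-of-band alert routing for a remote incident response team (added example).

Picks responders who are on shift and not marked unavailable, tries each of
their contact channels in order, and escalates tier by tier (analyst -> IR
lead -> executive/vendor liaison) until at least `min_acks` people are reached.
The page names a pre-established bridge rather than carrying dial-in details,
on the assumption that bridge details were distributed before any incident.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Iterable, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Responder:
    name: str
    tier: int                                  # 1 = on-shift analyst, 2 = IR lead, 3 = executive / vendor liaison
    shift_start: time
    shift_end: time                            # end < start means the shift crosses midnight; equal means 24x7
    channels: Tuple[Tuple[str, str], ...]      # ordered (channel, address); tried first to last

# Constructed roster. Addresses are placeholders, not real contact data.
ROSTER: List[Responder] = [
    Responder("analyst-a", 1, time(7, 0), time(19, 0), (("sms", "+1-555-0100"), ("email", "a@example.org"))),
    Responder("analyst-b", 1, time(19, 0), time(7, 0), (("sms", "+1-555-0101"), ("email", "b@example.org"))),
    Responder("ir-lead", 2, time(0, 0), time(0, 0), (("sms", "+1-555-0200"), ("signal", "ir-lead"))),
    Responder("vendor-liaison", 3, time(0, 0), time(0, 0), (("sms", "+1-555-0300"),)),
]

# Pre-established bridges per incident type (constructed placeholders). These are
# shared with the team ahead of time, so the page only has to name the bridge.
BRIDGES = {
    "ransomware": ("BRIDGE-1 (placeholder)", "containment: isolate affected network segments"),
    "phishing": ("BRIDGE-2 (placeholder)", "triage: credential reset and mailbox review"),
}

def on_shift(r: Responder, now: datetime) -> bool:
    """True if `now` falls inside the responder's shift, handling overnight shifts."""
    t = now.time()
    if r.shift_start == r.shift_end:           # 24x7 responder
        return True
    if r.shift_start < r.shift_end:            # same-day shift, e.g. 07:00-19:00
        return r.shift_start <= t < r.shift_end
    return t >= r.shift_start or t < r.shift_end   # overnight shift, e.g. 19:00-07:00

def build_page(incident_type: str, detail: str) -> str:
    """Compose a short page that names the bridge and the pre-assigned task."""
    bridge, task = BRIDGES[incident_type]
    return f"[{incident_type.upper()}] {detail} | join {bridge} | task: {task}"

def dispatch(roster: Iterable[Responder], now: datetime, unavailable: Set[str],
             incident_type: str, detail: str,
             send: Callable[[str, str, str], bool],
             min_acks: int = 1) -> Tuple[Optional[int], List[Tuple[str, str, bool]]]:
    """Page responders tier by tier; return (tier that met min_acks or None, delivery log)."""
    message = build_page(incident_type, detail)
    log: List[Tuple[str, str, bool]] = []
    for tier in sorted({r.tier for r in roster}):
        reached = 0
        for r in roster:
            if r.tier != tier or r.name in unavailable or not on_shift(r, now):
                continue                        # off shift or out sick: skip, do not wait
            for channel, address in r.channels:
                ok = send(channel, address, message)
                log.append((r.name, channel, ok))
                if ok:
                    reached += 1
                    break                       # first working channel is enough for this person
        if reached >= min_acks:
            return tier, log                    # stop escalating once enough people are reached
    return None, log                            # nobody reachable: caller must fall back to manual process

if __name__ == "__main__":
    # Constructed scenario: daytime alert, day analyst out sick, SMS gateway down.
    def demo_send(channel: str, address: str, message: str) -> bool:
        return channel != "sms"
    tier, log = dispatch(ROSTER, datetime(2020, 3, 25, 10, 0), {"analyst-a"},
                         "ransomware", "encryption activity on file server", demo_send)
    print("escalated to tier", tier)
    for entry in log:
        print(entry)
```

The escalation loop is the part worth copying: a sick analyst and an off-shift analyst are skipped immediately rather than waited on, and the log records every attempt so the post-incident review can show which channels failed. The `None` return is deliberate; it is the signal that the automated path is exhausted and the manual fallback (the pre-distributed bridge list on paper or a personal device) has to be used.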
Recovery will be limited if the course of action includes reimaging systems. Remote workforce members will be of little assistance, as bandwidth limitations constrain their efforts. If the network must be disconnected, as in the case of a ransomware attack, remote incident response team members may not have access to data or networks.
Afterthought for Incident Response Plans With a Remote Workforce
All healthcare organizations should take time to review the basic assumptions of their incident response plan and plan for incident response with a remote workforce during the coronavirus crisis. These plans often rely on their staff’s ability to rapidly communicate both up and down the lines of authority once a security event is detected.
Drex DeFord, a former healthcare CIO, shared in a recent podcast that, “With increasing demands on healthcare organizations to quickly accommodate a surge of teleworking employees as a result of the COVID-19 pandemic, IT and information security departments need to exercise security vigilance.”