There is no doubt that the U.S. is in an unprecedented time right now. As of early-March 2020, the federal government in the United States has taken the unheard-of action to have every single hospital and healthcare facility in the nation put themselves into emergency mode. While hospitals have done a lot of other things on a local, state, and federal level, this is the action that is critically important to the IT and information security teams that work at these organizations. This means that at not just a few, but every single healthcare facility across the nation has activated emergency procedures and incident response to prepare for or deal with the expected influx of patients and shortages of staff. Even if there wasn’t an influx of patients, just the closing of the schools and remote staffing will mean shortages of people power that will be even worse than the already precarious spot most of healthcare IT and information security was in before this coronavirus crisis.
When any organization has an incident, it typically enacts its incident response processes and procedures and run them until the incident has ended. Then the organization can move on to recovery and eventually back to normal business operations. In my decade plus in the industry, I have seen countless incidents occur that led to incident response procedures being put in place. In virtually every single one of these incidents I have seen or participated in, the actual incident part of the ordeal was over in two to four weeks in the vast majority of cases. According to an IBM study detection is far slower than response, when we are focused on other matters that may be even longer. Well, hospitals were told to enact emergency procedures several weeks ago and even if there were not state and local “shelter-in-place” orders in place and the federal government decided to release the lockdown the hospitals would still be in lockdown for weeks or even months until they are back to normal operations.
What Can We Learn from Previously Executing Incident Response Plans?
Most incident response actions take far longer than a month, according to Varonis the average time to contain a breach is up to 103 days, and it is highly likely the coronavirus crisis could last well beyond that. Consider that in most emergency procedures’ documentation, logging, and testing is often put-off until things get back to normal. That is just a few of the things that get backlogged while in incident response. Consider non-urgent helpdesk tickets that have piled up. Think about the new systems that were supposed to be deployed or stood up. Think of all the patches and vulnerabilities that have not even been identified, let alone remediated during the incident response period.
These are just a handful of the things that are often backlogged when an organization moves into recovery procedures. This is where I reiterate that most incidents are over much in a shorter time than this. When those shorter incidents end, the organization often finds itself with enough backlog to fill months or at least weeks. This is from an average incident, if current optimistic predictions for the duration of this crisis we are in for at a minimum of one month, if not six or more months of this. How many years of backlog would be buried if we let all this stuff sit in the backburner? I for one would rather not end up in that situation.
Incident Response Guidance
How can we possibly avoid this?
- Stop letting stuff slip through the cracks. Meaning all those new laptops that were bought and distributed over the last few weeks for remote work that were not logged in inventory or tested for issues is one of many things we can’t leave until things are back to normal. What about all the new healthcare staff that is being hired at breakneck speeds? Were they properly onboarded? Or were they hastily given access to the EHR and network so they could jump in to help?
- Consider all the helpdesk tickets that are being put-off because they are non-urgent? Will your staff really have the time to deal with months’ worth of backlog someday?
- Have you done any remote workforce security awareness training with the workers that were forced to begin working from home? How secure to you think their home networks are? Are you relying on a VPN as a shield? Because MOST VPN providers, and even locally hosted VPN solutions, are straining heavily under the greatly increased number of users that are suddenly connecting. This means that many users will be downloading their work and working “offline,” meaning that it is now stored on a laptops disk drive sitting within a (more likely than not) poorly secured wireless network.
- Consider putting together a detailed incident response checklist that will offer actionable guidance to your organization and help you create a more effective incident response plan. Our team of our experts have created a checklist that will help you build a sound plan for incident response during the COVID-19 Crisis. It can also allow you to manage your time, when now more than ever, time management is crucial.
Those are just a few of the things we all need to be thinking about during the coronavirus crisis. The world is suddenly a vastly different place for healthcare, security, and everyone, and unless we start thinking differently, we cannot hope to ever recover from this catastrophe from an information security perspective. However, during this crisis, we cannot afford to put-off security practices. Many hospitals are in lockdown but awaiting the influx, or there may be “waves” of infected between which there will but time to work on “non-urgent” things like logging, patching, and vulnerability scans.