Maintaining Cybersecurity When Disaster Strikes - CHCANYS


Maintaining Cybersecurity When Disaster Strikes
November 18, 2020

Objectives
- Demonstrate the cybersecurity considerations and activities relevant to incident response through the use of a case study
- Provide the main objectives and most important activities related to cybersecurity when responding to an emergency or incident
- Discuss what steps organizations should take to prepare for cybersecurity incidents

Agenda
- Overview of Emergency Response
- Business Continuity and Cybersecurity
- Security Incident Response
- Case Study
- Conclusion
- Supporting Documentation

Emergency Response Overview

What Does Cybersecurity have to do with Emergency Response?
[Figure: examples surrounding the question: Natural Disaster, Snowstorm; Technical Outage, Power, Network; Pandemic?; Social and Political Conflict?; Cyber Attack, Ransomware]

Business Continuity and Security Incident Response
[Figure: overlapping areas labelled Security Incidents, Emergency, IT Disasters]

What We’ve Learned from COVID-19
1. You may need to pivot to new technologies quickly
   a) Cybersecurity considerations of work-from-home, BYOD, and Telemedicine
2. Cybercriminals don’t go away during a pandemic; if anything, they increase and focus efforts
3. Business Continuity Plans should account for loss of physical access and key staff
4. All types of emergencies have cybersecurity implications

Poll Question: New Technologies

Business Continuity and Cybersecurity

HIPAA and Emergency Response
Contingency Plan - § 164.308(a)(7)

HIPAA and Emergency Response

NIST Cybersecurity Framework

Respond function categories:
- Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected events.
- Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
- Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
- Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
- Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

Perform a Business Impact Analysis
- What workflows are critical during an emergency?
- What systems and information are critical to supporting those workflows?
[Figure: Simple Balanced Scorecard Indicators Dashboard]

- How can you perform those workflows if those systems aren’t available? How will information be available when and where needed?
- How will you maintain integrity of information as you go to paper-based or offline systems?
- How will you maintain security controls during an emergency? Consider: Access Control, Encryption, Monitoring, Backup/Recovery.
- Are there areas where you will bypass controls? For example: Emergency Authorization for access to systems? What compensating controls are in place?

Business Continuity Plan
- When you return to “normal”, how will you reconcile production and backup systems?
- Who will make determinations of when to switch systems?
- Lessons Learned.
[Figure: NIST Cybersecurity Framework function labels Identify, Protect, Respond, Recover]

Business Continuity Plan
Components of the Business Continuity Plan
- Business Units/Locations with primary and backup contact names and numbers
- BCP Team Members and Responsibilities
- List of critical assets (input from BIA)
- Reference Documents such as facility recovery plans, system backup/recovery plans, State/local plans
- Departmental BCPs
- Communications and Coordination Plans
- Critical Vendor, Service Provider, and Law Enforcement contact information
- Procedure to return to normal operations

Poll Question: Ransomware

Case Study: Ransomware
Topic - Questions
- Identify: Are critical assets identified and their susceptibility to Ransomware assessed?
- Protect: Are critical assets backed up? Are backups logically and physically separated from production systems? Are critical assets on separate network segments?
- Detect: Are systems in place to detect ransomware Indicators of Compromise (IOCs) so that it can be contained before it launches or spreads?
- Respond: If critical assets are locked up, how will the organization respond? How will the message be communicated externally?
- Recover: Have you tested recovery plans for affected systems?

Case Study: Ransomware
Mikkel Finsen, Open Door Family Medical Center

Security Incident Response

Source: 2018 HIMSS Cybersecurity Survey

POLL: Questions 3 and 4

HIPAA and Security Incident Response
Security Incident Procedures - §164.308(a)(6)
“Implement policies and procedures to address security incidents.”
RESPONSE AND REPORTING (R) - §164.308(a)(6)(ii)
“Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”

HIPAA and Security Incident Response
Definition of Security Incident:
“the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

Security Incident Response
Maintenance
- Test Incident Response Plan through Tabletop Exercises
- Test likely scenarios (e.g. Ransomware, Phishing, Theft)
- Improve based on lessons learned
- Review documentation of security incidents to identify improvements
- Update/Review annually

Security Incident Response
Questions to ask yourself:
- How are we documenting security incidents?
- What is our communications plan? Internal/External?
- Who are the decision makers? For example, who has ultimate authority to shut down critical systems such as EMR in order to prevent further infection of malware?
- Do all employees know how to recognize a security incident, know their obligation to report, and know how to report?

Security Incident Response Plan
NIST SP 800-53 (IR-8) Incident Response Plan:
- Provides the organization with a roadmap for implementing its incident response capability;
- Describes the structure and organization of the incident response capability;
- Provides a high-level approach for how the incident response capability fits into the overall organization;
- Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- Defines reportable incidents;
- Provides metrics for measuring the incident response capability within the organization;
- Defines the resources and management support needed to effectively maintain and mature an incident response capability

Security Incident Response
Components of a Security Incident Response Plan
- Business Units/Locations with primary and backup contact names and numbers
- CIRT Team Members and Responsibilities (RACI Chart)
- Communications and Coordination Plans
- Security Incident Handling Procedures
- Security Incident Notification Plans
- Escalation Procedures
- Chain of Custody Procedures
- Critical Vendor, Service Provider, and Law Enforcement contact information
- Post Incident Activities

RACI Chart
The Responsibility Assignment Matrix (RACI) describes the level of participation by various roles in handling different stages of the incident response lifecycle. The RACI matrix is comprised of the following actions:
- R – Responsible – owns the action; is responsible for completion
- A – Accountable – ultimately accountable for completion
- S – Supporting – provides resources or plays a supporting role
- C – Consulted – provides information or has capabilities necessary to complete work
- I – Informed – must be notified of results, but does not need to be consulted
[Table: RACI chart; column headers recovered in part: Users, CIO, ISS/HSD, ESO, Legal/IPO, RMO, Server; rows: Eradication: I A I R I I R R R I I; Recovery: I A I R C C S S S I I]

Interaction: Scenario 1
You just received a call from the FBI indicating your systems have been compromised.
- What do you do?
- Who do you call?
- Do you have a Security Incident Response Plan ready to use?

Interaction: Scenario 2
Your Internet connection is down, and you determine it is due to a Distributed Denial-of-Service Attack.
- What do you do?
- Who do you call?
- What do you tell your employees, patients, and the public?
- How do you maintain operations and availability of information?
Consider: Confidentiality, Integrity, and Availability

Interaction: Scenario 3
A doctor reports that they were tricked by a phishing email into entering their credentials into a fake website.
- What actions should you take?
- Who do you inform?
- What documentation and evidence do you maintain and where?

Conclusion
- Consider what types of emergencies or incidents are likely to occur in your organization and the cybersecurity ramifications
- Have your response plans ready and tested
- Know roles and responsibilities for your organization (Hint: this isn’t just an IT problem)
- Know when and how to reach out to experts

References
- NIST 800-61 – Computer Security Incident Handling Guide (URL fragment as extracted: ons/NIST.SP.80061r2.pdf)
- NIST 800-84 - Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (URL fragment as extracted: 4/final)
- (URL fragment as extracted: s/26845)
- https://security.berkeley.edu/faq/ransomware/

Thank You
