Ransomware attacks on hospitals, for example, are high-profile targets for ransomware attacks because they attract a lot of media attention. When hospital employees enter and leave the facility after an incident, staff members are approached by the media to report what happened. Every staff member within the hospital must have the same communication message, and the staff members must control the flow of information to the media.
This communication incident response plan should include but not be limited to:
- It is important to familiarize everyone with the incident types that could threaten the hospital’s operations.
- Creating a communication strategy for incident response is especially important when security incidents become public knowledge before leadership is aware of it
- Assembling a crisis management team and allocating clear responsibilities
- Through incident prevention planning, we are considering ways to prevent similar attacks in the future.
And while data breaches can also create reputational and regulatory concerns, hospitals and other healthcare companies need to recognize that their institutions are prime targets for attackers. As such, they should make cybersecurity incident preparation and incident response plans.
Hospital stakeholders need to know their legal obligations under HIPAA and other applicable laws. They can get valuable guidance from counsel about how best to comply with these rules while still addressing public relations issues in advance before they become problematic.
The incident response team must prepare an incident response plan that has been discussed and practiced regularly with stakeholders. It needs to identify roles and responsibilities for incident detection, incident containment, incident eradication, and follow-up. Incident prioritization is also necessary to immediately evaluate critical systems or devices.
Accurate communication must go beyond just one message being delivered consistently among stakeholders. The communication strategy must consider who will provide the message, where they will have it, when they will provide it and how often they deliver it.
Hospitals should have disaster recovery plans in place so that all services are not entirely disrupted during an incident.
Finally, the biggest threat to data breach incidents within organizations is the human factor.
We have all heard the statistic: humans are responsible for 52% of cyber incidents! These security incidents consist of hacking, phishing, malware, and all other forms of data breaches.
While this is disconcerting, it also points to a systemic failure as organizations spend millions on network security and related security technologies such as firewalls and threat management systems.
These systems and technologies are supposed to protect organizations and their customers' data from the bad guys. Still, even with these measures, we only attribute 52% of cyber incidents to human mistakes or negligence. So what is going on?
A recent survey found that employees within organizations need cybersecurity awareness training because they do not understand the risks associated with using work devices for personal reasons.
Employees are naïve about the threats to their data and tend not to follow company policy when viewing or sharing work files outside of the office.
It is even more disconcerting that employees view cybersecurity awareness as boring, one-off training sessions rather than ongoing learning opportunities within their daily routine. This lackadaisical approach to cybersecurity is a recipe for disaster. Employees become sitting ducks, leaving the door wide open to hackers who are only too willing to take advantage of their carelessness.
Organizations need to put together a comprehensive plan for enhanced cybersecurity awareness training that is effective and engaging. Each employee understands how their behavior can affect data loss.
The threat of ransomware attacks is real, but it is not impossible for healthcare organizations. Before an event, providers should assemble with their leadership, legal counsel, cybersecurity, and information technology teams to construct a clear action plan to formulate reaction activities.
For more information on creating, maintaining, and strategizing a cybersecurity plan for your organization, contact me at Vanderson Cyber Group, www.vandersoncybergoup.com, or call Mack Jackson Jr @ 702–868–0808 today.