COVID-19 is changing the way organizations prepare for and respond to an incident. To address this, Marti Arvin and Clyde Hewitt are recording a mini-series on incident response. In this podcast, they discuss what must change as a result of becoming a remote workforce.
Links to stories:
To read more about incident response read our latest blog: https://insights.cynergistek.com/blog/thinking-about-the-unthinkable-preparing-for-incident-response-with-a-remote-workforce
Hello and welcome to CTEK Voices: The Risk Perspective. I’m your host Lauren Frickle. Today we have Marti Arvin and Clyde Hewitt with us. Marti and Clyde are Executive Advisors at CynergisTek and subject matter experts in health care cybersecurity and compliance. Today Clyde and Marti will discuss incident response.
This is the first in a series of discussions around incident response in the face of a crisis. Hi Marti. Hi Clyde. Thanks for joining us!
Good morning, Lauren.
This is Clyde Hewitt. One of the things that we have been experiencing recently is the COVID-19 virus, or pandemic, that is reaching out throughout the world, and as a result of that, hospitals as well as ambulatory centers and nursing homes, everyone is having to change the way they’re working.
For clinicians, this means long hours. For back-office staff, we’re seeing that in order to protect those back-office staff that are not direct patient care or do not have direct interaction with patients, organizations are allowing those workers, or even encouraging those workers, to work remotely, either at home or some other location where they can be separated to keep their distance from other folks.
As a result of that, it’s changing some of the basic assumptions that we’re seeing, specifically in the incident response plans that are out there and designed to help organizations overcome some sort of cyber-attack or cyber incident or technology issue that impacts the confidentiality, availability, or integrity of patient data.
Now those plans that were out there were previously designed for folks and the employees to be able to get together, work in a conference room, communicate directly, and quickly work to resolve those issues.
We’re thinking that organizations, all of the healthcare organizations, need to go back and look at some of the basic assumptions that they have with those plans right now and make adjustments before they are needed so that they can actually respond to an issue.
Marti, do you want to continue that thought?
Yes, thank you, Clyde. When you think about this, an incident, a cybersecurity incident of significance, one that’s going to trigger your incident response plan, is already going to have you operating in an abnormal environment. When you layer the issues around COVID-19 and the remote workforce and some of the points that Clyde already made over that, now you have an even more abnormal environment, and so getting people used to thinking about that and starting to consider that is something that organizations should be doing.
We realize that we’re saying this as organizations are already overworked and stressed, but as you think about this, consider what’s going to happen with your workforce. As Clyde pointed out, your clinicians are already working long hours and overtime, taxed and stressed as a result of this. If you have a significant cyber incident that shuts down your system, shuts down access to your electronic health record, that’s just going to layer on more confusion, more chaos, more stress.
So, anything that you’re able to do to take into account this whole new environment that you’re in, in preparation for a potential incident, is going to leave you better off. Think about your workforce and pre-COVID incident response. When they were preparing, and you’ve exercised this, everybody has thought, well, I’m going to go into the conference room and we’re all going to gather there, everybody who’s on the incident response team. You don’t have that conference room any longer; you don’t have that screen up where everybody can look at a document or look at that process at the same time on the particular screen. Now those issues can all be resolved with teleconferencing and things of that nature, but it’s not what people have gotten used to. So that’s going to be something that they’ll have to just adjust to and get themselves used to. You also have to consider that some of the technology solutions you might be using to respond to the incident might be on site.
So you’re going to have to consider bringing people back on-site to have them actually support responding to the incident, because you may not be able to do that off-site. And then you think about things like bandwidth. We already know that technology solutions like Zoom, GoToMeeting, GoToWebinar, and things of that nature have had some issues for organizations because so many people are now utilizing them, given the high number of folks working remotely.
Well, will that be a problem for you if you’re trying to use that same solution to respond to the incident? And then another consideration is, what’s the variance among your workforce as they’re working remotely? This didn’t have to be a consideration pre-COVID because everybody was on site. So, everybody was connected to the network and everybody had that access, and they were free to physically move around to go to the right machine or the right location. If your employees don’t have the same access capabilities, that may create problems, and you may have some key personnel that you want to have on a conference call, but perhaps they can’t be.
Clyde do you have additional thoughts around that?
I do Marti, thank you very much.
One of the things that you brought up is remote access into the systems and tools. Many organizations do not have the capability to access everything that needs to be accessed, from a network standpoint or from the tool standpoint, using remote systems. Some of those require you to be on-site, or close to the system, or on the network because of the bandwidth issues.
But you also had me thinking: if those systems go down, you also many times have to contact the supporting vendors, and those vendors too may have issues, especially in incident response. For example, with ransomware, one of the first things that happens after a ransomware event is many organizations will shut off access to their network, and if they shut off access to the network while they’re operating remotely, they have literally isolated themselves and their ability to get on to the network to respond. So that becomes a challenge.
The other thing is, what about the vendors that are out there? The fact is that COVID-19 is impacting health care, but it’s also impacting employees of all of the support vendors. Many of these vendors are sending their workforce home as well. So now you have an issue of, okay, here’s the number that I normally call, but what happens if no one answers? Did your vendors think far enough ahead to go ahead and have those call centers routed to their remote workers?
Do you have, for example, the cell phone numbers of key personnel for a lot of your key vendors so that you can reach out and find those? And, oh, by the way, it doesn’t help to have those cell phone numbers on your computer at work; you need those cell phone numbers in your own personal cell phone. And you even have to ask the question, “Will they even answer the call, because we’re seeing so many spam and phishing phone calls right now?” A lot of people actually let calls from unknown numbers go to voicemail and deal with it later.
So, Marti did I miss anything that needs to be covered in that?
Well, I think, Clyde, one other comment on that is, you know, thinking about who your critical vendors are and who you might need to coordinate with, and recognizing that they may be setting up infrastructures that are way outside the norm. Meaning, if you have a vendor that you’ve outsourced and offshored, you may have had contract agreements that those services had to be performed in a certain physical location, and now that workforce has been scattered to their homes. So, it’s not just what’s impacting your US contractors, but your non-US contractors as well.
So, think through and consider how that infrastructure is in place, and I agree with you completely, Clyde, about setting up those contacts now so that you have a way to reach out to those key people at the vendor, and hopefully they’ve put you in their cell phone so that if that’s what you’re calling from, you come up as a contact as opposed to an unknown caller that they might let go to voicemail.
Now my philosophy is, if you call me and you leave me a voicemail, you’re probably somebody who is legit and really trying to reach me. Whereas if I get that call from that unknown number and they just hang up and don’t leave a voicemail message, my assumption is you really didn’t need to reach me.
So, my recommendation is go ahead and leave the voicemail if you are given that as an option, because, you know, they may listen to the voicemail and realize, oh no, the party actually does need to reach me, this is legit. But if you just hang up and try the next person on the line, you may encounter that multiple times. So, other thoughts around this, Clyde?
You raised an excellent point, Marti, about leaving the voicemail. I have called several vendors many times in my past, and one of the things I find is that in times of crisis those voice mailboxes tend to be full. They can’t seem to get them cleaned out and, you know, responded to fast enough. So, you’ll end up with a voicemail box that you can’t even leave a message in. So, you need to think about that and how you are going to reach the next person in line.
The other thing is, it also opens up a channel for misuse. In other words, you may find that, you know, some of the hackers or things like that can exploit that situation to try to get at a vendor, or to pretend to be a vendor calling you to try to get access. And so, we need to think about how we’re going to have specific controls that can respond to that. Maybe use code words, for example, with your vendors; in other words, pre-train the staff on both sides that there are challenge and response words so that you know you actually have the right person.
So, Marti what hasn’t changed? I mean, we know what’s changed in moving to a workforce that’s remote, but there’s things that haven’t changed.
Well, so when you think about it, you know, if you have a significant cybersecurity incident, you’re still going to have to respond to it. You’re still going to have to engage in a lot of the activities that you’ve, you know, already put into your incident response plan that you’ve already exercised. The way you do it obviously might be modified because you have a remote workforce, but you’re still going to have to work at detecting where the bad actor is in your system and what they’ve been doing. You’re still going to have to monitor your logs; you’re still going to have to evaluate any anomalies that you might identify.
So, these are things that aren’t going to change because you’ve got a remote workforce. The process for engaging in them may change because you have a remote workforce, and again, you need to think about what the challenges are that are going to be associated with that. You have to consider all the things that we’ve talked about thus far.
Another thing to think about is that you may need to engage new vendors in this process if you haven’t pre-contracted with certain vendors, and how are you going to do any form of a risk assessment or risk analysis on that new vendor if you don’t have any structure in place? So, you probably have something in place today that does the evaluation of your new vendors. Hopefully, you do, but how is that going to look? How does it look in the normal incident response structure that you have in place, your incident response plan, and how might you change that, or what considerations might you think about, as you get into a situation like the COVID-19 pandemic crisis and how you’re functioning under that?
Thoughts on that Clyde?
Excellent points, Marti. One of the things I was thinking about, and one of your comments triggered it, is engaging new vendors. A lot of smaller organizations do not have in-house counsel; they rely on a third party, and in the COVID self-quarantine that’s going on right now, you know, organizations that don’t have a daily interaction with their counsel may find out, you know, whether they have the ability to reach them.
I’ve talked to some organizations that have experienced incidents in the past, even pre-COVID, and it’s like, you know, we’ve had an incident. We’re trying to get a hold of our counsel, you know, we’ve left them voicemails now for two days and, you know, they’re not responding. And it’s like, okay, it was a Friday night when the incident happened. Do you actually expect, and have you set expectations, that your external counsel is going to respond on a weekend? Do they have that expectation?
So, you’re finding out that, you know, things can go rapidly, especially in incident response, and not only does your organization need to be prepared to respond immediately, but all of those support structures, the outside vendors, need to also understand the criticality of that and be prepared to in fact respond for you.
Marti, did I miss anything?
You know, I don’t think you’ve missed anything, Clyde, but the one thing you made me think about that I hadn’t really considered before is, not only is there an expectation for them to respond, but do you know what’s happening with them?
What if you’re in a smaller enterprise and you have a firm that maybe has two or three attorneys, but one of them is out with COVID, they’re one of the unfortunate people who’s contracted this? What does that mean for you? Are they simply self-quarantining with mild symptoms, and therefore you could probably reach out to them and connect with them remotely, or are they unfortunate enough to have a more severe case of it and potentially hospitalized, where you’re not going to be able to reach them?
So again, we know you’re all in the middle of this crisis and you’re probably working long hours and you’re thinking this is the last thing on my list, but any little thing you can do to make yourself more prepared for this, and for dealing with a cyber incident in today’s environment, is going to be better.
So again, those are the kinds of things you need to think about: how are you going to get a hold of them? And the fact that some of these individuals, if they’re smaller firms or don’t have a lot of bandwidth in terms of people resources, could be impacted by someone who has tested positive and maybe even, unfortunately, is possibly hospitalized for this. So that’s another consideration in thinking through what your alternative is going to be.
Clyde any other thoughts?
Marti, I think you’ve nailed it. You know, one of the things it even raises is the issue, you know, if you do have a supporting vendor and they’re typically local and they are admitted to the hospital, maybe at your facility.
Then you start having to raise the issue of, is that something within HIPAA? Can the clinician share it with the back office, saying, hey, our support vendor is in the ICU right now? So those are some questions that, you know, need to be managed, and that’s going to raise some of the issues on what the federal government is doing about some of the discretionary enforcement, I think is the official term. Marti.
That’s true, Clyde. So, let’s talk a little bit about some of the additional things you can be doing to help prepare yourself in this changing environment. These are things that we want to talk about in the subsequent podcasts in this series.
So, we’re going to touch on them at a high level here and we’ll go into more detail on the subsequent podcasts. But if you think about the detection step of incident response, we know there is a higher rate of attacks now, that bad actors are exploiting the current environment to increase phishing and increase improper emails, and are just trying to get into your system.
So, you know, you need to think about the fact that the likelihood that you’re going to have a cyber incident in the current environment is actually even higher. We already touched on the idea of the remote workforce and thinking through things you can do there. So, that’s a continuing assessment that you’re going to have to think about. And then, how do you even get the right equipment? Does your workforce have the right equipment to work remotely, and how have you managed that and processed that?
Clyde additional comments on the standard incident response process?
Yes, I think, Marti, we think about the standard incident response process and the fact that organizations think that they have enough equipment on-site to be able to handle it. But as we look at COVID, healthcare organizations that are in these hot spots are bringing in additional staff, and as they move staff from the back office to the home office, some of these organizations are actually going out and starting to buy additional equipment to support those home office users. We’ve heard some reports, and we’ve seen some reports, that some of this equipment has been purchased through third parties that may or may not be trusted. So, it’s raising some issues. It’s adding additional risk into the organization.
For some other organizations, they may be asking their employees to bring their own device, for example. That introduces another level of complexity, especially for some of the offshoring; we’ve seen reports where organizations have, you know, allowed employees to go forth and take additional steps to use personal devices to connect to corporate devices, which then connect to your corporate network. That adds additional resources.
All of this is going to require communications, and additional communications, and there have already been several instances where the conference bridges, for example, seem to be stressed; people have to dial in multiple times.
If an organization were to experience a true incident like a ransomware attack, for example, or some sort of malware, or things like that, it’s going to be extremely challenging. So, identifying these things early is important. And yes, we are going to be covering this more in the additional sessions going forward.
Back to you, and just one other comment in consideration of when you would bring staff back on-site if you have a significant cyber incident, and who’s going to make that decision. Because now you’re asking staff to come back in and potentially expose themselves to the virus, but is this a functionality that they just can’t do remotely? And again, who’s going to be the decider on that?
I’d suggest you probably want somebody fairly high up in your organization to make that judgment call. And you’re right, Clyde, there’s a lot more detail to go into around effective communication and the way you can handle that as it relates to your incident response process.
So, I think, you know, as we look at this, we could spend hours on this topic. We often spend hours on incident response exercises in what I call the “normal abnormal,” and now we’re in the middle of COVID. So, there’s more to add on this, and we’re going to bring you more podcasts and more information, and just make sure you look at the CynergisTek website to see all the resources we’re creating for you. Clyde.
Thank you very much, Marti. Yes, I think we’ve covered the topics that we wanted to cover within this podcast, and again, look to the CynergisTek website for the continuing sessions in this series. Lauren.
Thank you so much, Marti and Clyde, for that information. Very helpful. Thanks for being here today.