COVID-19 is changing the way organizations prepare for and respond to an incident. To address this, Marti Arvin and Clyde Hewitt are recording a mini-series on incident response. In this podcast, they discuss what must change as a result of becoming a remote workforce.
Links to stories:
To read more about incident response, read our latest blog: https://insights.cynergistek.com/blog/thinking-about-the-unthinkable-preparing-for-incident-response-with-a-remote-workforce
Hello and welcome to CTEK Voices: The Risk Perspective. I’m your host, Lauren Frickle. Today we’re back with part four of our Incident Response in the Time of a Crisis series, with Clyde Hewitt and Marti Arvin.
Hi Clyde. Hi Marti. How are you?
Hi, Lauren, I’m doing well, thank you. And hello everyone, thank you for joining us in our ongoing series on Incident Response in the Time of a Crisis. One of the things we want to talk about in this session is just the issues around remote recovery and what might be different in the current COVID environment that would not be the same as an incident that might be occurring during (and I’ll use air quotes here that you can’t see) “normal business operations”.
So, Clyde, what are some of the things that might be considerations as you think about incident response under COVID that wouldn’t be things that you might have in your normal incident response plan?
Thank you, Marti.
Unlike remote detection and remote response to an incident, the recovery process on a normal day requires a lot of hands-on operation. If you think about the spectrum of what’s happened in health care, some organizations have had systems infected with malware or viruses. Other organizations have unfortunately experienced ransomware attacks. If we think of how that would change in the time of a crisis such as the COVID shortage or the COVID crisis, then we need to also look at adjusting the response procedures to be able to reimage devices, for example.
Under ransomware, it’s a requirement that organizations go out and physically put their hands on every device because all these devices have to be reimaged and in order to do that, there’s only really two ways to do it. One is for the IT team to do it and the other one is to perhaps rely on people who are already working in the hospital and give them enough instructions to be able to do it themselves.
But what that’s going to take is, it’s going to take a lot of USB thumb drives and very specific instructions on how to do this. So, it’s going to take clinicians away from providing care, perhaps, or maybe you have your IT shop who have already had the COVID virus and they’ve already recovered, and you have the ability to take those, but you’re going to have to help have a force multiplier for them.
So, your support teams that outlive, you know, doing the work from home can help by building these USB, high-capacity USB thumb drives, by building those and making sure that they have the operating systems on hand, and that’s something they may want to look at doing early so that you have the images and have these thumb drives, for example, that can automatically plug in and reimage a machine from scratch.
It’s going to be challenging. One of the things organizations should look at right now is look for third parties. You’re going to have staff shortages. And when I say third parties, I’m not necessarily saying vendors; it may be possible to work arrangements or to make arrangements with other healthcare organizations in the region.
So that you know, you ask the question “Hey, do you have two or three people that you can help me work this recovery operation for the hospital”. And you know the hospitals and you know, from different areas may be able to have you know bilateral agreements so that they can provide staff and you know, even within the IT department, maybe they also want to look at maybe having a bilateral agreement for clinicians as well.
If you want additional staff and you want to maybe look at vendors, for example, then, you know, it’s best to have those contracts in place early, but it might be possible to go out and, you know, find out which vendors are available. But that raises a whole vendor management challenge.
Marti, would you like to talk about, you know, having to basically write new contracts and vet these new vendors, you know, when you’re, everyone’s in a remote environment, and how do you, you know, get those contracts signed and people on-boarded?
Well, quickly before I move on to that or talk about that. I just wanted to touch base on something you said a moment ago.
I agree that in “normal incident response times” having those reciprocal agreements with your local colleagues might work, but that is going to be more challenging in responding to COVID because all of their staff is going to be working remotely and they might be directing their staff not to support these types of things unless they can do it from their remote work location.
Which, you then have all the same issues we’ve been talking about this entire series about onboarding people and getting them the equipment they need and the information they need. So again, it’s challenging in “normal incident response times” and I think it will continue to be even more challenging in the current environment.
So, that is something to consider and, you know, that ties into then the vendor management process you mentioned, Clyde. Getting contracts in place in the time of any incident response where you are in a crisis situation and there is chaos is always challenging, and of course you layer on top of that what we’ve been talking about through this entire podcast series: that your workforce is now remote, people are not as connected. You have all the issues with your devices, and so how are you going to do any form of due diligence on that new vendor if that’s what you need because you’re responding in the middle of COVID?
You’ve got all sorts of issues you’re dealing with to run the facility with COVID and so you’re layering on top of that one additional item, and we’ve always said in talking with our clients about incident response: any contract that you can put in place in advance in anticipation of the potential need for that service is better to do than to try to get the contract in place in the middle of the crisis. So, to the extent you can do that, try to do that.
The other challenge that you’re going to have here is the fact that we’ve mentioned several times also, is they’re all working remotely. So, something that you might be able to get turned around in a day or so in, again, “normal incident response”, it might take even longer in the middle of the current crisis. So, you know, anything you can do to put in place things in advance is going to help you. Anything you could do to anticipate what might be the issues or concerns and try to mitigate those is going to help you.
And you know, Clyde, throughout this series we’ve also talked about the challenges for communications, and many of the same challenges we’ve already discussed in this podcast series are going to be in place when you talk about remote recovery. You are going to have the challenges around stressed phone bridges. You’re going to have the challenges that, you know, maybe not everybody can get a hold of everyone in the best way possible.
In the prior podcast, we mentioned that, you know, again, one possible silver lining here is that because you’ve had to reach out to everybody remotely as a result of operating in that format under the COVID crisis, you might now actually have all those updated phone numbers, updated contact information, and updated personal emails.
So, it’s, you know, that may be a good news piece. But all of the same challenges you’d have through your remote detection, remote response, you’re going to have in the remote recovery as well.
Clyde, any additional thoughts around that?
Those are excellent points, Marti!
A couple things I was thinking about when you were talking about the communication and bridges. Organizations are going to have a span of control problem.
You know, if we’re relying on individuals to now use their cell phones, it also means that rather than, you know, several people dialing into a bridge, you know, which is effective and, you know, you can really use bridges effectively to communicate many-to-many up to, you know, six, eight, maybe even 10 people. But anytime you have more than 10 people on a bridge it becomes more of a lecture, so that you got one or two people talking, everyone else listening. A bridge, you know, when you get over 10 people, really is not the best way to be dealing with, you know, an incident response and recovery process.
So, then you start looking at, okay, how do I control, how do I get the feedback loop back in? Well, maybe they perhaps, you know, send you emails, but now, you know, you’re dealing with the email situation of how many e-mails can you handle. Perhaps maybe they want to send text messages. Group text messages may be a better way than a bridge to communicate out, because now if someone, you know, is distracted at home with some other things, maybe they didn’t hear very well, the bridge quality is not that good, the text message actually has the ability to preserve the communication flow of what needs to be done. But in order to effectively communicate using text messages, it’s important to avoid the pronouns and go with the nouns.
So, you know, if you’re in the heat of, you know, in the heat of recovery and, you know, sometimes people want to abbreviate, but it’s important to be very, very clear through, you know, the use of text messages and the communication bridges. Span of control becomes an issue, especially, you know, if you start losing key individuals up and down the chain of command within a hospital. So-and-so goes down with the coronavirus, you know, they’re out for, you know, the next four to six days, you know, if they’re lucky, you know. Then you start having more people take on additional responsibilities and additional staff that they have to, you know, to monitor their control, and they may not be aware of what, you know, these other people are doing. It becomes a problem or a challenge on managing all of these different pieces that are happening at the same time.
Marti, any other thoughts about that?
One comment before we close out on this podcast in our series is thinking about the kind of information you’re sharing. Because you know, we all are very cognizant of protected health information and trying to ensure that we don’t share that through improper format.
But there have been some articles out on the security of things like Zoom and other types of conference messaging and conference call processes, and so if you think about that, if you’re sharing information that talks about maybe your infrastructure, your IT infrastructure: to share that file through your internal email might be okay; to share that file to my personal email account because you don’t have access to email internally, and that’s the only way to get it to me in the current crisis, may be challenging. Because if that email, my email system, gets hacked, then your entire IT infrastructure is potentially compromised.
So, sharing that kind of information via some of the communication tools that you might be using because you’re all working remotely needs to have people keeping top-of-mind the security functions of those different communication tools to help ensure that you’re very cognizant about how you might share sensitive information. And that’s not just PHI, that’s proprietary information or other types of sensitive information that you wouldn’t want bad actors getting ahold of.
Excellent points, Marti!
That completes the fourth of our series, Incident Response in the Time of a Crisis, and we’re talking about remote recovery operations and the challenges that need to be addressed ahead of time.
Lauren, do you have any closing comments?
Great, thanks so much, Clyde and Marti. Just as a reminder to our listeners, content on Incident Response in the Time of a Crisis can be found on our website at www.cynergistek.com.
Thanks again for listening.