COVID-19 is changing the way organizations prepare and respond to an incident. To address this, Marti Arvin and Clyde Hewitt are recording a mini-series on incident response. In this podcast, they discuss what must change as a result of becoming a remote workforce.
Links to stories:
To read more about incident response read our latest blog: https://insights.cynergistek.com/blog/thinking-about-the-unthinkable-preparing-for-incident-response-with-a-remote-workforce
Hello and welcome to CTEK Voices: The Risk Perspective. I’m your host, Lauren Frickle, and I’m back with part three of our series, Incident Response in the Time of a Crisis, on remote response with Clyde and Marti.
Good morning, Lauren, and hello everyone. My name is Marti Arvin. I’m, as you know, one of the executive advisors for CynergisTek, and we have created this series to help support you in this time of crisis and give you things to think about and consider on the incident response spectrum from NIST: both remote detection, which was part two, remote response, and there’ll be additional podcasts on remote recovery, compliance requirements and general recommendations.
Clyde, thinking about remote response, can you talk a little bit about communication challenges that our organizations might see?
Yes, Marti. Thank you very much for the introduction. Communication challenges are especially difficult in a time of responding to an incident or cyber crisis or privacy crisis. Number one, because a lot of the plans that hospitals and providers and ambulatory clinics have out there are dependent upon having a command center someplace where everyone can show up in the room. Once those folks show up in the room, you know, they can have multiple conversations simultaneously.
Any time that you are in a remote environment, now you’re setting up conference bridges. When you set up conference bridges, you are limiting your staff to having one communication at a time. These things have to take place serially rather than in parallel.
So, one person talks, everyone listens, then it transitions to the next person: one person talks, everyone listens. In order to be able to communicate that way, it takes a lot longer to start responding and to build the process for this. And you may find yourself with some interpersonal issues or personnel issues, whereas, you know, you have the introverts that are maybe not willing or shy about jumping into the session and offering insight. So those are some challenges that are out there.
You also find out that you may have stressed conference bridges, and organizations who have set up predetermined conference bridges based upon their own hospital’s telecommunication system may find out that, especially when you’re talking about ransomware or malware, one of the first responses is to shut down the network. So, organizations that rely on their local conference bridge may find out that no one has the ability to talk. So now we’ve got additional challenges.
The other challenge is how do you let everybody know? Within your cell phone, for example, does your cell phone have the cell phone numbers of everyone else on the incident response team? So, you know, how do you quickly get the information out?
You also have some other information challenges like, well, our incident response plan is sitting on our server. Well, that’s cool, if your server is not impacted by the incident, especially if you have to shut off the network. So, things like incident response plans: when your employees have to relocate to home for the duration of the COVID issues, then do they have a copy of the plan locally? Do they keep it on their cell phone? Do they keep it on their laptop computer or whatever? Or do they even keep it on paper, for example?
So you may have some file share limitations, and this may be a good time to start looking at potentially the use of the cloud, but you know, don’t jump into a cloud solution because you still have to think about the risk of putting sensitive information in the cloud. The second issue is, you may have mobile device limitations. Organizations may be in areas, you know, I should say individual employees may be in areas where their mobile phones are stressed because a lot of people are dealing and making more calls. So, unless they have unlimited data plans, for example, or unlimited talk plans, they may be reluctant to stay on for the duration of a lot of these calls that are needed to respond to communications.
So, Marti, did I miss anything? I mean, I’m sure there are some personnel issues that need to be addressed. Do you have any thoughts on that?
Well, a couple of things that I thought about as you were speaking, Clyde, and to your point about the mobile device limitations: what are you as an employer going to do to potentially reimburse employees if they have those kinds of limitations, but you want them to stay on the phone or you want them to stay connected? Have you thought about the idea that you might be, you know, needing to reimburse them for those additional data costs or other things as you find them to be critical?
Another piece is one of the things that could be good news, if you think there is any good news in this COVID crisis, is that because more people are working remotely just in the normal day-to-day business, there’s probably an increased likelihood that you have the current contact information, you have the current mobile phone number, you have the current home phone number handy because you’ve had to have it to use it just to function in your normal day-to-day business.
So, you know, we encourage people routinely to make sure that their phone trees and that kind of data is kept up to date just in the course of regular business and thinking about incident response when you don’t have to worry about all the people being remote. And so this, maybe, you know, if you can find any silver lining in what we’re dealing with today, that may be one of the silver linings: that you may be forced to update that and have the current information.
And you know, that’s the only additional comments I have around this particular topic. But I know another big topic in remote response is thinking about the implications with your vendors.
Clyde, do you want to talk a little about that?
Absolutely, Marti! I’ve been thinking a lot about the vendors. I mean, vendor management has been a challenge with healthcare organizations even before the COVID environment was thrust upon us. So, we talked about how do you get in touch with vendors? You know, who is the right contact with the vendor? So, you know, think about what’s happening with the vendors. A lot of the vendors are also in lockdown or remote working situations.
So, with that in mind, you may have your vendor contacts that you need to help respond to a security or privacy incident working from home as well. So, their desk phone may not work. Maybe they’ve got their desk phone forwarded to their mobile number, but now they’re going to sort of miss those calls or they’ll be delayed in reaching them.
You know, most recently I needed to reach out to a vendor about an issue and the voice response unit said: “we’ve moved to a chat function only, we don’t have a call center anymore because our workers are working from home and we can only deal with chat”.
And another vendor, for example, says, “you have to reach me through Facebook Messenger, leave a message”, and as soon as you put the message in saying I need help, they came back saying due to the high call volume of the COVID crisis, expect your message to be answered in the next 48 hours, for example. That’s a real-world example that I’ve experienced in the last 48 hours. So, these call centers that are shutting down have also impacted this.
Marti, that makes me think, you know, is that a contractual issue that organizations probably want to deal with today?
I’m not a hundred percent clear on what you’re asking about the contractual issue. If what you’re saying is, you know, do they need to have those sorts of “Disaster Recovery” or “Disaster Response” functions included in their contracts with their vendors? You can argue that that’s technically already there if it’s a vendor with whom they have a business associate agreement, because they probably have language in their business associate agreement currently that says you will have appropriate administrative, physical and technical safeguards. And as we know, some of the safeguards that are outlined in the HIPAA security rule are to have an appropriate disaster recovery and business continuity plan.
So, you know, if you want more explicit language, you might consider that, but I don’t know that it necessarily has to require a change in your contract unless you want, again, that additional level of specificity. And just to be clear, we are not providing any legal advice when we say that; if you have questions around specific contract language, you might want to work with your attorney to determine that.
That’s a great point, Marti, and speaking of legal advice, what if an organization needs to reach out to their counsel? It’s typically not within normal operations for outside counsel to be available 24×7. Is it? I mean, is this something that is changing the way we work in health care? What are your thoughts on that?
You know, I think a lot of law firms are available outside of “normal business hours”, and clients, particularly if it’s someone you work with a fair amount, probably have the ability to access somebody at the firm. If you’re in a smaller environment that might be more challenging because you might have a more limited or smaller firm you’re working with, but you know, a lot of firms would have that functionality and capability because attorneys recognize that crises come up outside of normal business hours, not thinking about the COVID crisis to that extent, but just the normal business functions and activities.
However, if you’re experiencing a cyber incident, as Clyde talked about in our prior podcast, there has been a substantial increase in cyber-attacks against healthcare as a result of the COVID crisis, and as you might imagine, that’s not only going to impact the healthcare organizations and their incident response, but the firms are going to be busier supporting clients and responding to that. And all of the issues we’ve talked about a moment ago on communications are the same kinds of issues that your law firms and other vendors that you may need to support you in your response are going to be having.
So, you know, it’s not just what you’re dealing with and being able to find somebody else to support you around that, but it’s that they’re all dealing with it as well. And so as you think about this, you know, anything you can do, we know you’re all extremely busy, but anything you can do to mitigate some of the issues we’re talking about and the changes in incident response that you have to consider as a result of the COVID crisis are going to be to your benefit.
Because, like before the COVID crisis, we would always talk about not “if you have a cyber incident” but “when”, and now with the COVID crisis and the increase in the hackers and the threats, that’s even more so.
Clyde, you know, other things to think about: I think you talked to me in a different conversation about cyber insurance, and again, this is the same kind of thing as with your attorneys and getting a hold of somebody. Are you going to be able to reach them, and have you talked with your vendor?
If you have limitations in your policy about the requirement to notify within a certain time frame, is there going to be any record that you tried to reach out to the vendor within that timeframe? Are they going to have flexibility around those kinds of terms in the agreement? So that if you aren’t able to reach them and you somehow don’t fall within the timeframe for coverage, you can say, well, we tried to contact you.
So at a minimum, you want to think about keeping notations: tried to contact them at 8:14 on April 1st, tried again at 2:32 on April 1st, tried again at … so if you’re not able to actually get through to them, even in an e-mail or some other way that it can be recorded, you have created your contemporaneous record to try to ensure that you’ve got some documentation that you made every attempt to reach them within that time frame.
Clyde, you want to talk a little bit, you know, as you think about cyber insurance? They oftentimes have different vendors that they have put into panels, like, you know, outside counsel that you have to use, or forensics firms you have to use. Do you want to talk a little bit about the issues around that?
Absolutely. I mean, we’ve already seen it with ransomware and the rapid increase of ransomware that happened over 2019. A lot of healthcare organizations use the same cyber insurance carriers, and they have panels of forensics firms and attorneys.
One of the things that I was thinking about, Marti, especially when you were discussing the outside counsel delay: if you cannot get a hold of your outside counsel, either directly or if you’re depending upon your cyber insurance carrier and they require you to use their outside counsel to manage the same. Until you actually can get a hold of those teams and things, it’s very difficult to put something under attorney-client privilege because the attorney is not there to direct the action. So that could be a problem and it could be a future risk exposure, you know, going forward, but that’s going to be a topic in future podcasts.
But as far as the subcontractor backlog issue that you brought up, forensics teams, for example: under the HIPAA, you know, breach reporting rule, you have to report a breach within a certain amount of time (60 days for the federal requirements). But we have 50 states out there with 51 different versions of what they think is the reporting requirements.
So, for those, you know, when does the clock start? It’s when you knew of the incident or when you should have known about the incident. So some of the things, you know, maybe you can’t rely on the forensics team, for example, to come back, because it may take them months and months to come back and say yea verily, there was protected health information in that server that was accessed and therefore that officially starts the clock.
But, let’s say you have a phishing attack, for example, and you know, do you wait three months before the forensics team comes back and says yea verily, you have PHI that was attacked, or is that part of your incident response process?
So, do you have that conversation with the individuals who had their account attacked so that you know what type of work they did? For example, maybe, you know, someone is working in ordering supplies for bed sheets or ordering masks and stuff like that. If their account got hacked, the chance of having patient information is low, but if someone’s in patient accounting or patient financials, the chance of their account having patient information in their email, for example, is high.
So, these things need to drive the urgency. The other thing is if there is a mass attack at what point is force majeure going to kick in?
And that’s something Marti, I think maybe you can help clarify a little bit there and give some considerations on that.
Well again, just to be clear, we’re not in the business of giving legal advice and this is not legal advice. But as a general premise, the Force Majeure clause is a clause in contracts that says if there’s something that happens that is beyond all of our control, then certain provisions of the contract aren’t applicable, or they are, you know, applicable in a different context. And so a cyber incident is generally not going to be considered a Force Majeure.
The COVID crisis might arguably be a Force Majeure, but when you talk about that kind of clause, particularly when you’re thinking about your cyber insurance policy, it’s the incident that would have to be the Force Majeure, in what I’m thinking. But again, if you have concerns about whether a Force Majeure clause would kick in, you want to talk to your attorneys and get some clarity around that. I don’t see it happening, but you know, that’s something, if you’re concerned, you want to talk to your counsel and get some clarification around that.
But another issue in the response, Clyde, is simply equipment availability. What might be happening around that in the remote response process that might not be as big of an issue in an incident response structure if we were not in the middle of the COVID crisis and having to do a lot of things remotely?
That’s an excellent, excellent question, Marti! A couple of things we probably need to evaluate early, even before we get deeper into this COVID issue, is, you know, do we have enough laptops for our remote workforce? And do we have enough laptops for not only our remote workforce but any temporary staff that we bring on?
We had mentioned in a previous podcast the challenges of, you know, if you have issued a laptop to someone and that someone comes down with the COVID virus. Do you really want to risk going to pick up that device and move it to someone else? Or is it just better to get another piece of equipment? Just as we’ve seen with testing supplies and with masks, we’re also seeing challenges right now with things like microphones for computers, computer mics and speakerphones, and even computers.
You know, I’ve heard of hospitals going out to the local IT vendors, and without mentioning them you can think of, you know, the office supply stores, and picking up additional equipment to help fill in some of those gaps.
You also may run into issues over the long term of response to a crisis, especially if we see a change in tactics of some of the threat actors to move from ransomware into wiper attacks, for example. If there are wiper attacks, we could find ourselves needing new computers, new hard drives, and a lot of those are coming from countries that have literally been shut down for months, and it’s going to take a long time to build that capability back. We have seen wiper attacks happen in the Middle East, for example, between two countries over there, and when that happened it took, you know, hundreds of thousands of dollars or millions of dollars to go out and literally buy new equipment, because hard drives could not be reformatted to be reused; firmware on a computer was destroyed to the point that you could not even reimage or put new firmware on the systems.
So, the only way to literally build their way out of this crisis was to buy new hardware, and COVID right now is putting a real crunch on the ability to manufacture equipment. So, you know, there is a higher demand now, but you know, we are unusually susceptible, you know, to the manufacturing delays for not only the masks but also for computers and equipment to help the remote workforce, and the vendors that are supplying us with that equipment.
Marti, what are your thoughts on remote workers?
Well, you know, before we move on to that topic, you raised an issue that I had not thought in detail about. But as you’re getting that new equipment, how are you going to provision it? When you get new equipment in your current environment, you probably have the piece of equipment come into your IT shop, they put the image on it that’s appropriate for your organization, and then they deploy it on to the actual end-user.
Well, can you do all of that remotely if you have to get new equipment out to help support your remote response for an incident that might have occurred? So, that ties in a little bit, I think, to the remote worker topic. If your IT folks who normally would provision that are going to be remote, can they do remote provisioning? Can they somehow access the device that’s not previously been on your network because it’s new, and is it going to be set up so that it could permit that access to do some sort of remote provisioning? Or is that device going to have to go to maybe the home of one of your IT folks for them to provision it and then on to the actual end-user? And of course, all of that increases the risks; the more hands that are on any piece of equipment now, the increased risk that you could be contaminating individuals as you move it from one location to the next.
You know, there’s been evidence that the COVID virus can stay on hard surfaces for up to two to three days. So, what processes do you have in place to help maybe sanitize that equipment? Not only sanitize it from an IT technical perspective, but sanitize it from a purely physical perspective.
In our prior podcast, we talked a little bit about the remote workforce as it relates to detection; you have many of those same issues as it relates to response. The same kind of ideas around bring your own device, and the fact that that might be a device that had not previously been on your network, and how are you going to connect it today? And what are the security features and functions of that device, and does it match up to what you currently have in place for your organization? What kind of access does your remote workforce have in order to support your response activities? Do you have VPN access? Is that going to be an issue?
Some of the same comments about going back to bring your own device. Does the user have an account set up that supports this? If they need to download big files and they only have limited data on their device, is that going to be something that they’re able to do?
Clyde, you want to talk a little bit about maybe the need for increased auditing and potentially higher absenteeism as it relates to the remote workforce in your response process?
Absolutely, Marti! One of the things that we also need to think about is, as remote workers continue to do their job outside of the typical office, it’s going to increase the risk. It’s going to increase the risk because we’re going to stress the capability of VPNs. Maybe we don’t have licenses for that many connections. Maybe the bandwidth in and out of these organizations was not designed to handle hundreds or maybe even a thousand people working remotely.
So, there may be some shortcuts that folks need to take to, you know, help respond to the crisis, but at the same time some of those shortcuts may increase the risk. So especially as we respond to a crisis, we need to also look at performing additional auditing on who is in fact connecting to the system.
And there are a couple of reasons for that. You want to make sure that only the appropriate people, the authorized individuals, are connecting. But the second thing is, when their shift is over, you know, maybe you need to kick those off because maybe you need that additional bandwidth to support the people who are on shift. So that’s one of the auditing pieces. On absenteeism, you know, think about your remote workers. Think about your remote workers that may also get sick.
So, what is your, you know, your “Plan B”, I should say, for higher absenteeism? You know, I would suggest that, you know, you’re probably going to be looking, or should be looking, more to contract staff, you know, putting organizations on retainer to be able to handle additional workload to respond to a cyber incident, and you’re going to want to do that now rather than later. Because, I mean, as John F. Kennedy said, “The time to repair the roof is when the sun is shining”, not when it’s raining.
Marti, any issues or any additional things that need to be addressed on that?
Well, this, I feel, is a little bit similar to when we do incident response exercises with clients. As you talk through things, more things come up that you hadn’t considered previously. And as you were talking, one of the things I thought about was the licensure, and if you have a set number of licenses for certain applications and it’s a business license. Oftentimes, that means that that license is only for devices that your company owns. And so, as you maybe move to your remote workforce for your response processes and you start to think, “oh, I’m going to put this application on my employee’s personally owned device because that’s what they’re using and that’s what they need”, you may not have licensure.
As you think about putting this on your employee’s device, you may not have a license to put it on that device. You may be limited in your agreement with that application vendor to only putting it on devices that your company owns. So, you might make a risk decision and say in the current environment, we’re going to take that chance and go ahead and put the application on that device. But then you need to think about once this crisis is over, once we have gotten past the incident response, or once we are back to quote normal operations, even after the COVID crisis, then that application needs to be removed from that device, because you don’t have a license to put it on that device.
So, there are many, many things to think about. That’s something to think about in a normal incident response, setting aside the COVID crisis, but particularly now when you might be putting applications on devices that your company doesn’t own that you wouldn’t otherwise be doing even as part of your routine incident response. So again, you know, we often talk about and work with clients in exercising their incident response plan. You’re going to have multiple things that come up as you do those exercises. So, as you think through these things, these are just things to put on your list as considerations.
And again, it’s a risk decision. You might decide we’re going to take the chance, we’re going to go ahead and put it on that personally owned device, even though our agreement doesn’t allow for that, we don’t have a license to put it on that kind of device. But like everything, as we talk through this, it is often a risk decision.
It’s just, again, something to think about, and that’s really what we’re trying to get across in this series of podcasts: some of the things you want to think about as you get through the COVID crisis that aren’t the kinds of things you would normally face in your incident response process.
And, we encourage you to listen to the other portions of our podcast series on incident response in a crisis.
Clyde, I don’t know if you have any closing comments, but I think again we’re just trying to do what we can to support our clients and others in helping you get through these troubled times.
Thank you very much, Marti. Yes, and my closing remarks for this podcast: I would like to remind everyone to go ahead and log on to the cynergistek.com website if you have additional information; there are blog posts that will contain this information and go into greater detail. Feel free to call or reach out to Marti or myself if you do have specific questions, and we would be happy to get you connected to the right folks who can help.
Alright, thank you very much, Clyde and Marti.