The Cerner Podcast is a five-question conversation with clients, partners and industry experts on the latest healthcare and technology topics. Recently, our CEO, Nolan Garrett, joined the podcast to discuss incident response planning for healthcare organizations. Incident response planning helps healthcare organizations prepare for security and compliance incidents, including external attacks. A well-maintained and properly executed plan can substantially reduce costs for an organization, but this requires considerable research, development and testing.
Cerner Host: Incident response planning helps healthcare organizations prepare for security and compliance incidents, including the occurrence of external attacks. A well-maintained and properly executed plan has the ability to provide enormous cost reduction for an organization, but this requires considerable research, development and testing. In this episode of the Cerner podcast, we’re joined by Nolan Garrett, previously the chief information security officer at Children’s Hospital Los Angeles. Founded in 1901, CHLA is the first and largest pediatric hospital in southern California, offering more than 350 pediatric specialty programs. Nolan, thank you so much for joining us today.
Nolan: Absolutely. Glad to be here.
Cerner Host: Let’s get started. First, I’d like to talk about the importance of incident response planning. In your view, how critical is this in relation to maintaining a state of security in a healthcare organization?
Nolan: I consider incident response planning to be basic security hygiene. It’s required by HIPAA to begin with, so you must do some form of incident response planning if you’re going to be HIPAA-compliant. We find that incidents occur basically every single day in any medium-sized organization, healthcare entity or larger. Being able to respond to events and have a proper process for how you’re going to handle that response, your communication with the media, your internal communications, can significantly reduce your costs while also expediting the amount of time it takes to actually get a breach resolved. Hopefully, that means fewer compromised records or a lower impact.
Cerner Host: Excellent. You mentioned properly executing incident responses. I’m wondering if you can talk a little bit more about that. It requires suitable testing. Can you discuss what that testing looks like, how effective it is in improving recovery times in the event that a breach does occur?
Nolan: Absolutely. Typically we start in an immature environment where we have just begun incident response planning. We’re going to start with just tabletop-style tests, meaning we’re going to sit down. Maybe we’ll leverage an external consultant, maybe we’ll just write potential incidents on our own.
We’re going to sit around with our team, our incident-response team and have a discussion of “If this incident occurs, what is our response going to be? How are we going to respond? Who’s in charge of those responses? What’s our expected SLA, service-level agreements, around how quickly we’ll respond?”
Once we get that under control and we start to understand what our team and our processes look like, we would then begin to escalate that. Typically in a health organization, you’re having incidents and sometimes potential breaches occur several times a year. Those are great opportunities to test your incident response plan and take the time to do your follow-up, your root cause analysis and feed continuous improvement back into that process.
If you’re lucky enough to not experience any incidents at all, I would suggest looking at what we call in the industry red and blue team testing, which basically means you hire an external attacker to try to test your protocols and you run real incident response processes on the inside and evaluate how well you did.
Cerner Host: Excellent. It sounds like it takes a special skill set to really belong on the cybersecurity team. I’m wondering if you can tell us about some of the advice you’d give to hospital leadership looking to employ standard processes, from developing, maintaining and testing an incident response plan and really what kind of team that they would require.
Nolan: Sure, absolutely. What I typically see is incident response plans are commonly championed by the chief information security officer. Due to that, they tend to also be very technical in terms of their focus. Incidents can occur in any number of ways. You could have a laptop stolen out of a car, not a very technical scenario at all. You can have people burning data to CDs and then walking away. You can have people plugging USB drives into computers. You can have people trying to sneak into your sensitive areas, that social engineering aspect. Your incident response team, as you build it, needs to be much broader than just focused on the technical. It’s very important that you gain executive leadership buy-in. I know that’s somewhat of a cliché. We say that all the time. Incidents, particularly when they turn into a breach or when you find that they are in fact a breach of sensitive data, executives get involved. The last thing you want in those scenarios is for you to end up with too many cooks in the kitchen, as I call it, especially considering they may not have the technical understanding of how to address the problem. When that occurs, in my experience, you end up with an organization that’s trying to respond to a breach but hamstrings itself in some ways because you have four or five people, maybe the CFO and the compliance officer and maybe the CEO and your CIO, all trying to do different things to respond to this but not necessarily in a coordinated effort. I would definitely say one of the key things is socializing your incident response plan and getting it formally approved with your leadership if you’re going to find it successful in the future.
Cerner Host: That sets us up really perfectly for the next question, which is around some of the technical tools that are necessary and skill sets required for responding to incidents. In your view, what are some of the biggest technical and organizational challenges that you can encounter when you’re preparing for data breaches? How do you solve for those?
Nolan: Sure. I actually see both the team and some of the cost of the tools being a major challenge to setting up an effective incident response team. In information security today, we’re basically at a zero percent unemployment rate. We’re expected to be negative, meaning many of us are going to be in consulting, working multiple jobs in the next few years. What that means is it’s very, very difficult for most organizations to have the people they need with the depth of expertise that’s needed. You may need people who are experts in servers and in endpoints and in applications, but you also have that physical security component, your compliance component, your PR. To be able to have all of those people on staff in a room just sitting around waiting for an incident is very, very expensive. I think that many organizations tend to assume, “Well, I have security people on staff. They’re security experts. They must also be able to do incident response.” While that may be true, they’re typically not sitting around waiting for an incident to occur and then going to have the availability to commit months to a particular response. My suggestion is, unless you’re a very, very large organization, I would focus on finding the appropriate external support through retainer or some kind of contract that you can reach out to in the event that an incident occurs. Allow those experts to come in and help you. I think what you’ll also find in that scenario is the experience that they have from dealing with incidents each and every day. They’ll be much faster at helping you identify and then mitigate whatever the source of that incident is.
Cerner Host: A lot of really solid points, Nolan. Finally, I’d like to talk a little bit about future state. What do the next five years in security and compliance look like? Maybe you can talk us through some of the innovative technologies that you see impacting security and incident response teams.
Nolan: Sure, absolutely. Some of the technologies are getting really, really interesting. There are some great tools around threat hunting, as we call it, meaning the ability to identify and link events that occur in your environment back to maybe a potential bad actor. There are some really cool technologies there. I think, as I look more at where healthcare and security are going in the next five years, we’re going to be dealing with IoT, obviously a marketing buzzword. We’re going to be dealing with a lot of endpoints that touch patient data. Biomed is definitely one of those, or clinical engineering, depending on what your organization calls it. We have devices connected to patients that previously we have considered to be secure but now are running Microsoft Windows and Linux and various operating systems that we know have potential vulnerabilities or will identify some in the future. The scope of what we have to protect is going to change substantially. I also think that as we see this decentralization that’s beginning to occur within healthcare, it means you’re going to have to figure out how to protect those devices when they’re not on your network, when you can’t just walk over to them and check them out. I don’t think we have the technologies yet to effectively do that. We’re getting there. There are some cool technologies on the horizon, but they’re not really implemented in production today. I think we’re still going to see how those pan out over the next couple of years.
Cerner Host: Excellent. Nolan, really great insights. Thank you so much for being here today.
Nolan: Absolutely. Thank you for having me.
For the full podcast: http://bit.ly/2LdEQem