Many healthcare entities do not have a plan in place to respond to and handle a cyber breach. There is a lot of confusing information going around – by people who may not be experts. A lot of questions come up right away for example, “What authorities need to be notified?” “How do we document the details of the event?” “What kind of legal counsel is needed?”
If you have cyber insurance, it may cover the monetary losses but does it also help with the critical management of all the moving parts after a breach occurs? Having a data breach coach could be the most valuable part of your cyber insurance coverage. One of Ultra’s previous blog posts outlined the common mistakes made after a breach — click here to read more.
To address the immediate needs and mitigate damages, an article posted on the IT Business Edge website outlined five critical steps to take after a breach. The article points out that we have long since passed an era when 100 percent prevention of security breaches was even remotely possible, especially when it only takes a single, seemingly harmless activity — such as an employee clicking a link, using an insecure Wi-Fi connection, or downloading a corrupted software update — to unleash a full-scale infection. This, however, doesn’t mean your enterprise is helpless and vulnerable. On the contrary, you can dramatically improve your ability to avoid disaster and mitigate damage if you take the right actions. Here are five critical steps to take after a breach:
#1 Identify the attack. It’s important to identify which system, services and devices have been compromised. For example, corporate email, online customer login pages, shared drives, etc. Ask yourself, who is the target within your organization? Does it stem from a host on your network, or is it coming from outside your perimeter?
Don’t forget to gather information about the command and control servers that were used in the attack, e.g., IP addresses, domain names, etc.
Determine the type of attack, is it a data stealer, DDoS, remote access, etc.?
Is it targeted specifically for your company? Your industry? At a product or service you use? What was/is the agenda of the attack – economic, social, political, etc.?
#2 Quarantine the damage. Prevent spreading the attack to others and causing further damage by isolating compromised endpoints and assets. You cannot take your network offline, because that would hurt business. Quarantine only the infected servers, computers and devices.
Tip: In quarantine, they can be examined, remedied and brought back online.
#3 Disinfect. Now that the infection has been quarantined, it’s time to get out your rubber gloves. Compare pre-infection and post-infection backups. Start with the most critical systems first. Remember that a network breach is considered a crime, so try not to destroy valuable evidence.
Tip: Make safe, stable copies of any illegal content and store on an isolated system, preventing accidental re-infection. Consult with your corporate legal counsel and ensure that you have the most up to date and accurate advice.
#4 Develop a communication plan. Legally, you may need to disclose the attack, if not publicly, then at least to those potentially affected, e.g., customers, partners or other stakeholders. Decide if sharing information at this point is a necessary public relations move. There are professionals who specialize in the field of network security breaches, e.g., PR communications professionals and lawyers.
#5 Re-secure the network. Before putting any server, computer or device back online, check, double-check and triple-check. All compromised or potentially compromised passwords should be changed.
Tip: New passwords should incorporate best practices for strength and security. Check for configuration errors, download and install the latest security patches. Update network hardware security settings. Don’t forget the human factor. Educate all employees on how to play an active role in maintaining network security.