HSCC Published Operational Continuity-Cyber Incident Checklist

An Operational Continuity-Cyber Incident (OCCI) checklist published by the Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG)  works as a versatile template for dealing with serious cyberattacks that result in lengthy system breakdowns, like ransomware attacks.

Ransomware attacks on healthcare companies more than doubled throughout the pandemic and still continue to increase. Ransomware threat actors engage in the theft of sensitive information that has a great price on the black market, threaten to post that information to compel victims into paying the ransom, and the prolonged system outages because of the attacks can trigger significant financial deficits, escalating the possibility of paying the ransom. Alerts were lately given by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) regarding ransomware gangs that are actively attacking critical infrastructure, such as healthcare companies.

Besides cybercriminal groups, nation-state threat actors target hospitals. The Five Eyes cybersecurity agencies lately cautioned that threats of cyberattacks on critical infrastructure increased as retaliation by Russia against the U.S. for the sanctions enforced. There is additionally a danger that healthcare companies may become victims to cyber events that were directed at companies in Ukraine, as is the situation with the 2017 NotPetya wiper malware attacks. The progress and release of the list were hastened because of the growing geopolitical tensions coming from the conflict between Ukraine and Russia, and the growing threat to healthcare companies in the U.S.

Because of the great threat of attacks, healthcare companies must get ready for attacks and be sure that the company can still operate when it cannot quickly re-establish access to critical systems. With an incident response plan that could be promptly executed, the damage brought about and the effect on patients and healthcare services can be minimized.

The OCCI toolkit consists of a checklist of necessary steps to take in the first 12 hours following a security incident and describes actions and things to consider throughout cybersecurity occurrences. The checklist is divided into role-based segments that line up with the Incident Command System though could be polished or changed to complement the size, resources, difficulty, and abilities of various companies, including small doctor practices and big hospitals and health systems.

An incident commander must be designated to give a general strategic course on all response steps and activities, a medical-technical expert ought to notify the Incident Commander of concerns associated with the reaction, and a public information officer is needed to contact internal and external stakeholders, company staff, patients as well as their families, and the press. The checklist additionally offers a listing of actions that must be accomplished by the safety officer and section chiefs. With regard to smaller companies, those jobs may have been combined to match their company structures.

The checklist was made from the information given by top health industry cybersecurity and emergency management officers that take part in the HSCC Incident Response/Business Continuity (IRBC) Task Group.