Last year, U.S. healthcare entities were hit on average with 1,410 cyberattacks each week, up 60 percent from the year before, according to Check Point Research. These incidents could be anything from a third-party vendor’s outage to a tornado to a data lockdown. According to Nick Cofield at Jackson Thornton Technologies, most healthcare practices tend to make one or more of five common mistakes in readying for potential cyberattacks.
The first mistake is that many practices don’t have a written, step-by-step response to use when IT fails. “When practices with a plan get hit, there’s a sense of urgency, but their response is structured and efficient,” Cofield says. “When they don’t have a plan, everyone runs around like their hair is on fire. And the practice and patients suffer for that. The HIPAA fine for willful neglect currently costs a practice $12,794 per incident.
“Some practices may have a written plan, but they have relied too heavily on a stock template for the plan. When they get into a significant incident, they find that the plan is not relevant to their practice. Either the incident is not covered in the template or the response may not relate to their equipment, their data handling setup, or their staffing.”
To offset those errors, Cofield recommends holding brainstorming sessions with your staff to think through scenarios that could affect your ability to see patients. Review the list of details required to restore your operations and how each function would be affected. For example, what are your plans if the building becomes inaccessible? Who can work from home? Can you provide virtual visits? Will you need a temporary office?
The second mistake concerns the data backup, since recovery depends on it. There is no magic wand to recover data if the backup is corrupted or inaccessible. To avoid that scenario, test access to the backups and the viability of the data at least annually, from outside the practice’s system. A test can reveal how long recovery actually takes, or turn up systems you’re not backing up at all.
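A restore drill of the kind described above can be scripted rather than eyeballed. This is an added example, not code from the article or from Jackson Thornton Technologies; the manifest format, file names and system names are assumptions. It checks restored files against the hashes recorded at backup time, times the check as a recovery-time data point, and lists inventoried systems that no backup job covers.

```python
"""Restore-drill check: verify restored files against a backup manifest, time the
check, and list inventoried systems that no backup job covers."""
import hashlib
import tempfile
import time
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_restore(manifest: dict, restore_root: Path) -> dict:
    """manifest maps a relative path to the SHA-256 recorded when it was backed up."""
    start = time.monotonic()
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restore_root / rel
        if not p.is_file():
            missing.append(rel)      # the restore produced no such file
        elif sha256_file(p) != expected:
            corrupt.append(rel)      # restored, but not what was backed up
    return {"missing": missing, "corrupt": corrupt,
            "seconds": time.monotonic() - start,   # recovery-time data point
            "ok": not missing and not corrupt}

def uncovered_systems(inventory: set, backed_up: set) -> set:
    """Systems on the practice's asset list that no backup job covers."""
    return inventory - backed_up

def run_drill() -> dict:
    """Constructed sample restore (assumed names): one intact file, one altered
    file, one never restored, plus an asset list with gaps in backup coverage."""
    root = Path(tempfile.mkdtemp())
    (root / "ehr").mkdir()
    (root / "ehr" / "schedule.csv").write_bytes(b"patient,time\n")
    (root / "ehr" / "notes.txt").write_bytes(b"altered after backup\n")
    manifest = {
        "ehr/schedule.csv": hashlib.sha256(b"patient,time\n").hexdigest(),
        "ehr/notes.txt": hashlib.sha256(b"original notes\n").hexdigest(),
        "ehr/images.db": hashlib.sha256(b"imaging archive").hexdigest(),
    }
    result = verify_restore(manifest, root)
    result["uncovered"] = uncovered_systems({"ehr", "billing", "phone-system"}, {"ehr"})
    return result
```

Running the drill on a real restore means pointing verify_restore at the manifest written by the backup job and at the directory the restore landed in, and keeping the asset list current so uncovered_systems reflects what the practice actually runs.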
The third common mistake is not ensuring that every staff member memorizes the steps they take for each type of IT incident. Even the best plan won’t work if staff is unaware of their responsibilities in these situations. “The receptionist may not know that she needs to contact the practice manager when she gets a suspicious email,” Cofield says. Hold a monthly, 15-minute meeting on what to do in a specific incident, such as a ransomware attack. Ask someone from each department what they would do.
The fourth error practices make is that many administrators and physicians mistake IT support for data forensics. “There’s a big difference between managing an IT system and managing a cyberattack,” Cofield says. “A well-meaning IT provider could make a mistake that exacerbates the situation. I remember an incident where the IT provider company paid the cyberattack ransom on behalf of their client, thinking it would go away and save the client any problems. But they were not authorized to do that, and there was no data forensics done, and it didn’t go away. IT needs to know the limits of their role. They are not the incident response mechanism.”
The last of the top common errors in planning is stagnation. The practice creates a plan, and then it gets left on the shelf. Even when your practice has a minor incident that you contain, you should evaluate what went well and what didn’t. Evaluation may uncover that everyone was quick to respond, but that someone didn’t identify the suspicious email quickly enough. Or a minor incident might reveal a limitation in insurance coverage that needs to be remedied. “Implement additional safeguards,” Cofield says. “Ask how the incident happened, how to prevent it, and if there’s anything to plan to put us in a better position for next time.
“Healthcare entities need to view their IT incident plan as a living document. It’s continuously evolving, because the threats change constantly.”