hic-tcr tactical crisis responsePerfect timing rarely happens these days but we have been discussing updating incident response plans based on what we have learned in the last two months. In fact, we ended our last episode saying the response plan update is one of the most important things you should do. Like magic Erik Decker posts on LinkedIn this week that the HIC group has finished a new guide specifically about crisis response. You know what we are about to talk about today.

A 5 star review is all we ask from our listeners.
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy.

In this episode:

New Tactical Crisis Response Guide- Ep 257

The HIPAA Boot Camp

2020 COVID Session Dates

August 18, 19, 20

Online Version!!

For info go to TheHIPAABootCamp.com

Registration Form


Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

 If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Message from Ken Sims:

I shared your “5 Year Birthday” image on Facebook with the following comment:


This is one of the few podcasts that I’ve listened to every episode of. I didn’t get started at the beginning, but I went back and downloaded them all to get caught up. Thanks for the reference Matthew Christopher

PS: It claims to be about HIPAA, but it’s really about information security and common sense!


and I spelled HIPAA right!! But I’m still no relation to David!

Thanks, and Happy Birthday!

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Top 10 Routinely Exploited Vulnerabilities from OCR

On May 18, OCR published on their security listserv a reiteration of the alert published on May 12 from CISA.

Recently the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security (DHS) issued an alert identifying the top 10 cybersecurity vulnerabilities routinely exploited by foreign malicious actors. OCR is sharing this alert with our listserv to raise awareness of these vulnerabilities so organizations can take appropriate actions to reduce the potential risk of exploitation.

National Cyber Awareness System Alerts: Top 10 Routinely Exploited Vulnerabilitiespasted image 0 1

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.

This alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (CVEs) — to help organizations reduce the risk of these foreign threats.

Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.

For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see the each entry within the Mitigations section below.

CISA Alert AA20-133A

This document will make most people glaze over. It is essential that you make sure your IT team reviews this information and explains if you are protected from these vulnerabilities. Understanding the technical specifics isn’t necessary but making sure someone does and you have a firm response to your questions. Oh, and make sure you document where you stand and any plans to mitigate issues.

Since many of these are very old and OCR is sending it out to make people aware, I would listen carefully. Maybe it is just that but we always believe that something has happened when a thing like this comes out. It isn’t their normal cybersecurity newsletter stuff.

New Tactical Crisis Response Guide

Resources are released more frequently from organizations working to provide the tools, resources, and education for businesses to manage cybersecurity. In particular, the healthcare industry has seen a lot of helpful information and tools released like HICP, HIC-SCRiM and now whatever we end up calling this HIC-TCR (Hick-Ticker?). The information in this guide is certainly more timely than the others.

I am very excited about this guide and think it offers something that we have all needed for some time.  The fact that they managed to work on this during the crisis is especially remarkable. We owe them a great deal of thanks for their efforts.

pasted image 0

Health Industry Cybersecurity Tactical Crisis Response Guide (HIC-TCR)

In the introduction there is a clear statement of the reason you should use this new guide:

During a crisis, organizations need a tactical response for managing the cybersecurity threat that can occur. This document is constructed by industry and government experts to help guide through response activities. Smaller organizations can leverage this document as a list of activities to consider. Larger organizations can leverage this document as a sanity check for existing plans. In either case the level of risk and exposure to any organization is specific. The activities listed here are suggestions to help with a practical and tactical response and are not intended to account for any given organizational incident response plan.

Later they point out again the importance of healthcare organizations being prepared for a crisis.

Criminals love to take advantage of a crisis. During the COVID-19 crisis, threat actors leveraged the pandemic to deploy phishing, malware, remote access, teleworking and domain attacks. The efficacy of these attacks was bolstered by the rapid change the health industry made in order to care for sick patients, deploy remote diagnostic and therapeutic treatments and shift a large portion of its workforce to work from home.

While the COVID-19 pandemic has fundamentally changed the landscape, it is not unusual to make sudden and drastic changes to the technology platforms that support an organization’s crisis management activities. These changes can introduce new vulnerabilities and new attack vectors. Coupled with an increase in threat activity, organizations can be left with a perfect-storm style scenario that gives an advantage to the threat actors.

During a crisis, the importance of an organization’s cybersecurity posture is even more evident; for each gain delivered by automation, interoperability, and data analytics, the vulnerability from malicious cyber-attacks increases as well. To thwart these attacks before they occur, it is essential for health care organizations to establish, implement, and maintain current and effective cybersecurity practices.

pasted image 0 3

Response Guide Sections

The organization of the crisis response guide breaks the document into workable parts.  They do point out that these are suggestions again.  They also add a bit about self-assessment suggestions. It is essential that assessments are done to know what you should worry about and where you stand. There is no other way to build a game plan that works. It is like just grabbing random parts and building a car because you know you want to go for a ride.

While the guide points out that they do not intend the list to be “exhaustive” a replacement for your response plan. It should be considered whether you are building a plan or you have a mature one.  The important thing is to learn from what they created based on lessons learned from COVID-19.

The four focus areas of the guide include:

  1. Education and Outreach
  2. Enhance Prevention Techniques
  3. Enhance Detection and Response
  4. Take Care of the Team

Education and Outreach

Who would have thought it would start with education and outreach! We never talk about getting people involved and educated about cybersecurity around here – do we? I really liked this statement in the opening of the focus area discussion:

the value of effective organizational education and outreach as a force multiplier cannot be underestimated.

Communication Plans

The discussion covers communications requirements first. Yep, we talked about that one or ten times. It is very nice how they point out that there must be a plan that includes various methods and channels for communicating with different groups based on the needs of the audience.  The components they suggest the communication plan should include are:

  • Organizational Leadership Communication Plan
  • IT Leadership Communication Plan
  • Clinical Leadership Communication Plan
  • All Users Communication Plan
  • External Communication Plan

Policy & Procedure Review

At first, I was surprised to see this covered here but it does make sense when you look at the big picture.  The opening to this section says enough really:

Consider that exceptional circumstances might pressure existing policy structure. Though it is important for cybersecurity teams to be flexible with the organization they also, at a minimum, must track these exceptions during any crisis to guide the organization back to normalcy once the crisis is over and inform continuous improvement processes.

The suggestions cover about 10 areas including all the legal, compliance, IT teams working together so that policies and procedures can be amended and updated quickly, making sure you document everything that is changed, and many more.

The idea in both of these sections is to get the plans in place and make sure everyone knows what to do.

Enhance Prevention Techniques

This area covers different topics than you would initially expect. They acknowledge that we should already have certain prevent safeguards in place. The focus they suggest is on three specific practices:

  • Limit Potential Attack Surface
  • Bolster Remote Access
  • Leverage Threat Intelligence Feeds

The suggestions in this area to reduce the attack surface include specific vulnerability management elements that should be in place considering how we have to adapt during a crisis. With that in mind once a vulnerability is identified there must be a plan and methods for accelerated patching when these vulnerabilities may be used for attacks.  Those make a lot of sense. They pay specific attention to Medical Devices and IoT so that their vulnerabilities are not overlooked.

The final two points for reducing the attack surface relate to managing vendors and endpoints.  If you need to let in vendors to help manage devices or vulnerabilities how do you make sure you don’t leave that open except for the minimum time necessary to get the job done. Any opening that must be temporarily opened must be closed when the need is passed. Managing all the changes in endpoints is one we know well already.

Bolstering remote access is mostly relating to the different methods and authentication controls to consider. The final section on threat intelligence feeds includes some handy references. The importance of knowing what threats are coming at you and what new vulnerabilities have been uncovered by the criminals is essential to being able to respond to them in a timely manner.  This is a tool your tech team should be handling in some manner.

Enhance Detection & Response

Here is the section that most people consider the incident response requirements under cybersecurity. Clearly, the sections we just covered matter very much too. That is why you have to do more than just tech support plans for an incident. The bottom line is we must accept the fact that there will be an attack to deal with at some point. The saying was attributed to a criminal hacker that “you have to be right every time, I just have to be right once to get in”.

Just as the section on prevention above, many of the points made in this area are ones we have addressed many different times. Each organization should review these points and determine how they would be able to adapt during the crisis. We have said each week there is a great concern about what has been happening on all of these networks because of the hasty changes that were made.

If you ain’t looking, trouble is a cookin’!

Responding teams need to have tools and capabilities prior to the occurrence of an incident or at least the ability to gain those capabilities immediately on demand. The authority to direct the actions of others who may need to be involved is important for command of the crisis.

Take Care Of The Team

This final one is an area I never thought that much until I learned from experience. I have mentioned it many times that we must consider the impact any crisis has on the team. Not only are they expected to be part of the team managing the crisis within the business but they have personal responsibilities too. The stress that the situation creates can often result in mistakes and a level of burnout most can’t imagine unless they have been in the thick of it. Even when you have been there before  a time may come when you face something unprecedented like COVID-19.

This is a section that I encourage you to read and review closely. It may benefit you to share it with others in the organization that are outside the team to help them understand what to expect. These suggestions cover the importance of communication, assigning roles and responsibilities, monitoring employee well-being, adapting to remote work, and constant evaluation of the state of the workforce during the crisis. The importance of doing “an honest and pragmatic assessment” of the organization’s capabilities is essential.

The guide closes with a list of resources available to all organizations when planning their response and surviving the peak of a crisis.

My team will certainly be using this guide for our own planning, planning with our clients, and teaching others how to build plans. This guide may have been done in the peak of a crisis but I think many of us will find it exceptionally useful for years to come.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.