A checklist to help healthcare organizations respond to a serious cyberattack

How should organizations in the healthcare sector respond to an outage caused by a serious cyberattack? The Healthcare and Public Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has released a tactical checklist aimed at helping operational staff and executive management of healthcare organizations execute response and recovery in the best possible way.

“[The Operational Continuity-Cyber Incident checklist] represents the best collective thinking of health sector cybersecurity and emergency management executives contributing to the HSCC Incident Response/Business Continuity Task Group,” the Council says.

The list of contributors includes CISOs, a director of cybersecurity operations and incident response, a cybersecurity program manager, and healthcare and business continuity management experts from several health care systems across the US.

About the checklist

The HSCC works with the Department of Health & Human Services (HHS) and the Food and Drug Administration (FDA) to identify and mitigate systemic threats to critical healthcare infrastructure – and this includes cyberattacks.

The checklist lists specific actions and activities individuals in various command positions at healthcare organizations should consider taking to respond to and recover from a cyberattack-related disruption/outage.

For example, there should be an “incident commander” who “provides overall strategic direction on all site-specific response actions and activities.”

Other individuals (or teams) in charge of coordinating response and recovery include:

  • Medical-technical specialist/team
  • Safety officer
  • Operations section chief
  • Planning section chief
  • Finance section chief
  • Logistic section chief
  • Public information officer
  • Liaison officer
  • Intelligence (IS/IT) section chief

That last role should be filled by an IS/IT professional, the checklist says, and they should “partner with cybersecurity to inform incident response decisions and activities,” as well as coordinate intelligence and investigation efforts.

A pressing need

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to implement a cyber incident response plan. Unfortunately, many medical practices still don’t have one.

The newly released checklist has been developed and released quickly due to the Ukraine-Russia conflict, as it is expected that more attacks leading to disruptions at healthcare delivery organizations in the US might be in the offing.

In the meantime, healthcare organizations are bearing the brunt of so many ransomware attacks these days, and this checklist should help them create and execute a cyber incident response plan when the need arises.
