Incident response exercises and methodologies to guide best practices for incident response in healthcare institutions

Open Access article, Conference Proceedings
Authors: Kenta Nakayama, Kenji Watanabe

Abstract: In recent years, the threat of cyberattacks has been increasing annually, requiring organizations to prioritize security measures. This urgency is particularly acute in healthcare institutions, given their status as critical infrastructure and the risk that cyberattacks pose to human lives. However, limited IT investment in healthcare institutions has resulted in inadequate cybersecurity measures and underinvestment in IT infrastructure. Outdated and unsupported operating systems pose significant vulnerabilities, escalating the risk of security incidents. Despite the constraints imposed by limited IT investment, organizations must strive to develop the resilience that enables swift recovery in the event of a security incident, even while accepting a certain level of risk. Incident response exercises play a vital role in building this resilience.

Previous studies on incident response exercises have employed around 40 action cards to organize organizational processes during incidents. This approach aims to enhance organizational resilience by facilitating communication within the organization during exercises. However, the importance of communication, although acknowledged during the exercises, has not been fully incorporated into the exercise content, including the creation of incident response manuals for responders and third-party stakeholders. Moreover, few research papers discuss best practices for crafting incident response manuals. This paper discusses a framework for creating incident response manuals and a methodology for implementing an improvement cycle through incident response training. The incident response manual references NIST SP 800-61 and the U.S. military document "Cyber Incident Handling Program", while the incident response exercises draw on reported security incident cases to consolidate key points.

Additionally, for healthcare institutions, notable considerations for incident response manuals are explored in light of security incident reports from healthcare institutions over the past couple of years. Such infections can result in ransom demands, but there have also been cases of double extortion, in which the ransom demand is accompanied by a threat to leak the encrypted information. Management must decide whether to pay the ransom, weighing factors such as public relations and apologies to individuals whose personal information has been compromised and leaked. Also, since past incident reports indicate that Business Continuity Planning (BCP), normally used in the event of a natural disaster, was useful during an incident, the Incident Command System and the Regional BCP, which is designed to coordinate with other regional healthcare systems, should also be considered.

Furthermore, best practices for security incidents in healthcare institutions are organized using the format of the Resilience Matrix proposed in Horizon 2020. The Resilience Matrix categorizes guidelines for pre-incident preparation, incident awareness and response, and post-incident recovery, focusing on broader categories rather than individual roles or technologies. Here, the matrix is tailored to the specific roles of healthcare professionals to facilitate further discussion.

Keywords: Cyber-security, Non-technical countermeasures, BCP, Human-centric perspective

DOI: 10.54941/ahfe1004378
