As we explored in the article titled “The Importance of an Incident Response Plan”, one of the most cost- effective mitigation tools against cybersecurity breaches is the incident response (IR) plan. In addition to the IR plan, having a formal IR team periodically testing the developed IR plan was shown to boost this effectiveness, providing medical device manufacturers with solid footing for an effective response to an incident.
In this article, we will outline an incident response plan development methodology to provide a solid starting point for crafting a plan that fits your specific organizational need. With proper scoping, a well-developed incident response plan can start small and scale as required. So, no matter where you are in your risk mitigation journey, the important thing is to start. By taking a small first step, you will be on your way. “Well begun is half done”, according to Aristotle. Our mission is to help you begin well. Let’s get started.
Well, not all the same. Each organization should develop an IR plan that fits their needs and is based on the size and structure of their organization. An additional consideration is the resource availability to develop and maintain the plan. Given the evergreen nature of the IR plan, the initial development cost is only part of the overall resource budget required. In any case, all functional IR plans do share some common characteristics, and we’ll explore those next.
The IR team should include representatives of the various device security stakeholders in your organization. Depending on the size and structure of the organization, the composition of this team will vary. In large organizations, the team might consist of the following functions – Device Cybersecurity, IT Security, Legal, Corporate Communications, Customer Support, Compliance, Regulatory. In smaller organizations, there might only be a handful of resources available to respond to incidents. In either case, it has been shown conclusively that organizations with an IR team following an IR plan are the most efficient and effective in responding to security incidents. NOTE: if possible, identify backup individuals for key roles on the team.
Internal communication should be straightforward once the stakeholders are identified. This can be accomplished in a group setting, via email, individually or any combination. However, the plan should contain sufficient details regarding communication (who, what, how) so that it can be followed easily with little opportunity for error.
External communications are a little more convoluted. Understanding the rules, such as the HIPAA Breach Notification Rule, is not always straightforward. It is highly recommended that you review the applicable rules and integrate those requirements into your communication plan, ahead of an incident. Putting this formal procedure in place will save a tremendous amount of response time, in the event of an incident. A couple of recommended resources:
HIPAA Breach Notification Rule, 45 CFR 164.400-414, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
What are the HIPAA Breach Notification Requirements?, HIPAA Journal, https://www.hipaajournal.com/hipaa-breach-notification-requirements/
Does your organization actively monitor threats and vulnerabilities associated with your devices? Is your organization investigating methods for generating device software bills of materials or device SBOMs? By generating component lists for your devices, you will have the advantage of visibility when vulnerabilities are announced. Using the lists of components, you will be able to assess the impact of a vulnerability, in any given component, much more quickly. Automated generation and maintenance tools can be utilized here to provide that much needed visibility across multiple product lines and versions.
Do you subscribe to any vulnerability data feeds, such as those offered by National Institute of Standards and Technology (NIST)? They offer various feeds including JSON Vulnerability Feeds and Vulnerability Vendor Comments. Find out more by visiting – https://nvd.nist.gov/vuln/data-feeds
These are the processes and procedures that enable your organization to effectively recover from an incident. This requires the processes and technology to fully investigate incidents. Understanding of root cause is necessary so that mitigation techniques can be developed and applied to prevent similar future incidents. Surviving a security incident is not enough if your organization does not develop a risk infrastructure that prevents repeat exposure to the same vulnerability. Again, thorough understanding of the security incident and associated details is required for this analysis. For a bit more discussion of the eradication and recovery process, see the NIST Guide mentioned on page one of this document, which can be found at – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Objective measurements of the organization’s handling of a security incident should be developed and reviewed. The metrics should align with organizational objectives and goals, with respect to handling security incidents. There are various metrics that can be utilized, and here are a few examples:
Medical device manufacturers must have an IR plan in place in order to respond effectively to security incidents. There are specific components of an IR plan that facilitate the end goal of effective response, and the undertaking of developing these components is a worthy investment of resources. Organizations that respond effectively and efficiently to security incidents consistently earn praise from customers and regulators, in addition to fostering an internal, proactive culture.
CEO, Vigilant Ops
Former Head of Medical Device Cybersecurity, Bayer
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.