People Get Ready, Cyber Incidents are Coming

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:16] Hello and welcome to CyberPHIx, the audio resource for information security, privacy and compliance for the health care industry. I'm your host, Brian Selfridge. Each episode, we'll be bringing you pertinent information from thought leaders and health care information security and privacy. This episode, we'll be speaking to Nadia Fahim-Koster, who is a partner in Meditology Services IT Risk Management Practice and spearheads the firm's privacy and security programs and teams. I will be speaking with Nadia today about incident response, planning and execution for health care entities specifically. So let's dive right into it.

Brian Selfridge: [00:00:53] Hi, this is Brian Selfridge, host of the CyberPHIx, a leading podcast for information security, privacy, specifically for the health care industry. I would like to welcome my guest, Nadia Fahim-Koster. Nadia is a partner and owner of Meditology Services, who I'm hoping you are familiar with at this point, given the Meditology operates and delivers this podcast. She is an industry thought leader and expert in managing health care, privacy and security programs. She draws upon more than 20 years of operational experience as a former CISO and information privacy officer with two large regional hospital physician networks in the Atlanta market. She is a partner in Meditology Services IT Risk Management Practice and spearheads the firm's privacy and security programs and teams. She is a sought after consultant and presenter on privacy, security and compliance programs, including addressing all requirements for HIPAA, HITECH, GDPR, and more. I'm excited to speak to Nadia today about incident response, planning and testing for health care entities. We're going to talk about incident response, leading practices and pitfalls and response simulations, tabletop exercises, changes to incident response approaches during covid-19. We'll talk a little bit about ransomware and much more so. Nadia, welcome to the CyberPHIx and thanks so much for taking the time to be here with us today.

Nadia Fahim-Koster: [00:02:03] Thank you, Brian, for having me. I am excited to be here with you today. You promised this was going to be a low pressure type interview. So I'm excited to be here. I'm really excited about the topic, too. That's one of my favorite engagements to lead, so I can't wait.

Brian Selfridge: [00:02:18] That's great. That's my usual trick, is to claim you're going to get softball questions and then and then throw the curveballs at you right away. So get ready. All right. So we're going to talk about incident response planning and especially tabletop exercises, which I mentioned in the intro, just to level set with the audience. Just very briefly, could you explain what is a tabletop exercise and what does that term really involve?

Nadia Fahim-Koster: [00:02:39] So tabletop exercise really is the the most effective way for an organization to test its incident response capabilities; probably at the cheapest way possible. Right. And the less traumatic for the team because it does not involve working on live productive systems.

Nadia Fahim-Koster: [00:03:01] It's a discussion based exercise. And during this exercise, you would talk about the roles that each team member in the Security Information Response Team will have during an incident. And they respond to a particular scenario or situation right then. And there doesn't involve deploying any equipment or any other resources than just the participants. The incident response plan, if they have one, and just talking through these exercises.

Brian Selfridge: [00:03:34] So we have a lot of different threats to anticipate in the health care ecosystem. It seems like every day we're getting hit with ransomware and hackers and employees that make mistakes and release data in unplanned ways so that the incidents are many and common when you get to a tabletop exercise.

Brian Selfridge: [00:03:55] What are some of the scenarios that are typically used for those exercise? Well, how do you hone in on choosing a scenario that's going to have the most impact in that type of situation that you just mentioned?

Nadia Fahim-Koster: [00:04:05] Sure. So let's start talking maybe on the on the type of cyber events that really would warrant an organization to test their response with. And typically it's it's around ransomware events. Right. It's it's really the big topic. It's been at the forefront of CISOs for the last few years. And it's you know, it's really not slowing.

Nadia Fahim-Koster: [00:04:29] If anything, it's gaining steam, especially in the Covid situation right now. We'll talk about it a little bit. But generally, once you know the area that you really want to explore. So, a ransomware event, for instance, then the beauty of an incident response tabletop exercise is you can build that scenario to scale up as much as you want it to scale up or just stay very narrow and focused. And so the greatest majority of the clients that I've worked with, they like the idea of starting a scenario that starts small. Something happens on day one and they think, OK, we nailed it. We know what happened. We got this under control. And then I start adding a second phase to the same day or adding something more complex on day three. And then it builds up; the terror organizations shutting down and how do they respond. And so the trick, I think, of having a very successful exercise is being able to design an incident that explores the different capabilities of every single member of the incident response team to make sure they know how to respond. But more important, when you start getting outside of the IT world and start getting into the business world, I think there's an even bigger value because information technology these days, it's not this big black box. It's very much part of the business operations of an organization, and at some point that incident is going to bleed into the rest of the business and big decisions may have to be made like, do we send our patients? Do we divert them to another organization? Do we shut down some services? Do we shut down a website? Just very, very big decisions that at some point may need to be made by the board of directors. And I think the better prepared organization is doing a tabletop, the better they will be in real time.

Nadia Fahim-Koster: [00:06:25] But I think designing a nice tabletop exercise I think is at the core of it.

Brian Selfridge: [00:06:30] Now, in a real world incident, you would have a lot of people involved from the beginning of the incident till till the end, where you get sort of board level decisions happening. What's the ideal makeup and stakeholder participant type of mix for for a tabletop? Is it you have all your tactical, you know, incident responders, the folks there at the table. Do you have the board? You have the CEO somewhere in between. How do you how do you do that without having too many people, you know, at the table?

Nadia Fahim-Koster: [00:06:59] So before I answer this question, I have to give you a little anecdote, because I don't think I'll ever forget this. You know, you're a former CISO, Brian, too. And I'm sure you've dealt with, you know, incident response live. Right.

Nadia Fahim-Koster: [00:07:11] And so here I am at one of my former jobs as a CISO and the data breach notification rule had just gone into effect. So everybody's on high alert. And I'm just very proud of my little self at a time ahead of what I thought was a sort of incident response plan. We had never walk through it, mind you. But I had one and I felt prepared. Now, luckily, I had read that plan multiple times. Part of it, I wrote it with a team, so I was fairly familiar with it. And sure, I could just whip it up and go from start to finish. So we have an incident that involved possible disappearance of some backup tapes in one of the the ambulatory centers, one of the big ambulatory centers that happened to me to be in the same building as an executive. And so we get wind of the situation. We started early preliminary investigation. I get a call from one of the executives and I'm told, well, he's walking up and down the building, looking through closets, opening every drawer he can. He's personally going to look for those tapes and right then and there, that whole neat little process ahead, structured to respond to a tabletop exercise, just got completely hijacked. And now I'm having to pull somebody back in that I had no idea it was going to be involved because they were not really part of that sort of scene to begin with.

Nadia Fahim-Koster: [00:08:33] And so that got me thinking maybe we do need to start thinking of how to involve the business. But to answer your question here, there are different ways of conducting the tabletop. You can you can start with just the IT department and information security. And that really is a much more tactical operational level. You have an incident command team members tactically walk through it because when there's an incident, they have to be able to respond to it. They have to be able to mitigate it. There are a lot of technical components to responding to an incident that cannot be ignored. So that's phase one. The second component of an incident response is learning what the capabilities are for when that smaller team, the SWAT team, needs to escalate now to the management of the organization or the executive team. And so it's always a good thing to be able to explore how that handoff happens between that sort team and then the management team. But because not every incident would warrant you reaching out to the management team, more importantly, not every incident, we weren't reaching out to the top executive team and the board of directors. So exploring those capabilities separately is a good thing. When you have a smaller organization, sometimes you're able to combine the middle tier and the high tier higher tier in one incident response.

Nadia Fahim-Koster: [00:09:58] But unfortunately, we find it's not always possible. The executive team time is very restricted. So we're lucky if we can have an hour of their time to kind of really run through it. And there are ways to be able to effectively run an instant response table top with that team without sucking up four or five hours of their time.

Brian Selfridge: [00:10:17] Over the years, I've heard health care security leaders say things like: "I have incidents every day. I don't need to run a tabletop simulation. We simulated it. We go through it." But how do you how do you respond to that? Why would organizations choose to run simulation? What value is gained beyond living through all these real-world day to day incidents?

Nadia Fahim-Koster: [00:10:37] It's an interesting thing to say we will run through incidents every day. You're always going to have that one incident that is so complex in nature. And actually one of the ones who design it, it starts with the IT department.

Nadia Fahim-Koster: [00:10:53] With a laptop of one person and next thing you know, medical devices are shutting down on patient floors, and so once you go through something that traumatic and, unless you really kind of walk through it, before it happens, it would be very difficult to keep all hands on deck and flow through it logically. But even in scenarios where I've done this with organizations and it's always fascinating to me where at face value they don't seem to have a robust response plan. And you're going there's no way they were able to respond to this with what they have here documented on paper. It's almost a lot of institutional knowledge they bring to the table. But then the one question you ask them is if your CISO were to drop out tomorrow with your team and they turnover, can a new team come in and take over where you left off without a solid plan? And answer was always no. And so that's kind of a wake up call. But there are always some areas that may not have been explored thoroughly, like cyber security, cyber liability insurance. Are they really covered as they cover everything that they need? This issue with the version of whatever we get to that decision point organizations are really not sure how to do it. Some of them have never done it. And it becomes a huge question. Well, jeez, what do we do? What should we do? How do we do it? And they realize we need to augment the plan, some other organization, when it's time to notify the authorities, the FBI, this huge reluctance to go there. And and then I guess with the executive team and they're more than OK going going there. So sometimes there are disconnects even in between two different entities with within the same organization. I think it's very important to be able to have these discussions beforehand and make sure that all the hands of head of points are appropriately kind of addressed.

Brian Selfridge: [00:12:50] It's funny you mention that real world example. I remember I was I was about six months into my first job and saying the same thing. I thought I had this handled. I got a pretty good idea of instant response. And then we had a computer worm take over over half the network between 2:00 and 3:00 in the morning for a zero day attack. No fix, no patch. And the rule book just went out the window; we learned a lot and we got a lot better at the response. But until you get one of those big, big incidents, it's hard to understand. We were just whacking down the models of little email incidents and, you know, a little malware things.

Brian Selfridge: [00:13:25] It's just way much different when it gets larger scale. So what are some of the more common organizational risks that you see as you do these these tabletops and you start surfacing challenges or gaps in the process or lack of information? What are some of the the risks that you've seen cropping up as you do this, that maybe if you didn't do the exercise would not have surfaced until the real incident?

Nadia Fahim-Koster: [00:13:49] Documentation seems to always be an issue. It's back to this institutional knowledge because what we tried to do when we do this instant response tabletops, we'd like to have a copy of the response plan that your organization have has.

Nadia Fahim-Koster: [00:14:05] And I find myself oftentimes going back to your organization saying, OK, this is what you sent me. Is there something else? I'm sure there's nothing else that goes along with just this piece. Then they'll send you something else. And then I put my report together saying plan is insufficient, doesn't cover all that, you know, and then they'll send me more stuff. And next thing you know, I may have ten, 15 documents that I'll point to certain pieces and functions of disaster response plan. But there's not one cohesive, coherent kind of program or document that pulls it all together and makes it difficult if there's a changeover within the organization, especially at the management level or the leadership of the user response plan, the new person, it will take a long time for that new person to really figure out what's going on and how to run it.

Nadia Fahim-Koster: [00:14:53] We're also finding out that there are some gaps when it comes to involving third party members. Maybe let's try to figure out on our own and then that piece gets forgotten. Also not having the appropriate players at the table. So, for instance, many times I'm hearing, well, no, we don't involve the privacy office or compliance office right away until we're 100 percent sure this is from the security team.

Nadia Fahim-Koster: [00:15:21] And it may be a server admin or network engineer. And, you know, with all due respect, they know how to do their job very, very well. But there absolutely is a compliance perspective that needs to be brought on very early on because and that working within the security team may not always discern that. OK, so we had ransomware events. We definitely know that there was no exfiltration, for example, but our systems were down for a good eighteen hours, but no big deal because we covered everything, well, not so fast. Privacy still needs to look at it because OCR says that, you know, when you have an issue with availability and possibly integrity of the data, that could still be a breach notification event. So it's no longer just confidentiality with respect to ransomware. And so that's why it's very important that, again, having a thorough plan that's been tested, you get to realize which members of the organization should have been at the table that, you know, in their clinical services sometimes get forgotten, clinical engineering get forgotten, forgotten. And so those are some of the gotchas.

Brian Selfridge: [00:16:33] I think you mentioned the third parties in particular. And that dependency, I mean, it seems like there's this major tectonic shift going on where it's not just I.T. systems reporting the cloud anymore. It's like big electronic health records, clinical and billing.

Brian Selfridge: [00:16:48] All the core business systems are all now reliant on third parties. And those third parties have fourth parties and fifth parties. How do you recommend organizations start to get prepared for having to loop in those third parties during a real incidence? And what can organizations do now to to sort of tighten up that communication process for that preparation anyway?

Nadia Fahim-Koster: [00:17:11] Yeah, and it's it is becoming like just in the last two years, that whole environment has become even more complex. Right. And so I've had some organizations where they actually had their I.T. vendors on the phone doing that. They you know, they had their top brass company on the phone. They also had the SOC vendor on the phone as we were stepping through it.

Nadia Fahim-Koster: [00:17:39] And it was actually very cool to see that organization kind of really had it together where, as soon as we started on the first slide and this is what happened, they they quickly talked through: we would do one, two, three, but then we would go ahead and call the vendor. And so the vendor that will be on the line saying this is what we will be doing. This is information we would be providing to organization. And they kind of all jumped in and answered those questions. And that worked well, because then you really got the sense that, yes, they are prepared, they know how to handle things back and forth between them and the vendor. We've had another organization where they brought in the cybersecurity, the cyber liability vendor to the table.

Nadia Fahim-Koster: [00:18:23] And we actually all learned a ton from the vendor and the capabilities that they have and what they can offer up to organizations, something that the organization wasn't quite aware of. At the end of the day, they knew they had coverage, but they didn't quite understand the extent of that coverage. And so testing that was good. But perhaps,  one of the bigger pieces that's still missing is when you have a third party vendor that handles either system or your PACS system or your lab system, some some big components of your ability to deliver care.

Nadia Fahim-Koster: [00:19:00] And what happens when that system goes down at the vendor site and when they notify you? Do you do you have plans on how to recover and how to keep performing and taking care of your patients with that that component? Has that ever been tested? And so those are other scenarios to consider when running through these exercises.

Brian Selfridge: [00:19:21] So how cooperative and responsive have third party vendors been from your experience, either real world incidents or the tabletops? Are they are they showed up there at your side working through it or if the breach is related to them? I know sometimes. What was that Nuance that a big breach as a couple of the third parties transcription company and and then all of a sudden everybody wanted to flood that vendor with what's happening, what's going on and communicate with us. And I think there was sort of a denial service kind of thing going there. But how is that how responsive and willing to cooperate? Are they or do they do they push back and say, oh, you don't you don't have the right customer support levels for us to know to be involved in helping you through an incident?

Nadia Fahim-Koster: [00:20:00] I think there's there's a little bit of a gap right now. And it's lacking in the Nuance example. I think where things got even a little bit worse is I don't think your organization was as proactive as it could have been with communicating with their clients. Right. And so I think eventually they start having more proactive communications. But, you know, the way I look at it as an organization, you simply cannot just rely on a contract you have with a vendor and rest easy.

Nadia Fahim-Koster: [00:20:29] Like just for example, all organizations have business associate agreements in place and saying, well, I have a B.A. and it is signed. So security's their bailiwick. I don't have to worry about it. That's simply not true. It's the same when it comes to incident responses. You know, you're relying on the third party to provide a huge portion of your services. You better test that with them. That's also the opportunity while you're testing. For them to make sure that whatever contractual documentation you have in place is reviewed, what level of service that they have, they can provide you with, because if in case of an incident, you know, you're going to know, well, now that I'm testing with them, they tell me it's not the right level of service. Maybe I need to upgrade to that next level of service. And again, I think those are ones that should be able to get planned out. But again, Brian, as you know, you can't always anticipate every single issue that's going to happen.

Nadia Fahim-Koster: [00:21:22] But the more you do it, the more you anticipate, I think the better off you are. And you I have another anecdote back again to my former life as a CISO. I had a breach and I thought I was golden. I'm just going to call my cyber liability company at the time and turn it over to them and tell them, you know, OK, here's here's the problem. And I need to call that forensics company. That's part of a contract with you guys. Sure. We're here to help you. And it was right before Thanksgiving. But you guys don't have an actual contract with that forensics firm being what? Wait a minute. I have a contract with you. My cybersecurity security cyber liability vendor. You never mentioned during the contract negotiation that I had to have a separate contract in place with every sub vendor you put down on the contracts.

Nadia Fahim-Koster: [00:22:14] And the answer was no. Yeah, you do. So here I am negotiating with that subcontractor in the middle of the 60 day threshold with Thanksgiving and Christmas in the mix. It was it was quite fun.

Brian Selfridge: [00:22:30] Well, speaking of things that you can't anticipate, let's talk about the year 2020. How has the introduction of Covid to the health care ecosystem, to the remote work environment executives or home I.T. people or home? How is that changed? Health care, incident response processes or thought processes, do they largely still work or are there tweaks and tunes that need to be made just to reflect the new the new World Order?

Nadia Fahim-Koster: [00:22:58] You know, I think there are tweaks that need to be made. And we've been in this pandemic. I hate to put it this way. It seems to me like we've been doing this for the last 20 years now, and it's already been six months. I think we're five months to this country. And so we we have not done a too many of these tabletop exercise during the pandemic yet. But I can speak a little bit from some that we've done recently where adding kind of that remote worker factor in the table top was was quite interesting. And it brought to light a few other issues. Right. So if you don't have a very good handle on how to contact your workforce when they're working remotely, it's one thing if you're missing one or two people, but when you have a third or half of your organization or in some cases the entire organization at home and you don't know how to reach them, you know, off network mechanism, then you could be in a heap of trouble. Because now, you know, if your Internet is down or if their laptops are locked down, they don't have a mechanism to to work. They don't necessarily know who to call because they never had to call the helpdesk from their home because they're always in the office. Those are some issues that need to be considered. I can tell you, it's it was pretty wild conducting a tabletop exercise, water, remote. It worked well, but it kind of added a different layer of complexity there. But it was fun.

Brian Selfridge: [00:24:26] I had an opportunity to join a couple of those that you're mentioning as well. I found it fascinating that you get the executive leadership team together. And now that you have the ability to have a video as well as a chat function on some of these video conferencing. And you can get a lot of dialogue and incident response communication going on at the front of the front of the house and on the video. And then you've got this whole sub chatter going on underneath where you really starting to figure out things. I thought that was really a neat way of in a virtual environment where you had to get the the incident command team together to have something like that, where you're able to have the same conversations that you need to think pretty cool.

Nadia Fahim-Koster: [00:25:02] And and I think one one layer of complexity when you're dealing in these cases, the remote workers. But you can't dissociate that from the fact that it says there is a pandemic going on right now. And a lot of organizations are very vulnerable to phishing attempts and ransomware attacks and all that. And in this particular scenario, we had the organization had to make the decision to divert patients. And I suspected that was a real life scenario that probably would have had to do that. And my mind can't help but go towards some of the areas right now in the country who are really struggling with bed space and ICU space and all that. How do you start diverting patients to hospitals that are already overwhelmed with Covid patients? And so it's truly a nightmare. I would never want to have to deal with in a real life scenario, but. Quite frankly, it is a scenario that absolutely should be considered by every health care organization out there right now.

Brian Selfridge: [00:26:00] You mentioned documentation earlier as being one of the bigger gaps for programs. When you look at the incident response plans and procedures and supporting documentation out there, what what are some of the characteristics of some of the better documented incident response programs that you've seen? What do they look like and what are some things that they have in place and are able to pull up and are most useful for them in the real world situations?

Nadia Fahim-Koster: [00:26:24] The ones that are really, really, really good tend to be the ones that they have everything in.

Nadia Fahim-Koster: [00:26:32] It's a one stop shop, right? And even if it's by means of links that you can click in that document, that opens something else up. But essentially, I don't have to go through, you know, 10 different software applications, whatever. I don't have to have to go through a of stack desk app. I don't have to go through SharePoint. I don't have to go here. It's all in one major plan. These documents also tend to outline very crystal and played the roles and responsibilities of different teams within the organization. And the linkage between those teams is very clear. And you know exactly who's doing what, why they have these different teams and who's the liaison between those teams. I've seen some where they even have what they call job aides. And it's really more of the specifics, almost like playbooks run books. How do we handle it? Ransomware incident, how do we handle a phishing attack? How do we handle different things? And at least it gives kind of a step by step or least an idea of pick it up and be able to to kind of run through it and are planning everything from communication with with the media, with the law enforcement, with the public, just everything. In one place. However, I have to say is I've also I've seen some really, really nice documents, but a tabletop exercise in some cases would not go very well. And that's when you realize they have a beautiful plan that was really never tested. The good news, it was tested that day. In some cases. You were tested multiple times after that. And every time it got better and better and better, organization was good practice, they started getting it. I've seen also some very poorly constructed incident response plans, but somehow the team would really pull it off and do a really nice job through the tabletop exercise. So they can be sometimes a disconnect between a document and how it's run. But I'm still going to stick to you really should have a good, solid documentation, at least as the starting point.

Brian Selfridge: [00:28:40] So we identified the good plans and we identified there are some bad plans out there not to pick on them. But what are some characteristics of the bad plans? What do they look like? Are they they're one page and you know, what is what are some aspects? So folks can go and look at their own plan and figure out what kind of the spectrum they're on.

Nadia Fahim-Koster: [00:28:59] So small organizations and usually those are the ones that tend to have small security teams and small funding. Unfortunately, sometimes with small organizations tend to have heaps and heaps of heaps of systems, for example. So if they were to get hit by ransomware now, they may not be diverting patients, but they may have to notify a heck of a lot of people. So the smaller organizations tend to have to point the one or two pager incident response plan, which really reads more like a policy and policies that you shall have an incident response plan and you have a in here, the people that's that's about as basic as I've seen. I've seen some where there is a lot more meat to the bone, so to speak, with a security incident response policy.

Nadia Fahim-Koster: [00:29:47] There's a sort of incident response procedure. But even by putting them two together side by side going, OK, so now what? What happens next? Who handles communication? How often is the plan tested? How fast do you respond? You have your criticality identify, you know, between the different thresholds. So those are kind of the different categories of bad. These are response plans.

Brian Selfridge: [00:30:15] I watched this thing recently where there was an astronaut talking about how do they deal with incident response and unplanned situations. She's like, well, we we plan for everything and we test it and we simulate it over and over and over again. It's like so a lot of the things that we run into in space are things that, yes, we have uncertainty, but we've we've thought about every possible permutation and we've trained for it. I think that's a discipline that we not that we have to be NASA quite have the budgets for that, but sort of get real realized that the best way to deal with a difficult situation is just to prep and test and get some cycles through it.

Nadia Fahim-Koster: [00:30:51] It is. And I think. What was been really and that's part of why I really love these these type of engagements, there are a lot of fun and I always tell my audience my requirements. And if I could have a requirement of the client who engaged me, of course, as you guys have got to have a great sense of humor to go through this. Right. And I think you really get through it when you can really take a hard look at yourselves, look at your plan and acknowledge where you have gaps and where things need to be shored up because you're better dealing with it here, disabled and doing a real life event.

Nadia Fahim-Koster: [00:31:21] But it's it's kind of been nice every time we're done where we hear the one thing we always hear is, oh, my gosh, this was this this scenario was too real, which is great. I don't think there's a compliment in the story of that. They really felt they could really go through this. This could really happen to them.

Brian Selfridge: [00:31:40] I want to pick back up on a comment you made about the cyber liability providers are bringing in the forensics firms and bringing in the FBI and and all these sort of external third parties who are some of the must have relationships that you have. You should have lined up before even the table tops before the incidents, not just from a contractual standpoint, but having knowing who to reach out to.

Brian Selfridge: [00:32:01] And what are some of those entities that you recommend organizations get up front and building relationships and contracts and everything else for sure.

Nadia Fahim-Koster: [00:32:08] So starting at a very high level, definitely your cyber liability insurance vendor, provided you have one. I think at this point I'm making the assumption that if you're in the business of health care, at least you would have a cyber liability insurance vendor. So having a relationship with them and actually having different meetings with them and ones we talked already understanding how they would support you during the incident and what are the different services that they have because they also have different plans. And whether you need to have subcontracts with those providers, the FBI or whatever state by you're in luck, GBI and the state of Georgia, that I mean, having a good relationship with them is a good thing, because oftentimes when you're going through a ransomware event and you talk to them, you'll find that this is something that they've seen already happened at other organizations. And it can definitely provide feedback and input, especially if you get to the point where you need to start negotiating with the people holding your information. And so it's it's again, it's a great relationship to have having named relationship with those people as much as you can is is key and understanding within your own organization. Who's that person is going to be liaising with that third party individual? Those those are huge ones, definitely understanding within your organization who is in charge of media relations. Again, those rules tend to be really, really well defined, Brian, with health care providers, the big systems, but also the payers, it becomes less the less defined with the very small business associates, for example, where you tend to have one person that would wear all those different hats or an incident. And so it may be good for them to educate themselves, you know, when they have a solid plan being able to go, you know.

Nadia Fahim-Koster: [00:34:06] So if I'm if I'm covering communication, I'm covering this. I'm covering that. Do I know what I'm doing when I'm going live? And this is what having that playbook or the step by step becomes even more important, because if you get thrown in front of the media, you better be prepared. And maybe this is where you decide to have a PR firm. I'll stand by or legal firm on stand by somebody to work with. So those are things to me, the most obvious places that you want to have relationships. Some of the other less obvious, again, will be for maybe less sophisticated organizations that may not have very robust security programs. But often times you may need to do some forensics in your systems to figure out what may have been disclosed or accessed from the outside world. And I know some of the organizations I've worked for, we had very competent people, but we didn't allow anybody to perform any forensics or systems. We were going to bring in the professionals, but they're very, very expensive. But you really have to have somebody lined up. And I found that to be great because once after that one event where I realized I didn't really have a forensics firm, I end up calling one of the big fours that we happen to have had a contract with to come help us.

Nadia Fahim-Koster: [00:35:17] They kind of became my go to person just because I had that relationship and I had that comfort level. But it's very important to understand who's going to be handling some of your most technical pieces of an investigation that you may not have the capability to do in-house.

Brian Selfridge: [00:35:32] When is the right time to engage, particularly the FBI and the State Bureau of Investigation is what's the escalation path look like? They're like, do you go to the state first and then see what happens and then go the FBI? Like, when is that inflection point? I know they can't answer for every situation, but in general, is it earlier in the process when you're discovering the situation? Or is it later when you really have to make big decisions, like do we pay the rent somewhere or not?

Nadia Fahim-Koster: [00:35:57] That's a good question. And I don't know that I have the expert answer, because every organization is going to be different in some organizations like to involve their legal teams very early on. And I've seen blood on that table with between the conversations of legal risk management and then what are called the most pragmatic people on the team not to take on risk management and legal.

Nadia Fahim-Koster: [00:36:25] They're doing their job right. That's what they have to be at the table. So legal is going to be will, you know, are we planning on paying the ransom? And if the answer is no, then why are we going to call the law enforcement? Shouldn't we wait a little bit longer? The risk management would go, well, maybe we should stop talking to them and understanding what our options are in case we have, you know, why wait? And so you kind of keep hearing those conversations and that's part of what ends up starting the issue during a real life incident. And you better be prepared beforehand. But generally, again, you know, if it were up to me as a former CISO, I don't know that I would necessarily involve them right from as soon as I know there is some more incident, I kind of would want to give it just a little bit for me to have all the data points.

Nadia Fahim-Koster: [00:37:09] And if I realize, you know, this is not something we're going to be able to stop at this point, it's this this issue is locking up my systems. It's starting to impact a business. It's time to pack patience once, once I know it's going to start impacting patients. And now I have patients lives at stake. Definitely. That is that should be the catalyst for let's let's talk to the FBI. I think I would start with state and then get guidance from them to go above if needed. And they do provide that guidance. So there's kind of a I hate to say this is a bit of a gray area.

Brian Selfridge: [00:37:48] So we've talked about sort of the overall plan. And I have to imagine that there are certain incidents like ransomware where we picked on that a lot today, will pick on it somewhere where you really need a playbook that's specific to that type of incident, whether it's ransomware or malware versus a hacker or motivated third party, persistent threat might be a little bit of a different playbook. What are some of the types of incident or incident types that you think organization really have a specific playbook for this type of incident? And is that just a handful of incidents or is it like do you really need one for every kind of foreseeable thing that's going to hit your radar?

Nadia Fahim-Koster: [00:38:30] There was some organizations that, you know, specially back in the day, they had different playbooks for, you know, a bad actor within the organization since, you know, a whole bunch of files to the outside world, maybe they're selling data. How do you handle it to there's kind of a virus spreading. That's not not necessarily why somewhere just a virus instance and how how do you handle it? So to me, you kind of want to have a playbook for anything that's going to spread like wildfire, because to me, those are the more complex, because generally anything that spreads like that.

Nadia Fahim-Koster: [00:39:10] So if it's ransomware, then you have the added headache of having to figure out that whole breach notification piece. Right. And then if it's just a virus spreading while then shutting down your systems, you have some of the commonalities there. How do you keep the business functioning? You maintain you have that whole integrity and availability of data that needs to be discussed. But I think more and more organization need to start paying attention to what happens to the medical devices world. Right. That's still a very I don't want to say and regulated. It is regulated, but it's just it's almost it's it's still the Wild West for a lot of organizations. Right.

Nadia Fahim-Koster: [00:39:54] They don't have their arms around that world. They're starting to. But it's it's still a huge vulnerability point for them. And unfortunately, you have some of those medical devices that are really directly touching a patient life at the other end of it. And I'm not convinced that organizations really have a thorough response plans when it comes to those type of devices.

Brian Selfridge: [00:40:20] So the last thing I want to ask you about here is we're talking we're talk about ransomware a couple of times. I just want to zero in on that to close things out. With respect to the decision to pay the ransom, it seems like, at least publicly, more and more organizations are choosing to pay. What do you think are some of the decision points, as you've done these simulations, that that would leave an organization to sort of flip over to say, OK, we're going to have to pay? What are some of the factors that lead into that decision that you've seen?

Nadia Fahim-Koster: [00:40:51] I've seen some organizations who decided they wanted to pay very early on, like at the end of day one, where personally I was a little surprised because I wasn't sure they really were at that point. But they from hearing, I guess, their their CEO and CIO talked and any seasoned professional security would know if you have ransomware incident, the likelihood of it spreading quickly is pretty high. And so especially in a health care setting provider setting, they thought, yeah, we think this is going to be problem.

Nadia Fahim-Koster: [00:41:29] And so they said, well, let's go ahead and pay now. Right. And then, of course, the question is it's still cheap right now. You know, it's I don't know about a thousand bitcoins or whatever. If we wait another day or two, the price is probably going to go up. Do we want to wait that long? And of course, then the whole question was, how do we even pay somebody bitcoins? Right. And so that's part to talking about contacting the FBI, but also your cyber liability, even though it turns out they are quite knowledgeable on how to handle the whole Bitcoin conversation. That was that was kind of huge eye opener for me. But generally, we find that organizations start tilting towards we've got to pay when they realize their systems are getting crippled. It will take them days, if not weeks to recover. Again, this is when they start hearing from the I.T. management going, you know, it's going to take us a long time. And the longer we wait, the more we get crippled. We're not going to be able to fix this quite yet. We need to get out of it. One of the things, though, that organizations also have to realize is by paying you not necessarily guaranteed that you're going to get the key to unlock everything. I'm not sure there is any evidence out there that says the greatest majority of the time you don't. I think you indicated even I think the key gets released generally. However, the bigger issue is just because you now have the key to decrypt your data doesn't mean you can just push a button and poof, you're back to resuming operations. It will still take you days and weeks to recover because, you know, there's a bandwidth issue of resources being able to touch every machine, every server, being able to figure out the integrity of the data. And then, of course, during the few days where you could not enter any data and your systems, then you have to go to backlog of paper and do a lot of reconciliation. So it's kind of almost like a never ending nightmare.

Brian Selfridge: [00:43:20] I've lived through sneaker net patching of many systems for malware that before, it's not fun. And unfortunately, the bad guys don't haven't given us some centralized deployable software yet. Hopefully they're working on that in their next iterations of of malware. I'm just kidding. Of course. Well, not really. Any other final parting thoughts for us. We've covered a lot of ground and there's there's going to be more incidents. It's going to be more as this is going to evolve. And any other recommendations or thoughts you have for folks as they look to plan for the rest of the year ahead and going forward?

Nadia Fahim-Koster: [00:43:54] Yeah. So just kind of a quick reminder, some organizations sometimes need to be pushed from a regulatory perspective to do this. You know, it's a great sound business reason.

Nadia Fahim-Koster: [00:44:04] It's compelling you if you're running a business, if you're taking care of patients, you really should be you should test your response capabilities.

Nadia Fahim-Koster: [00:44:14] The HIPAA regulation also does require you to test your capabilities and so do it. It's a good thing even if you start small at the I.T. Security Department level, start with a small scenario. You walk through it, see how you do it, then broaden the scope of that scenario, make it more complicated involving other areas, involving the clinical areas. The executive team start somewhere and grow from there and hopefully learn from it.

Brian Selfridge: [00:44:41] Excellent. Well, we've covered a lot of ground and I wish we had more time, but you've got more incidents to put out and fires to deal with and helping these organizations protect themselves. So I want to thank you so much for taking the time to be here with us today. We really appreciate your insights.

Nadia Fahim-Koster: [00:44:55] Thank you for having me. I had a great time. Thank you.

Brian Selfridge: [00:45:06] Again, I would like to thank my guest, Nadia Fahim-Koster for great discussion about incident response trends and leading practices for health care entities. As always, we'd like to have your feedback and hear from you. Our listeners feel free to drop us a note about what topic you'd like to hear about or thought leader you'd like to hear from. Our email address is CyberPHIx@meditologyservices.com. Thanks again for joining us for this episode of CyberPHIx. We look forward to having you join us for the next session coming up soon.