Keeping Incident Response Plans Current
Mark Dill, former CISO at Cleveland Clinic, Shares Best Practices
Many healthcare organizations are falling short in their incident response plans, says Mark Dill, principal consultant at tw-Security. The former director of information security at the Cleveland Clinic discusses best practices for keeping those programs current.
"I'm still not seeing a lot of [incident response] playbooks in cyberspace where you have previously thought out how you analyze and report the incident," he says in an interview with Information Security Media Group at the HIMSS19 conference in Orlando. "It's lacking a structured workflow and a set of instructions at the detailed level on how to handle a particular cyber event - whether it's any kind of a hack, or malware, ransomware or a phishing attack. ..."
Meanwhile, although more healthcare entities are adopting technologies such as security information and event management systems, or SIEMs, many are hitting roadblocks with those tools, he notes.
"Even when that tool is fully optimized, a large organization could see hundreds of events that they might have to look at in the course of a day - and no one has a staff size large enough. So, you need the next level of process and tool," he says. "User behavior and device analytics adds great value. It adds an evidence-based approach to the ... events the team should be looking at."
In the interview, Dill also discusses:
- The need to make changes to incident response plans to reflect changes in laws, such as the California Consumer Privacy Act and other states' efforts to bolster privacy and breach notification regulations;
- How to update security risk management programs to reflect the changing cyberthreat landscape;
- Best practices for updating incident response plans and playbooks.
Dill is a partner and principal consultant at tw-Security. Before joining tw-Security, he was director of information security for the Cleveland Clinic, responsible for the deployment of information security and disaster recovery best practices.