Sentinel Event Alert and State of External Exposure Management

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack

The Joint Commission has published a Sentinel Event Alert offering guidance on keeping patient safety after a cyberattack. There has been an increase in sophisticated healthcare cyberattacks. The question is not if a healthcare provider will be attacked but when.

Cyberattacks could result in a substantial interruption to healthcare treatments and put patient care in jeopardy, therefore it is important that healthcare providers do all they can to avoid cyberattacks, for example reducing the attack surface, updating the software program and patching immediately, giving employees training on phishing awareness, and using a variety of cybersecurity options. Healthcare institutions should also prepare for the worst that could happen and should think about the possibility of breached defenses. They should consequently have a proven incident response program that could be set off quickly in case of a cyberattack.

In the event of a breach in defenses and unauthorized access to internal systems, much of the recovery procedure will be taken care of by the IT team; nevertheless, all hospital workers should be ready to work in such an urgent situation and should be part of the incident response preparation process. It should start with the hazard vulnerability analysis (HVA), which is mandated by the Joint Commission. The HVA should include human-associated risks, including cyberattacks. The HVA assists hospitals in determining and applying mitigation and readiness actions to lessen the interruption of services and operations and ensure patient safety in case of a cyberattack. The Joint Commission likewise calls for a continuity of operations strategy, disaster recovery program, emergency management coaching, and training program, and these should be assessed yearly.

The Sentinel Event Alert gives tips about these processes particular to cyberattacks:

  • Assess HVA results and make hospital services that should stay operational and safe a priority while in prolonged downtime.
  • Create a downtime planning group to formulate readiness measures and mitigations. The planning group must have representation from every stakeholder.
  • Create downtime programs, procedures, and solutions and make sure they are updated on a regular basis.
  • Select response teams – An interdisciplinary group must be made that could be mobilized after a cyberattack.
  • Educate group leaders, teams, and all employees on operating processes in downtime. Establish drills and things to do to make sure employees know about downtime resources.
  • Develop situational awareness with efficient verbal exchanges all throughout the company and with patients and households.
  • Right after a cyberattack, recollect, assess, and make needed enhancements to the incident response program and boost protections for systems to deal with the particular problems that made it possible for the attack to be successful.

The Joint Commission’s executive vice president for healthcare quality evaluation and improvement, David W. Baker, MD, MPH, FACP, stated that cyberattacks bring about various treatment disruptions resulting in patient harm and serious financial consequences. Doing something now will help healthcare organizations be ready to provide secure patient care in case of cyberattacks. The suggestions in the Sentinel Event Alert, along with The Joint Commission’s demands on creating and carrying out a continuity of operations program, disaster recovery strategy and more, could help healthcare companies successfully address a cyber emergency.

Study Shows State of External Exposure Management

The most recent State of External Exposure Management Report by CyCognito highlights the magnitude to which vulnerabilities impact companies and how simple it is for cybercriminals to take advantage of those vulnerabilities.

CyCognito’s researchers collected and examined 3.5 million digital assets throughout its consumer base from June 2022 to May 2023, including small, medium, and large corporations, not to mention Fortune 500 companies.

The study discovered that 70% of internet apps had serious security gaps, like inadequate web application firewall (WAF) defense and not utilizing encrypted connections like HTTPS, with 25% of internet apps missing both protections. A typical business has over 12,000 web applications including SaaS applications, APIs, servers, and databases. The researchers discovered a minimum of 30% of those web applications have over 3,000 assets and have one or more exploitable or high-risk vulnerabilities.

Personally identifiable information (PII) is at risk according to the study. 74% of assets that contain PII were discovered to be compromised to one main exploit, and 10% of assets got a minimum of one quickly exploitable problem. Although critical severity vulnerabilities are a big concern, for every quickly exploitable critical vulnerability determined, there were 133 quickly exploitable low, medium, or high severity problems.

As CyCognito points out in the report, there is a constant change in the attack surface and its research indicates the attack surface varies by around 10% every month. That means that in a year, countless new assets could have been included in the system and one of those assets may have an exploitable vulnerability. Since the attack surface is active, companies cannot do mapping just one time because the map produced will have no data pretty much right away. There is a balance to be arranged, therefore a lot of companies have a biannual or quarterly mapping schedule, though such occasional mapping could cause significant gaps in recognition and coverage. To remain cognizant of risks the moment they turn up, utilize regular mapping and checking of all resources to keep an updated, complete knowledge of your exterior attack surface.

Focus must be paid to web applications, which usually account for about 22% of the attack surface. They’re simple to deploy, give access to important information, connect companies with workers and clients, and could have many elements, each one of which could be impacted by security problems. Companies must make sure that web applications are correctly secured with WAF and encrypted connections, particularly those that offer access to PII or online platforms.

Dealing with safety problems is a constant process. It is necessary to make sure that the most critical problems are prioritized and resolved first. CyCognito suggests utilizing context regarding impacted assets and threat actor activity to determine the most critical threats to prioritize and not to depend on CVSS scores, because there might be more risk from less serious vulnerabilities that threat actors could quickly take advantage of.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.