Enabling Security First Responders: The Golden Hour in Healthcare Cybersecurity

Time. It is never too much to state that time is the most precious resource we have. It is given to us in a limited amount, and it is up to us to spend it as wisely as we can. Never does time seem more precious, or pressing, than when we are in the midst of an emergency. The term “Golden Hour” came about through the medical field a long time ago, and it applies to the belief that certain treatments administered in the first hour after a heart attack or stroke significantly improve patient outcomes. 

It is also not hyperbole to state that in the world of cybersecurity, healthcare holds a special distinction. Cyber attacks, and damage to infrastructure is always a significant issue, but the damage that can occur from a cyber attack in healthcare isn’t limited to personal information, or medical secrets. “Real world” damage does occur in these events, they can impact or even take people’s lives. 

So in the same way that time is critical in acute medical situations in order to minimize impact and maximize patient recovery, time is at the heart of minimizing the impact of cyber events. While not shocking in and of itself, there does seem to be a significant gap in cybersecurity response that misses the lesson of the medical golden hour in many instances. The faster that a successful cyber attack in healthcare can be detected, contained, and impact minimized, the impact to patients can be minimized or even eliminated.

Having a Bad Day

Same as in healthcare, in the cyber world we don’t really want to have a bad day. We don’t want to get ill, we don’t want to have that emergency room visit, and we don’t want that ransomware attack to successfully land and start to deploy in our environments. We just don’t. But, unfortunately it is probably going to happen. At some point in our lives, and our careers we are going to have a bad day. 

Taking this point is important, as things need to be considered again against the measure of time. Diagnoses in emergency rooms can sometimes be easy, sometimes not so much. Specialists and dedicated tools are sometimes required to get to the root of a problem so that a recovery can be enacted. Same in cybersecurity. Initial diagnosis may occur from overnight analyst, or it may from a high confidence security tool. But we know that diagnosis of a problem may not be the root cause of the problem. 

An example of a high confidence alert could be an alert from an endpoint detection tool that a malicious process has been identified and blocked. However it did not detect the remote code execution (REC) attack that preceded the blocked dropper activity. The system alerted and responded to stop the dropper, but the actor is still resident, and now they have information about the types of detection in place. We could consider this a little “i” or a potential incident. An adversary is in place but has not yet been able to cause measurable damage. But time is still clicking along.

The Golden Hour

Here, though, is where there’s often a divergence between the response and recovery processes between healthcare and cybersecurity – in healthcare this period of time is critical for initial treatments. 

However, many cybersecurity teams seem to have a disconnect here. Their MSSP or their own SOC may notice and diagnose an incident; however, if the adversary takes another step and unleashes a more successful attack that could be determined as a big “I” incident very little occurs between the diagnosis of the new problem and alarm bell of the involvement of the DFIR team. 

Unfortunately, that DFIR team may take hours or even days to get involved – depending on a variety of factors, including whether or not a DFIR retainer exists, and what the SLA for that retainer is. This is time that these programs cannot get back, and as IBM points out in their “Cost of a Data Breach Report 2023,” a quality incident response plan can cause a 34% swing in the cost of a data breach. More explicitly, this delay can contribute to the need for healthcare providers to close themselves to new admissions, and can interrupt care to current patients, not just during that golden hour period, but this can impact the total amount of time that passes before the incident is controlled and mitigated well enough to continue offering full care to patients.

The Cybersecurity Approach To the Golden Hour

Clearly, then, there’s work to be done. Deepwatch assists our customers through this golden hour with a process we refer to as “zero to retainer.” An incident commander is assigned who immediately opens a war-room virtual meeting for collaboration and communications. During this crucial period we work directly with our customers to:

• Coordinate immediate mitigation and containment activities
• Continue analysis with additional high-tier security operations resources
• Organize evidence that the DFIR team will likely utilize
• Prepare for the DFIR team’s engagement and provide a smooth, efficient handoff

The incident commander is a veteran of cyber incidents who guides our impacted customers through these difficult situations, providing hard-won expertise, and insights generated from our many years of service.

You don’t have to be a Deepwatch customer to manage your own healthcare cybersecurity golden hour process, but you will want to be sure your incident response plans are thorough and well practiced. And you will want to ensure that if you are relying on your MSSP or MDR company to help lead you through this golden hour, be sure to validate that they offer such support.

Embrace the Golden Hour in Cybersecurity

The concept of the “golden hour” serves as a powerful reminder that rapid intervention is critical in cybersecurity. Attacks are becoming more common, costly, and complex. Often, the speed of response to a damaging cyber incident is key to reducing the damage. Letting this hour slip away has serious consequences for your security program and the patients your program serves.

↑