The document outlines Kevin Mitnick Memorial Hospital's Incident Response Plan with 4 phases: 1) Preparation establishes roles for a Computer Security Incident Response Team and employee training. 2) Detection details identifying and analyzing incidents through automated/manual scans and employee reports. 3) Response includes preserving evidence, containing/removing threats, and recovering from incidents. 4) Post-incident activities are conducting an after action report and notifying authorities/public of critical breaches. The plan provides guidance for different incident severity levels and protecting patient health information.

1. Kevin Mitnick Memorial Hospital’s
Incident Response Plan
Matthew J McMahon
Cybersecurity in Healthcare Administration
Salve Regina University
February 23, 2017

2. 2
Contents
Introduction…………………………………………………………………………………..........3
Overview of the Incident Response Plan…………………………………………………….........3
CHAPTER ONE. Preparation…………………..…………………………………………............4
Develop a CSIRT……………..………………………………………………….…...........4
Conduct Employee Training……………..…..………………………………….…...........5
Use Best Practices………...…..………………………………………………….….........6
CHAPTER TWO. Detection………….……………………………………………………...........6
Identify the Incident………………..…………...…………………………………............6
Analyze the Incident………….……………..…..…………………………………............7
CHAPTER THREE. Response…………………..……...…………………………………...........8
Preserve the Evidence………………....……………………………………………..........8
Contain the Incident……….……….………..…..…………………………………...........8
Remove the Threat…….....…..……..………………………………………………..........8
Recover From the Incident………...………………………………………………............8
CHAPTER FOUR. Post-Incident Activity...…..……………….…………………………............9
Conduct an After Action Report………….……...……………...……………………........9
Report the Incident..…………..……………..…..…………………………………...........9
Conclusion………………………………………………………………………………………...9
Revision History…………………………………………………………………………………10
Appendix 1………………...………………………………………………………….................11
KMMHS Third Party Risk Assessment Form…………………………………………….11
Appendix 2………………...…………………………………………………………..................14
Blank Manufacturers Disclosure Statement for Medical Device Security Form..............14
Bibliography……………………………………………………………………………………..15

3. 3
Introduction
The Kevin Mitnick Memorial Hospital located at 1492 Exploit Lane in Calabasas,
California is a small twenty five bed critical access hospital. The facility has a twenty four hour
emergency department and a lab that operates between the hours of 8:00 AM and 8:00 PM PST
Monday through Friday.
The facility utilizes MEDITECH version 5.6.7 as its electronic medical records system
(EMR.) It also utilizes a Sunquest laboratory informatics system (LIS) in the lab that passes
results to MEDITECH. The hospital employs a plethora of other medical devices including, but
not limited to; Point of Care (POC) blood gas, urinalysis and glucose analyzers from various
vendors that all send results to their Sunquest system via a Data Innovations interface engine.
In today’s day and age, cyber-attacks on hospitals are becoming more and more
prevalent. It is no longer if a hospital will be attacked but when. In an environment where a
medical record sells for ten times on the dark web what a credit card record does it is imperative
that this medical facility create and implement a Computer Security Incident Response Team
(CSIRT) to manage and oversee this facilities Incident Response Plan (IRP) and assure the
protection of our customers Protected Health Information (PHI.)
Overview of the Incident Response Plan
The purpose of the Kevin Mitnick Memorial Hospital’s Incident Response Plan is to
provide clear, concise instructions to each member of the hospital staff and business partners in
response to an incident. The structure of this report utilizes the standard four phase incident
response model of Preparation, Detection, Response and Post-Incident Activity. The first phase,
Preparation focuses on establishing clear areas of responsibility for various hospital staff should
an incident occur. The second phase, detection details how the hospital’s IT staff should stay
vigilant against cyber threats. This includes what should be done should IT become aware of a
potential threat as well as processes to be implemented for threat analysis.
The third phase, Response details how the organization should respond to an identified
incident which includes; the preservation of evidence, containment of a potential exploit,
removal of the threat from the system and recovery after the threat is contained. The fourth and
final phase, Post-Incident Activity details the actions to be taken after the incident has been
mitigated including an after action report and any incident reporting.

4. 4
CHAPTER ONE.
Preparation
Develop a CSIRT
A Computer Security Incident Response Team (CSIRT) is a cross disciplinary team
created to bring in key personnel that will be needed to respond to an incident. The response
team includes several members from the IT department including a system administrator,
members from the database, network and security teams as well as representation form legal,
HR, public relations teams and the executive suite.
The database team is responsible to assure that the sites various SQL databases are
regularly updated with security patches and secured against SQL injection exploits, a common
healthcare threat vector. The network team is responsible for assuring that the hospitals various
networks are properly cordoned off, utilizing firewalls and separate virtual local area networks
(VLAN’s) and network partitions where applicable. In addition their responsibilities include
regularly updating and properly implementing antivirus and antimalware software as well as port
management which includes blocking unused ports and managing the facilities dynamic host
configuration protocol (DHCP) network addressing structure.
The IT security team is responsible for working in conjunction with the networking team
to develop an all-encompassing security posture that is robust but not so secure that it affects the
free flow of data across the hospitals networks. Their main role is education, specifically
developing and training all hospital staff on good cyber and physical security habits.
The legal department plays an important but often overlooked role in the development of
the hospitals security posture. It is their responsibility to review and craft the third party vendor
interface agreements that detail where the hospitals responsibility ends and a third parties begins
when it comes to the hospitals various software and hardware interfaces that move data around
its networks.
HR’s biggest role in security is properly screening the hiring of new candidates,
especially those that will maintain high levels of security clearance such as system
administrators. They also play an essential role in assuring that all employees’ security trainings
and documentation are up to date. Another responsibility of the HR department is to assure that
access to all hospital systems is immediately revoked upon an employee’s termination of
employment.
The public relations team is responsible for communicating with the public and/or news
media outlets should a breach occur. Per section 13402(e)(4) of the Health Information
Technology for Economic and Clinical Health Act (HITECH,) in the case of a breach of more
than 500 the public must be made aware via the news media.

5. 5
The executive suite is a key player in the facilities cyber defense structure. They are
often a high value target specifically sought out by advanced persistent threats (APT’s.) They
will undergo a higher level of security training than any other employee as they are not only the
most targeted but also the primary decision makers in driving the organizations response to a
threat.
It is imperative to have representation from each of the hospitals internal third party
vendor support staff on the team as they are the ones with key access and product knowledge that
will need to be leveraged if an attack targets and compromises their application. Their input will
be essential in helping IT and the executive suite craft an appropriate response to a threat. This
includes key support staff from each of the various medical software applications on site
including MEDITECH, Sunquest, Data Innovations and the Siemens Healthineers, Point of Care
(POC) Rapidcomm software application. The applications support staff has access to these third
party vendors via 24 hour phone and onsite support should that need to be activated.
The team also includes contacts from key business partners that the organizations works
with that regularly attend the group’s biweekly meetings as often an exploit is brought in by a
third party vulnerability. Business partners include but are not limited to West Coast Recycling,
data destruction company, Dell onsite desktop support, North Star Janitorial Services as well as
Hiram’s cafeteria services. Business partners should not be overlooked in a hospital’s IRP as all
of the above listed services have some level of potential access to protected data, be it on a
decommissioned hard drive, paper record or even the dietary status board posted in the cafeteria
that list allergies and dietary restrictions of patients.
The involvement of third party vendors is essential to the facilities greater cyber defense
strategy. For each third party interface a vendor interface form shall be completed by the vendor
prior to connecting and submitted to the IT security team, see Appendix 1. The IT security team
will then conduct a threat assessment to determine the risk associated with connecting one of the
hospitals systems to the third party vendor. The interfacing products Manufacturer Disclosure
Statement for Medical Device Security (MDS2) form and any other supporting documentation
should be requested, kept on file and regularly updated by the vendor, see Appendix 2.
The roles spelt out in this section of the report are far from all encompassing. They are
meant to give all hospital staff a general idea of the roles and responsibilities of the various
members of the CSIRT team. More in depth, user specific roles are addressed in role specific
trainings. These roles and responsibilities are fluid and dynamic, constantly changing and
adapting to address the ever changing cyber threat landscape.

6. 6
Conduct Employee Training
All hospital staff are required to take a two hour security training within fourteen days of
their hire date and additionally complete a one hour refresher training every six months. The
training program, created by the hospital’s IT security team covers general physical and cyber
security concepts such as how to create a strong password, reporting suspicious emails and not
holding the door open for other hospital staff entering the hospital.
In addition to this general training certain key members of the hospital staff take
additional trainings provided by the SANS institute and facilitated by the IT security team.
These include members of the executive suite that are often the target of phishing exploits,
hospital IT on secure network configuration and others respective to job role.
Use Best Practices
In addition to the specific roles already laid out in the “Develop a CSIRT,” section of this
report the following additional best practices should be observed by all hospital staff.
 Minimum length and complexity requirements for system passwords
 Regular system password expiration
 Encrypt all outbound and internal email that contains PHI data
 Assure all desktop PC’s lock screen after 5 minutes of inactivity is enabled
 No holding the door for other staff
The following best practices should be maintained by all hospital IT and informatics
staff.
 All laptops and mobile devices shall be encrypted
 All systems must be regularly backed up fully once a week with incremental
backups happening daily.
 All system patches must be implemented per vendor recommendations
 All systems should be pen tested annually
 All systems should be fuzz tested annually

7. 7
CHAPTER TWO
Detection
Identify the Incident
An incident is typically identified by one of the automated or manual security scans
regularly conducted on the hospital’s various systems. Automated scans include both antivirus
and antimalware that look for both black listed exploits and specific threat signatures that could
detect a zero day exploit. Both of these applications are configured to immediately quarantine a
threat should it be detected.
Manual network scans such as the regular monitoring of network traffic via Windows
logs or an application such as using Wireshark should be conducted on a weekly basis. Any
abnormal network activity such as spikes in data entering or leaving the network should be
reported immediately to the IT network and/or security teams.
In addition to IT every employee is responsible for being on the lookout for suspicious
activity and should report such activity immediately by dialing *511 on any hospital phone to be
immediately connected to the security office.
Analyze the Incident
Qualification of incident severity parallels the standards laid out by the Health Insurance
Portability and Accountability Act (HIPAA.) The three classifications are a direct reflection of
the number of patient records affected.
Category Number of Records Effected
Minor 0
Significant 1 – 499
Critical 500 +
Minor
Members of the IT Security team will monitor a potential threat that is either directly
reported by an employee or shows up via an automatic or manual system scan. The threat will
be investigated and quarantined. The IT Manager for that day will take the lead on this threat
and coordinate communication. The entire facility should be notified via email to increase
awareness and generate visibility of cyber threats.
Significant

8. 8
Members of the IT Security team will monitor a potential threat that is either directly
reported by an employee or shows up via an automatic or manual system scan. The threat will
be investigated and quarantined. All applicable forensic analysis will be handled by the IT
security team. Members of the executive and legal teams will be brought into the discussion to
examine the ramifications of patient record breeches. The IT Manager for that day will take the
lead on this threat and coordinate communication. The entire facility should be notified via
email to increase awareness and generate visibility of cyber threats.
Critical
Members of the IT Security team will monitor a potential threat that is either directly
reported by an employee or shows up via an automatic or manual system scan. The threat will
be investigated and quarantined. All applicable forensic analysis will be handled by the IT
security team. Members of the executive and legal teams will be brought into the discussion to
examine the ramifications of patient record breeches. The highest ranking available executive
team member will take the lead on this threat and coordinate communication. The PR
Department will take the lead on drafting and delivering appropriate public news briefs
regarding the situation as it develops. The entire facility should be notified via email to increase
awareness and generate visibility of cyber threats.
CHAPTER THREE
Response
Preserve the Evidence
Preserving the evidence begins with preparing the necessary tools to analyze an exploit
before it is reported. The IT department keeps two PC’s running Forensic Tool Kit (FTK) as
well as other forensic tools for the immediate forensic analysis of a potential threat.
Should you find suspicious activity on any hospital PC you should call the hospital
security line at *511 immediately and report it. DO NOT TURN OFF THE DEVICE IN
QUESTION as valuable forensic evidence could be lost by doing this. The IT Security team will
work to contain any threat detected as well as make an image of any infected device for later
forensic evidence that could be used in a legal case.
Contain the Incident
The IT department will be instrumental in containing the incident. The type of threat will
largely dictate containment measures. If proper network segmentation and other security
measures previously listed are in place the exploit should be relatively contained. After the

9. 9
required evidence is collected it is up to the IT department in conjunction with the application
support team for the effected system to devise a strategy for further containment. It may be
decided that the effected system should be taken offline but no decision should be made until at
least a brief initial forensic analysis is done to determine what type of threat the incident entails.
In many cases exploits are specifically crafted to be activated by an IT departments attempt to
contain and mitigate them. This should be a consideration.
Remove the Threat
Based on the initial forensic assessment of the threat again, the IT team in conjunction
with the application support team will devise and implement a strategy to fully remove the threat
from the system. This could entail wiping the drive and restoring a backup, deleting a firewall’s
quarantined files queue or any number of other measures specific to the threat encountered.
Recover From the Incident
The final step of the response phase is recovering from the incident. In most cases this
will involve restoring a clean backup of the effected system but it’s also possible that new
hardware may be need to be purchased if it cannot be assured that the exploit was successfully
mitigated. Again, this will be at the discretion of the IT department in conjunction with the
application support team for the effected system.
CHAPTER FOUR
Post-Incident Activity
Conduct an After Action Report (AAR)
After the incident is successfully mitigated the team should reconvene to discuss the
incident and the team’s response to it. It is important to note that not every cyber threat can be
foreseen and stopped. There is little that can be done about a zero-day exploit that sneaks past
the facilities threat monitoring systems and manual detection process. It should be reviewed and
discussed if such a threat was adequately quarantined by proper network segmentation.
A known exploit that was allowed into the hospitals network because a firewall was not
regularly updated or because a PC was running an outdated operating system is another story as
that was a fully preventable incident and should be discussed as such and remediated. The entire
facility should be notified about the breach and used as a learning opportunity.

10. 10
Report the Incident
Per HIPAA, a healthcare facility is legally required to notify the public via a media outlet
when a breach affects more than 500 individuals. The U.S. Department of Health and Human
Services (HHS) must also be notified in the event of a breach of 500 or more records. The legal
team is responsible for contacting and informing HHS while the PR is responsible for reporting
the breach to local media outlets.
Conclusion
With the cyber threat landscape what it is today it is less a question of if a healthcare
organization will be the victim of a cyber-attack and more a question of when The best a
healthcare organization can do is create a robust IRP. One that is detailed enough that
employees at each level of the organization know exactly what they are responsible for during an
incident but not so unwieldy and specific that no one fully reads it or isn’t easily searchable. We
believe that the Kevin Mitnick Memorial Hospital has created such a document with this IRP. It
cannot be stressed enough though that the incident response plan must grow and evolve with the
threat landscape. This is a living document that should be reviewed and revised at least twice a
year and more so when necessary to address a specific advanced persistent threat (APT,)
changing health legislation, etc.
Revision History
Revision Revised By Date Revised Next Review Date
1
2
3
4
5
6

11. 11
Appendix 1
KMMHS Third Party Risk Assessment Form
In order to meet privacy regulations, The Kevin Mitnick Memorial Hospital system
(KMMHS) must have the following information about the applications that are used to create,
store, view, maintain or transmit our data. We appreciate your help in returning this form to us as
quickly as possible. Feel free to attach diagrams or other supporting documents if they are
relevant.
The information you provide will be reviewed by KMMHS’s IT Department, Compliance
Department and/or the IT Security Department. And your responses are confidential.
Application Information Response
What is the application name?
What is the name of the company
that provides the application?
Who is the primary application
contact for this third party interface
at KMMHS?Who is the IT Security Team
Manager contact for this
application?
Please describe how is the
application used?
Does this application create, store,
view, maintain or transmit Protected
Health Information (PHI), Personal
Identity Information (PII), or
Payment Card Information (PCI)?
Yes No
If the answer to the above question is “No,” please identify who completed this form
Completed By (Name): _________________________________________________
Date___/___/___
Signature: _______________________________________________
and STOP.
If the answer is “Yes”, please continue.

12. 12
This section to be completed by the third party vendor.
Completed by vendor contact: _________________________________________
Date___/___/___
Signature: _______________________________________________
User Authentication Controls Response
Does each user have a unique login or identifier? Yes No
Are users automatically logged off after some period of time? Yes No
What is the automatic log off time period?
(# of minutes)Are accounts automatically locked if there are failed login attempts? Yes No
What is the number of failed attempts that are allowed before an account is
locked? (# of attempts)
Does the application require users to change their password? Yes No
How often must users change their password?
(# of days)What is the minimum password length?
(# of characters)Are upper/lower case, numbers and special characters supported in
passwords?
Yes No
Are passwords encrypted while stored? Yes No
Are passwords encrypted when transmitted? Yes No
User Authorization Controls Response
Is user access reviewed and authorized before being granted? Yes No
Is user access based upon the principle of ‘least privilege’? Yes No
Are role based user profiles defined and used? Yes No
Is separation of duties addressed when user access is granted? Yes No
Is user access reviewed periodically to ensure that access is appropriate? Yes No
Is there a process for removing access for terminated employees? Yes No
User Access Monitoring Response
Are user log on (successful and failed) attempts logged? Yes No
Are user transactions (application activities) logged? Yes No
Is log/audit trail data protected (files cannot be deleted or modified)? Yes No
How long is log/audit trail data retained?
(# of months)Is log/audit trail data reviewed periodically to detect anomalies? Yes No
What is the frequency for log/audit trail review? (# of
times per week)If an anomaly is detected, is an incident response process in place to
investigate?
Yes No
Data Protection Controls Response
Is the application data classified as “protected”? Yes No
If data is classified as protected, is data encrypted while at rest? (stored data
encryption)
Yes No
Is protected data encrypted while in transit? (data in motion encryption) Yes No
What encryption standard is used? (for example: AES-128, AES-256, Triple
DES)

13. 13
Is protected data stored within a database? Yes No
What database is used? (for example: SQL Server, Oracle)
Do you back up data on a regular basis? Yes No
Is protected data stored or accessed from a thumb drive or other portable
media?
Yes No
Do you have a process in place to destroy portable media that contains
protected data?
Yes No
Do you allow personally owned devices to access protected data? Yes No
Do you have processes in place to destroy protected data that may be
printed?
Yes No
Is there a disaster recovery plan for this application? Yes No
Do you have a plan to continue operating in case of an emergency? Yes No
Do you have a process for testing and applying patches or updates to your
systems and applications?
Yes No
Is there are process to identify and remediate application vulnerabilities? Yes No
Please attach an application data map that shows the flow of all protected information.
This section is to be used to document any comments or risks that are not easily explained when
responding to the questions. Each numbered line is intended to be used for each unique
discussion item.
1.
2.
3.
4.
5.
6.
7.
8.
Completed By (Name): _________________________________________________
Date___/___/___
Signature: _______________________________________________
Thank you for your help.
To be completed by KMMHS.
Reviewed By (IT Security Team Member Name): ____________________________________
Date___/___/___
Signature: _______________________________________________

14. 14
Appendix 2
Manufacturer Disclosure Statement for Medical Device Security Form

15. 15
Bibliography
Verizon Enterprise Solutions “2014 Data Breach Investigation Report,”
Catalan, Brandon, “ADJ-581 Principles of Forensics, Week 12, Crime Scene/Incident
Procedures” Salve Regina University
Cichonski, Paul, Millar, Tom, Grance, Tim, Scarfone, Karen. “Computer Security Incident
Handling Guide; Recommendations of the National Institute of Standards and
Technology.” National Institute of Standards and Technology:U.S. Department of
Commerce, Special Publication 800-61, Revision 2.
http://dx.doi.org/10.6028/NIST.SP.800-61r2 (accessed February 23, 2017)
De Voe, Charles and Rahman, M Syed (Shawon), “Incident Response Plan For a Small to
Medium Sized Hospital.” International Journal of Network Security & Its
Applications, Vol 5, No. 2 (March 2013)
Durkan, Jenny A., Cobb, Alicia, “After a Cyber Breach, What Laws Are in Play and Who
Is Enforcing Them?” The Cybersecurity Law Report, Vol 1, No 4 (May 2015)
Federal Deposit Insurance Corporation, “Incident Response Programs: Don’t Get Caught
Without One,” Supervisory Insights
Forcepoint, “The Cost of the Unintentional Insider,” Forcepoint, Powered by Raytheon
Hathaway, Melissa, “United States of America Cyber Readiness at a Glance,” Potomac
Institute for Foreign Policy, (September 2016)
Hau, Bill, “Incident Response:A New Model Needed,” 2013 Incident Response Survey
Report, Information Security Media Group
HIMSS, “2016 HIMSS Cybersecurity Survey,” Healthcare Information and Management
Systems Society
HIMSS, “Manufacturer Disclosure Statement for Medical Device Security (MDS2,”) Healthcare Information and
Management Systems Society
Imprivita, “The C-Suite Battle Plan for Cyber Security Attacks in Healthcare,” (2015).
“Malware Trends; Industrial Control Systems Emergency Response Team (ICS-
CERT) Advanced Analytical Laboratory (AAL,”) National Cybersecurity
Communications Integration Center (October 2016)
KnowB4, “Best Practices for Dealing with Phishing and Ransomware,” An Osterman Research

16. 16
White Paper, (September 2016)
McArdle, Jennifer, “Developing an Effective Cyber Incident Response Plan Lecture,” Salve
Regina University
Murphy, Sean. Healthcare Information Security and Privacy. New York: McGraw-Hill,
(2015)
NIST, “Computer Security Incident Handling Guide,” Special Publication 800-61
(August 2012),
Ponemon Institute,“The Cyber Resilient Organization: Learning to Thrive Against
Threats,” (September 2015)
Ponemon Institute (2016), “Sixth Annual Benchmark Study on Privacy & Security of Healthcare
Data.” Page 1-32.
PWC, “Cyber Crisis Management: A Bold Approach to a Bold and Shadowy Nemesis,”
(Aug 2011)
Sans Institute,“Protection of Information Assets,” Info Sec Reading Room (2002).
Siemens Healthineers “DX Privacy Incident Management Process Guidance.” H DX
Product Security & Privacy Office (Revised June 30, 2014)
Siemens Healthineers “Security Incident Report Form.” GP-099 DX-Product Security
Common Procedures – Version 1.0
Verizon Enterprise Solutions “2014 Data Breach Investigation Report,”
World Economic Forum, “Risk and Responsibility in a Hyperconnected World,”
(January 2014)