Securing the Health IT Ecosystem: 5 Steps to Automated Incident Response

With more information and health data access points than ever before, IT organizations must take security risks seriously. That’s especially true today: According to one report from Risk Based Security, the first six months of 2021 saw 1,767 publicly reported breaches that exposed a total of 18.8 billion records. Another report from Constella Intelligence found the health IT industry experienced a 51% increase in exposed records between 2019 and 2021.  Moreover, IT leaders must take steps to stop these breaches in their tracks. But implementing security best practices is not simply a box to check. It will require continuous monitoring on behalf of leaders and staff across the health IT ecosystem. 

Indeed, with so much to do and only so many security analysts, health care organizations are turning to automation to streamline and accelerate their incident response efforts. At the 2021 CMS Cybersecurity Forum, Benjamin Hostetler, senior information security advisor at National Government Services, offered tangible steps for how organizations can automate their vulnerability scanning and incident response processes. 

The Case for Automation 

While many organizations have adopted artificial intelligence and automation, others are more reluctant. But regardless of where you stand on the matter, the data about automation speaks for itself. 

When it comes to security control compliance, for example, health IT organizations can gain a significant return on investment by automating the process. 

“Each [automation] action calculates out to a monetary value, such as if an associate does those exact same actions,” Hostetler explained at the event. “So, what we can do is we can actually calculate out and give a projection on . . .  the amount of time that we have saved using these automation capabilities, as well as ‘this is the dollar amount that we actually can potentially project out if we had to hire personnel to do these types of activities.’”

Time to resolution is also a key factor to consider when reaping the benefits of automation. 

“Mean time to resolution . . .  is also a great data point,” Hostetler said. “We typically look at that [in terms of] ransomware or a phishing attempt, and how long did it take the incident response group to actually resolve those?” 

To test the hypothesis that automation can help teams resolve incidents faster and more efficiently, Hostetler and his team tracked mean time to resolution during RA-5, a vulnerability management control from NIST-800-53. 

Automating the vulnerability scanning process cut mean time to resolution from an hour to a minute. Meanwhile, Hostetler also tested this hypothesis on vulnerability management controls AU-6 and AC-2, yielding similar results. 

“We reduced those down from 30 minutes to 5,” he noted. 

Resolving Common Obstacles to Automation 

Despite all these benefits to implementation, automating security processes and procedures is not without its obstacles. Poor integration and interoperability among systems and platforms, a lack of clearly defined objectives and a limited number of use cases can make it difficult to seamlessly integrate automation into existing workflows. As a result, Hostetler says many organizations hesitate to invest in this technology. 

However, he recommends a five-step framework that can help drive automation initiatives forward:

Step 1: Identify 

The first phase of this framework is an opportunity for IT organizations to view their existing vulnerability infrastructure with a critical eye. A number of questions can help inform this step in the process, including:

• What manual processes exist? 
• What manual processes are the most labor-intensive?
• Are integrations possible?
• Will automation reduce costs? 
• What types of milestones can be defined and reached? 
• Where will automation offer the most value?

Step 2: Design

Once IT leaders address these questions and identify a path forward, the next step is to move into the design phase. 

“I find this to be one of the most critical aspects of this process . . .  it really allows us to . . . . make sure . . .  our automation aligns really well with how the current process works.” 

The first step in the design phase is to develop a visual representation of a given process, including all key integrations. Then, control those workflows with the control requirements and collaborate with process owners to ensure all the necessary elements are incorporated into the workflow. 

Step 3: Develop 

To develop the workflow, there are a number of factors to consider. First and foremost, begin by building the integrations into the automation engine. Next, confirm administration configurations are complete and logs are indexed. Then, it’s important to ensure user restrictions are configured to allow appropriate approvals to take place. Finally, test the workflow. 

“If you get bad data in, your execution is going to get wildly erratic at the end. We test each block of the action before we sign off on it and approve it,” Hostetler said.  

Step 4: Document

Documentation, Hostetler added, is a key component of any automation project. Begin this phase by replacing existing standard operating procedures with automation capabilities. This should also include all of the artifacts that will support that process. 

Step 5: Assess 

Finally, an assessment is key to successful implementation. IT teams must operate both automated and manual processes concurrently to ensure each of these processes yields the same results. 

“As with any automation, there’s a possibility that something wasn’t taken into consideration or that there was a break in the workflow chain, so we want to make sure we can rapidly identify deficiencies and gaps, while maintaining the current process to support normal function,” Hostetler explained. 

By bringing automation into the security process and following these steps to ensure successful implementation, health IT teams can improve their incident response efforts, all while saving time and increasing cost efficiency across the organization. 

Learn more about how National Government Services can help you improve your organization’s security posture with automation.