Plan, Improve, Communicate: How to Recover from a Cyber Security Breach
Ensuring that organizations can rebuild themselves and their reputation after an attack
The RECOVER function of the National Institute of Standards and Technology's Cyber Security Framework (NIST CSF) includes only three categories, but do not mistake brevity for a lack of importance. The RECOVER function, as its name implies, ensures that organizations can rebuild themselves and their reputation after an attack.
"Many people see recover as the most important step," said Symantec CISSP strategist Ken Durbin in our recent webinar on demystifying the NIST CSF. "We all know we are going to get attacked, so why wouldn't the ability to recover be an important part of a cyber security strategy?"
The RECOVER function of the NIST CSF focuses on three core areas:
Recovery planning. Healthcare organizations need a recovery plan that can be executed during and after an event. That plan needs informative references that staff can act on immediately after an attack, and it should be built with multiple stakeholders such as IT executives and managers, compliance officers, administrators, physicians and the like. However, this plan cannot simply be written and put in a drawer: it needs to be reviewed every few months and updated as necessary. Organizations should also rehearse it before an attack to look for areas to improve and to discover any fundamental flaws.
Improvement. Recovery plans need to be updated after an attack to incorporate lessons learned. A recovery plan loses value if its owners do not take the time to analyze what happened during an attack and use that information to improve operations. A recovery plan needs to be a living document that is under constant review.
Communications. Cyber security breaches never look good. Healthcare organizations need a plan for communicating what happened to stakeholders. Providing inaccurate information, or trying to hide a breach, can do more damage to an organization than the breach itself. Organizations should decide in advance how public relations will be managed, who is authorized to talk to the press, and how affected individuals will be contacted. They must also define beforehand the process for reporting the incident to the HHS Office for Civil Rights (OCR), which enforces the HIPAA Breach Notification Rule.
The NIST CSF provides guidelines for healthcare organizations to recover after an attack. Like the other aspects of the NIST CSF, these have been created to help leaders understand where their cyber operations face additional risk. Some organizations will be content with the risk they face, while others will use the NIST CSF as a guide for future investment.
The NIST CSF can provide healthcare organizations with valuable tools. Throughout this series we have looked at each function of the framework, and the previous webinars are available to view on demand. Join us next week, on December 5, for the final webinar in the series, where we explore how to implement the NIST CSF in your organization.