Cyber Incident Response and Management

Any organisation that works with digital technologies and deals with (sensitive) personal data should have an incident response strategy in place. Recent reports indicate that healthcare organisations still need to improve in this area, as plans were either informal or non-existent (Snell, 2018). Incident response is a crucial part of managing cybersecurity risks before, during and after they manifest, but it remains a major challenge for healthcare organisations, particularly in areas such as eHealth security (ENISA, 2015, p. 27).

According to ENISA (2016, p. 7): “Incident response and management is the protection of an organisation’s information by developing and implementing an incident response process (e.g. plans, defined roles, training, communications, management oversight) in order to quickly discover an attack and then effectively contain the damage, eradicate the attacker’s presence, and restore the integrity of the network and systems.”

Iterative and dynamic cycle

The term incident response describes all actions taken by an organisation (or a specific team within an organisation) to handle cyberattacks or incidents. These actions most often concern the short-term effects of security incidents (HIMSS, 2017).

HIMSS (2017) states that the following questions should guide security incident response activities once an incident is detected:

  • What is the scope of the incident?
  • What is the origin of the incident? (Find answers to who/what/where/when?)
  • In which phase of progression is the incident? (Active, finished, spilled over to other areas?)
  • How did the incident occur?

However, this does not cover the full scope of adequate incident response and management. The review process should not simply stop once a single incident has been handled. No incident should be considered an isolated, one-time act. Instead, there should be a continuous evaluation process in relation to cyber incidents (Bandos, 2019; Jalali, Russell, Razak, & Gordon, 2019).

Incident response plans

Having a holistic incident response strategy or plan in place will greatly increase an organisation’s resilience. Organisational resilience pertains to an organisation’s ability to “anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper” (BSI, n.d.).

As described in more detail by the SANS Institute (Kral, 2012), the following steps are part of a good incident response and management plan:

  • Preparation: Set up guidelines for response and documentation. Conduct risk analysis and put preventative measures and protection in place. Where possible, limit the interdependence of systems (proactive containment).
  • Identification: Identify the incident, where it originates from, and in which phase it is (on-going, complete, spillover).
  • Containment: Disconnect systems or devices that are not critical to the organisation from the network.
  • Eradication: Remove malware, infected devices, and reboot systems. If necessary, restore a backup.
  • Lessons Learned: Review the incident, the activities that led up to it, and the activities undertaken to respond to and manage it. Detailed documentation of response activities is necessary. The outcomes should feed back into the preparation phase.

See the Incident Handler’s Handbook for more information about these steps and how to implement them: 

For additional recommendations, see the article by Jalali et al. (2019):

Key challenges for incident response and management

There are four key challenges organisations face in their incident response cycle (ENISA, 2016, pp. 13–14):

  1. Human Resources: it is difficult to find and hire skilled IT security personnel due to shortages in the field.
  2. Processes and procedures: preparing and developing an operable incident response plan is a complex task.
  3. Political and legal framework: the need for an incident response plan, and the additional financial spending it may require, may not be fully understood in all layers of the organisation.
  4. Technology (tools and data): with increased digitalisation, incident response requires more and more advanced tools and technologies, but organisations may not have these available to them.

Simply investing more money in cybersecurity and related areas is not always effective. Some research has shown that the prevalence of data breaches has increased alongside the investment in security measures (i-Scoop, n.d.). As such, incident response plans should take into account the available resources of the organisation, even if (or especially when) there are limited resources.

To facilitate discussions on developing effective cybersecurity incident management plans and strategies, the following guide by the Centers for Disease Control and Prevention (2016) may be helpful in determining readiness for managing cyber incidents:

Further reading and resources

For further information on these topics, in addition to the referenced texts, these sites provide further support on incident response and management:


Bandos, T. (2019, June 26). The Five Steps of Incident Response. Retrieved 26 August 2019, from Data Insider – Digital Guardian website:

ENISA. (2015). Security and Resilience in eHealth Infrastructures and Services [Report/Study]. Retrieved 27 August 2019, from

ENISA. (2016). Strategies for efficient incident response and coordination towards cyber threats. Retrieved from

HIMSS. (2017, August 7). Topic Brief: Cybersecurity Incident Response. Retrieved 27 August 2019, from HIMSS website:

i-Scoop. (n.d.). Evolutions in healthcare and cybersecurity threats – beyond compliance. Retrieved 27 August 2019, from i-SCOOP website:

Jalali, M. S., Russell, B., Razak, S., & Gordon, W. J. (2019). EARS to cyber incidents in health care. Journal of the American Medical Informatics Association, 26(1), 81–90.

Snell, E. (2018, March 20). Improving Cybersecurity Response in Healthcare Organizations. Retrieved 27 August 2019, from HealthITSecurity website: