HITRUST launching cyber attack exercises

The Health Information Trust Alliance (HITRUST) will lead an industry-wide effort to conduct exercises to simulate cyber attacks on healthcare organizations. The results of CyberRX will be used to evaluate the industry’s response and threat preparedness against attacks and attempts to disrupt U.S. healthcare industry operations, according to an announcement.

CyberRX will be conducted in partnership with the Department of Health and Human Services (HHS) and major healthcare industry companies and will include the participation of providers, health plans, prescription benefit managers, pharmacies and pharmaceutical manufacturers and HHS. The exercises will examine both broad and segment-specific scenarios targeting information systems, medical devices and other essential technology resources of the healthcare industry, according to the announcement. CyberRX findings will be analyzed and used to identify areas for improvement in the coordination of the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C³); with security and incident response programs; and in information sharing between healthcare organizations, HITRUST and government agencies. These findings will be summarized into a report distributed to the industry and presented at HITRUST 2014 in April.

“We have been coordinating and collaborating with HITRUST to enhance the resources available to the healthcare industry,” said Kevin Charest, HHS' chief information security officer, in the announcement. “Our goal for the exercises is to identify additional ways that we can help the industry be better prepared for and better able to respond to cyber attacks. This exercise will generate valuable information we can use to improve our joint preparedness.”

HITRUST will coordinate two CyberRX exercises. The initial exercise will take place over a two-day period this spring and the second will take place this summer.

In addition to aiding organizations in evaluating their own processes, the March exercise will focus on the following objectives:

• Developing a better understanding of the healthcare industry’s cyber threat response readiness;
• Measuring the effectiveness of the HITRUST C³ in supporting the healthcare industry and opportunities for improvement;
• Testing the coordination with the U.S. Department of Health and Human Services relating to cyber threats and the healthcare industry response; and
• Documenting threat and attack scenarios of value for future exercises engaging additional healthcare industry organizations and in support of industry preparedness.

HITRUST and HHS held a Health Industry Cyber Threat Preparedness Summit in December 2013 to discuss numerous topics around the healthcare industry’s cyber threat preparedness and coordination and response. One of the recommendations was to evaluate the industry’s preparedness and HITRUST C³ effectiveness through an industry-wide cyber attack and response exercise. The Spring 2014 CyberRX exercise will include 12 organizations. The group is predominantly comprised of Summit-participating organizations, such as Children's Medical Center Dallas, CVS Caremark, Express Scripts, Health Care Service Corp, Highmark, Humana, UnitedHealth Group, and WellPoint. HITRUST is currently soliciting participation for the summer 2014 CyberRX exercise.

“As cyber threats continue to increase and the number of attacks targeted at healthcare organizations rise, industry organizations are seeking useful and actionable information with guidance that augments their existing information security programs without duplication or complication,” said Daniel Nutkis, CEO of HITRUST. “CyberRX will undoubtedly provide invaluable information that can be used by organizations to refine their information protection programs and will enable HITRUST C³ to better serve the healthcare industry and support public and private industry partnerships.”

Healthcare organizations interested in participating in the summer 2014 CyberRX exercise can register to receive additional information or to learn more about HITRUST C³ by visiting www.hitrustalliance.net/c3/.