Results of first cyber-attack simulation point to need for collaboration
Healthcare organizations would benefit from greater preparedness and collaboration to handle unexpected cyber attacks. This was among several findings reported by HITRUST, the Department of Health and Human Services (HHS) and other officials working on CyberRx, a series of industry-wide exercises used to evaluate the response and threat preparedness of healthcare organizations against attacks and attempts to disrupt U.S. healthcare operations.
The inaugural exercise took place on April 1 and included an interactive simulation designed by a steering committee of industry leaders and observed by Booz Allen Hamilton. Participants included providers, health plans, prescription benefit managers, pharmacies, HITRUST C3 and HHS.
The goals of CyberRx include building awareness of cyber threats; exploring responses to maintain operations in the face of complex risks; understanding systematic risks to patients due to disruptions; and promoting information sharing about cyber attacks, said CyberRx observer Jim Koenig, principal, global leader, commercial privacy, cybersecurity and incident response for health at Booz Allen Hamilton, during a press conference on April 21.
CyberRx is especially important due to the rising use of connected technologies in healthcare, he said. “It’s a good practice for industry to take the puzzle pieces in a program to see how they respond to threat scenarios.”
Koenig listed the following four key observations gleaned from the first CyberRx exercise:
- Organizations that participate in cyber exercises are more prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program. “What we found from comments from participants is that regardless of maturity and comprehensiveness of a program, each one identified areas they want to improve,” he said.
- Organizations’ preparedness benefits from improved threat intelligence processing capabilities and increased engagement with stakeholders. “Organizations varied in their preparedness for processing the threat intelligence that kicked off each exercise,” he said. The ability to communicate and engage other stakeholders was essential, and it extends beyond IT to legal and privacy, crisis management, business and clinical operations, management and external business partners.
- Incident response coordination and collaboration capabilities are crucial, and the HITRUST Cyber Threat Intelligence and Incident Coordination Center should be enhanced to better support broader and more effective collaboration.
- Organizations call for greater “freedom” to communicate and collaborate during a cyber crisis and to have a view across the healthcare ecosystem, including common vendors and partners, despite potential legal restrictions and liabilities; participants also had varied opinions on how best to engage law enforcement.
An additional finding is that the generic national cybersecurity framework for critical infrastructure is not sufficient to support healthcare organizations in the current cyber threat landscape, according to Koenig.
Officials at HHS understand the risks inherent in the growing interconnected nature of healthcare, and the exercise has prompted recognition within the agency of how hard it is to share cybersecurity information, said Kevin Charest, chief information security officer at HHS. “There are still barriers that require long-term solutions, in terms of legislative and policy.”
In his comments, Roy Mellinger, vice president of IT security and the chief information security officer for Wellpoint, said the exercise showed that healthcare organizations have the technical acumen to handle threats, but collaboration is inadequate.
"It put out some lessons learned and things we need to think through," he said. "There is strength through knowledge, there is strength through collaboration... Sharing will just make us stronger."