CyberRX: Healthcare industry’s first cyber attack simulation

HITRUST, in coordination with the U.S. Department of Health and Human Services (DHHS), revealed the results of the healthcare industry’s first cyber attack simulation, CyberRX.

CyberRX is a series of industry-wide exercises used to evaluate the response and threat preparedness of healthcare organizations against attacks and attempts to disrupt U.S. healthcare operations. The unanimous findings from the exercise are:

  • Organizations that participate in cyber exercises are more prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program.
  • Organizations’ preparedness benefits from improved threat intelligence processing capabilities and increased engagement with stakeholders. Organizations varied in their preparedness for processing threat intelligence or with communicating and engaging other stakeholders internally and externally; this issue extends beyond IT to legal/privacy, crisis management, business/clinical operations, management and external business partners; additionally organizations vary in their appetite for and ability to process threat intelligence.
  • Organizations call for greater “freedom” to communicate and collaborate during a cyber crisis and to have a view across the healthcare ecosystem, including common vendors and partners – despite potential legal restrictions and liabilities; participants also had varied opinions on how best to engage law enforcement.
  • Incident response coordination and collaboration capabilities are crucial and the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) capabilities should be enhanced to better support broader and more effective collaboration.

An additional finding is that today’s model of a generic national cybersecurity framework for critical infrastructure is not sufficient to support healthcare organizations in the current cyber threat landscape.

“The growing adoption of new and connected health information technologies and widespread use of mobile devices continue to increase the industry’s exposure to potential attacks,” said CyberRX observer Jim Koenig, Principal, Global Leader, Commercial Privacy, Cybersecurity and Incident Response for Health, Booz Allen Hamilton. “The simulation will help better prepare organizations in the healthcare industry against sophisticated threat actors, and assist leaders in identifying organizational vulnerabilities and opportunities for industry cooperation. We believe this industry-specific approach, if not already being used, is a model from which other critical infrastructure sectors can learn and benefit.”

In fact, the recent Heartbleed vulnerability in the popular OpenSSL cryptographic software library presented a valuable real world test of the benefits of these exercises. More than one CyberRX exercise participant has indicated they leveraged lessons learned from the CyberRX exercise to react quickly and more effectively address the issues.

Another important finding of the Spring 2014 CyberRX is the desire for more industry and company-specific exercises. Healthcare organizations will use these to help evaluate their programs, make internal written procedures come alive, and finely tune response processing and the choreography of communications between internal departments and external industry and government stakeholders.

CyberRX attack scenarios included medical devices, health information systems, health exchanges and healthcare.gov. Participants of the CyberRX exercise included: athenahealth, Children’s Medical Center of Dallas, Cooper Health, CVS Caremark, Express Scripts, Health Care Services Corp, Highmark, Humana, United Health Group, U.S. Department of Health and Human Services and WellPoint.

“The initial exercise, although limited in number of participants, is a significant step in establishing an industry CyberRX exercise playbook and formal program; identifying areas where organizations should focus; identifying opportunities for greater collaboration and information sharing between organizations, HITRUST and government; and identifying what gaps exist and where industry needs additional support to better prepared,” said Kevin Charest, Chief Information Security Officer, U.S. Department of Health and Human Services.