HITRUST/HHS First CyberRX Collaboration Results Revealed

HITRUST LogoHITRUST Highlights Steps to Support Health Industry against Cyber Threats

FRISCO, TX – HITRUST, in coordination with the U.S. Department of Health and Human Services (HHS), revealed the results of the healthcare industry’s first cyber attack simulation, CyberRX. CyberRX is a series of industry-wide exercises used to evaluate the response and threat preparedness of healthcare organizations against attacks and attempts to disrupt U.S. healthcare operations. The unanimous findings from the exercise are:

  • Organizations that participate in cyber exercises are more prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program.
  • Organizations’ preparedness benefits from improved threat intelligence processing capabilities and increased engagement with stakeholders. Organizations varied in their preparedness for processing threat intelligence or with communicating and engaging other stakeholders internally and externally; this issue extends beyond IT to legal/privacy, crisis management, business/clinical operations, management and external business partners; additionally organizations vary in their appetite for and ability to process threat intelligence.
  • Organizations call for greater “freedom” to communicate and collaborate during a cyber crisis and to have a view across the healthcare ecosystem, including common vendors and partners – despite potential legal restrictions and liabilities; participants also had varied opinions on how best to engage law enforcement.
  • Incident response coordination and collaboration capabilities are crucial and the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) capabilities should be enhanced to better support broader and more effective collaboration.

An additional finding is that today’s model of a generic national cybersecurity framework for critical infrastructure is not sufficient to support healthcare organizations in the current cyber threat landscape.

“The growing adoption of new and connected health information technologies and widespread use of mobile devices continue to increase the industry’s exposure to potential attacks,” said CyberRX observer Jim Koenig, Principal, Global Leader, Commercial Privacy, Cybersecurity and Incident Response for Health, Booz Allen Hamilton. “The simulation will help better prepare organizations in the healthcare industry against sophisticated threat actors, and assist leaders in identifying organizational vulnerabilities and opportunities for industry cooperation. We believe this industry-specific approach, if not already being used, is a model from which other critical infrastructure sectors can learn and benefit.”

In fact, the recent “Heartbleed” vulnerability in the popular OpenSSL cryptographic software library presented a valuable real world test of the benefits of these exercises. More than one CyberRX exercise participant has indicated they leveraged lessons learned from the CyberRX exercise to react quickly and more effectively address the issues.

Another important finding of the Spring 2014 CyberRX is the desire for more industry and company-specific exercises. Healthcare organizations will use these to help evaluate their programs, make internal written procedures come alive, and finely tune response processing and the choreography of communications between internal departments and external industry and government stakeholders.

CyberRX attack scenarios included medical devices, health information systems, health exchanges and healthcare.gov. Participants of the CyberRX exercise included: athenahealth, Children’s Medical Center of Dallas, Cooper Health, CVS Caremark, Express Scripts, Health Care Services Corp, Highmark, Humana, United Health Group, U.S. Department of Health and Human Services and WellPoint.

“The initial exercise, although limited in number of participants, is a significant step in establishing an industry CyberRX exercise playbook and formal program; identifying areas where organizations should focus; identifying opportunities for greater collaboration and information sharing between organizations, HITRUST and government; and identifying what gaps exist and where industry needs additional support to better prepared,” said Kevin Charest, Chief Information Security Officer, U.S. Department of Health and Human Services.

HITRUST’s Key Steps in Health Industry Cybersecurity Roadmap
HITRUST has been dedicated to helping organizations safeguard health information with the development of the HITRUST Common Security Framework (CSF), CSF Assurance program and C3. HITRUST is committed to continuing its support of the healthcare industry by expanding and enhancing its programs and services to ensure healthcare organizations of all sizes can effectively mitigate the risks posed by cyber threats.

In response to the CyberRX findings, HITRUST has established a “Health Industry Cybersecurity Roadmap” which includes:

  • Linking HITRUST C3 cyber threat intelligence reports to CSF Controls, evaluating current control guidance per threat report and publishing supplemental guidance, if required
  • Enhancing and expanding the collaboration and incident response capabilities of HITRUST C3
  • Supporting twice yearly CyberRX exercises

“The exercise provided valuable information to help us identify gaps and deficiencies in the current programs we provide to industry. The recommendations are already being implemented, such as ensuring cyber threat reports are coded to CSF controls and the CSF guidance effectively addresses cyber threats targeted at industry – a powerful combination that, when aligned, enables the most timely, relevant and effective framework for cybersecurity,” said Daniel Nutkis, CEO, HITRUST.

Mr. Nutkis continued, “Also benefiting from the exercise is the HITRUST C3, which has grown into the most effective and active information sharing and analysis organization serving the healthcare industry, as we now have better insights into how organizations of different sizes and sophistication want to engage, consume and share cyber threat intelligence and incident information.”

CyberRX Methodology
These Cyber exercises are conducted in partnership with HITRUST, U.S. Department of Health and Human Services (DHHS) and healthcare industry organizations. The inaugural Spring 2014 exercise was held on April 1, 2014 and was a full-day interactive simulation designed by a steering committee of industry leaders and observed by Booz Allen Hamilton. Participants included providers, health plans, prescription benefit managers, pharmacies, HITRUST C3 and DHHS.

The exercises examined both broad and segment-specific scenarios targeting information systems, medical devices and other essential technology resources of the healthcare industry. The steering committee in coordination with Booz Allen Hamilton developed a CyberRX Exercise Playbook that outlined the rules, responsibilities and scenarios of the exercise and organizational referees. Objectives included:

  • Enhance awareness of cyber threats to the healthcare services industry
  • Explore responses to maintain operations in face of complex risks
  • Understand systemic risk to the healthcare system and patients due to disruptions
  • Promote information sharing about cyber threats and vulnerabilities among other healthcare organizations and government

The preliminary report, titled “CyberRX – Health Industry Cyber Threat Exercise Spring 2014 – Call for Action and Collaboration,” includes more detailed findings and recommendations and can be downloaded at http://www.hitrustalliance.net/cyberrx/. The next CyberRX exercise is scheduled for Summer 2014, which will include implementation of some of the recommendations outlined in this report. For more information or to participate in the Summer 2014 CyberRX exercise please visit http://www.hitrustalliance.net/cyberrx/.

About HITRUST
The Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information privacy, risk and security leaders, has established a number of programs to support any and all organizations that create, access, store or exchange personal health and financial information. HITRUST is supporting the industry through its framework, assurance program, cyber center, risk management tools, education and leadership. It is also driving the widespread confidence in the industry’s safeguarding of health information through awareness, education, advocacy and other outreach activities. For more information, visit www.HITRUSTalliance.net.

All product and company names herein may be trademarks of their respective owners.