More than 750 healthcare organizations have signed up for the second round of cyberattack simulations to be carried out beginning in October by HITRUST and the U.S. Department of Health and Human Services.
CyberRX 2.0 will be no-cost exercises aimed at improving organizations' preparedness and response against cyberattacks, according to an announcement. They will include scenarios targeting information systems, medical devices and other healthcare technology.
"HITRUST wanted to establish an expanded approach that supports a large percentage of the healthcare industry [and] allows organizations with varying levels of knowledge and resources to engage in and benefit from the program," Daniel Nutkis, CEO of HITRUST, said in the announcement. "We believe CyberRX 2.0 will foster participation by organizations across the spectrum and, ultimately, the maturity of the industry as a whole."
Just 10 private organizations took part in the first CyberRX exercises in April. Since then, there's been plenty for healthcare organizations to worry about, including a hacktivist attack on Boston Children's Hospital; continuing breaches, including 4.5 million patient records exposed at Community Health Systems; and record fines being levied for HIPAA violations.
CyberRX 2.0 will feature three levels:
- Level I - Local (Basic), October – December 2014: "Table-top" simulations that an organization can use to evaluate its cyber threat readiness and response primarily focused on internal processes
- Level II – Regional (Mature), January 2015 – April 2015: Graduates from Level 1 can take part in this more sophisticated regional exercise that offers the opportunity to build collaboration between multiple organizations simultaneously
- Level III – National (Leading), June 2015 and July 2015: About 50 organizations that have completed Level II are expected to be chosen to take part in this comprehensive simulation to evaluate internal and external cyber threat readiness and response
The CyberRX 2.0 Exercise Playbook with Level I scenarios, which organizations can use regardless of whether they take part, is to be released Oct. 1.
The first round revealed, among its lessons, that healthcare organizations need to better communicate and collaborate in their efforts to secure their systems. Too often, liability concerns hamper efforts to learn from each other.
To learn more:
- here's the announcement