The planned cyber attack simulation CyberRX revealed a need for healthcare organizations to better engage their stakeholders in their preparedness plans and to be more open about best practices to help the industry as a whole improve.
The attacks, carried out on April 1 by HITRUST and the U.S. Department of Health & Human Services, included scenarios involving medical devices, health information systems, health exchanges and HealthCare.gov, according to a report, which outlines four findings from the exercises:
- Organizations that participate in cyber exercises are more prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program.
- Organizations' preparedness benefits from improved threat intelligence processing capabilities and increased engagement with stakeholders. Those stakeholders, in addition to IT, may include legal/privacy, crisis management, business/clinical operations, management and external business partners.
- Organizations seek more "freedom" to communicate and collaborate during a cyber crisis despite potential legal restrictions and liabilities.
- Incident response coordination and collaboration capabilities are crucial. "Organizations are realizing their internal playbooks are not as complete as they need to be," Kevin Charest, chief information security officer at HHS and "exercise captain" for the simulation, recently said. That includes getting back to basics such as knowing who to call when an incident has occurred.
In addition, the exercises revealed that a generic national cybersecurity framework for critical infrastructure is not sufficient to support healthcare. Charest, in an announcement accompanying the report, called the exercise a "significant step" in helping organizations identify existing security gaps.
The recent "Heartbleed" vulnerability in the popular OpenSSL cryptographic software library has provided a real-world test of organizations' preparedness. Even if no data is compromised, the vulnerability can erode trust in healthcare IT, according to Boston-based health attorney and FierceHealthIT Editorial Advisory Board member David Harlow.
Participants in the CyberRX exercise included athenahealth, Children's Medical Center of Dallas, Cooper Health, CVS Caremark, Express Scripts, Health Care Services Corp, Highmark, Humana, United Health Group, HHS and WellPoint.
CyberRX has prompted more calls for industry- and company-specific exercises to help organizations test their preparedness. A second drill is planned for this summer.