HHS CISO: Healthcare orgs need to beef up basic security practices

A recent cybersecurity drill found that healthcare organizations need to be more willing to share information and best practices, Kevin Charest, chief information security officer at the U.S. Department of Health and Human Services, says in an article at Healthcare Info Security.

Healthcare organizations tend to play it close to the vest because of liability fears, which hampers the industry as a whole in efforts to improve, he said.

The recent CyberRX drill involved information security teams at 13 healthcare sector companies, including a large nationwide retail pharmacy chain, hospitals and health insurance companies. Such a large interconnected system creates more risk, compared with other sectors, he said.

Four cybersecurity exercises were conducted over seven hours including a simulated attack on a state health insurance exchange connected to HHS' HealthCare.gov insurance marketplace and another involving a compromised medical device.

The drill also revealed that some organizations need to improve their "basic blocking and tackling."

"Organizations are realizing their internal playbooks are not as complete as they need to be," he says. That includes getting back to basics such as knowing who to call when an incident has occurred.

"It is clear that one of the conundrums is 'what do I share, and how can I share so it doesn't cause me liability?'" Charest says. "If you've got a breach or other problem, and you share that [information], what liability have you introduced into your environment? Not liability from a cybersecurity standpoint, but liability from a company standpoint."

More about the lessons learned from the drill will be revealed at an April 21 conference planned by the Health Information Trust Alliance (HITRUST), which is coordinating the drills with HHS. A second drill is planned for this summer.

HHS and HITRUST began monthly threat briefings in April. The free briefings aim to address recent and ongoing cyber threats, lessons learned and offer support for healthcare organizations.

In a mock cyber attack on the Indian Health Service, hackers were able to gain access to a web server, which opened up the internal IHS network along with user account and password data. That high-risk flaw potentially could allow access to the whole HHS network, the report found.
