First CyberRX Exercise Outlines Areas for Improvement for Healthcare Organizations
Healthcare organizations are still struggling with information sharing both internally and externally, participants in an industry-wide cyber-security exercise said.
The Health Information Trust Alliance (HITRUST) teamed up with the U.S. Department of Health and Human Service (HHS) in the CyberRX initiative to determine just how prepared organizations were to handle cyber-incidents. The first exercise was conducted over a seven-hour period on April 1, and the results of the first simulations were released Monday. The second exercise is scheduled for this summer.
Throughout the one-day event, organizations were faced with a randomly selected cyber-incident scenario, such as a major username and password breach, a network breach at a health plan provider exposing patient health records, an information leak, or a potential insider threat case. Organizations varied in how prepared they were to process threat intelligence, communicating the information to internal stakeholders, and engaging with external partners in the industry and government.
The "weakness isn't necessarily on technology implementations, it's the ability to coordinate and collaborate across the myriad of participants in healthcare," Roy Mellinger, WellPoint's vice president and CISO, said in a phone briefing on the CyberRX results on Monday.
Despite having mature programs in place to process and identify potential incidents, many organizations still struggled with delivering threat intelligence and incident information with relevant legal or privacy teams, crisis management, business operations, and other management-level stakeholders, the report found. Participating organizations found roadblocks to sharing information with stakeholders outside of their incident response teams and IT departments, said Jim Koenig, principal and global leader for commercial privacy, cybersecurity and incident response for health at Booz Allen Hamilton.
Koenig noted that organizations want to collaborate, but they are often deterred from doing so because of potential legal restrictions regarding how data can be shared. Organizations are also uncertain about when to call law enforcement, he said.
At the conclusion of this round, the participants agreed that more formalized procedures needed to be created so that responsibilities and effective communication processes would be clearly defined.
"The challenge is how to coordinate and collaborate across them all," Mellinger said.
Smaller organizations lacking deep internal cybersecurity resources or seasoned staff tend to rely more heavily on guidance available from other organizations, such as HHS or HITRUST, Mellinger noted. This makes the role of a centralized coordinating agency such as HITRUST's Cyber Threat Intelligence and Incident Coordination Center (C3) doubly important as it facilitates industry collaboration and allows "multiple entities to get the information they need to prepare and respond, regardless of size," Mellinger said.
HITRUST will be enhancing its C3Portal with additional tools to encourage collaboration and support incident response, said HITRUST CEO Daniel Nutkis.
The Heartbleed vulnerability is a very good example of how important it is for organizations to share threat information, Mellinger said. HITRUST issued an industry alert listing companies affected by the OpenSSL vulnerability and where software patches were available, so that healthcare organizations had up-to-date information on the situation.
The simulated attacks covered four major types of incidents. In the password breach scenario, participants saw news reports that a large file containing usernames and plain text passwords belonging to users of Healthcare.gov and various medical facilities and major insurance companies had been leaked. In the network breach scenario, a blogger reported the networks of three major health plan providers had been infiltrated for months and that attackers had full access to patient data. The information leak scenario involved a drug raid in California where law enforcement officials found a large quantity of doctor prescription pads and the information gets leaked to the public. And the final scenario, of insider threat, involved news reports of a California doctor suspected of altering radiology readings.
Various healthcare organizations, including UnitedHealth Group, Humana, Highmark, Health Care Service Corporation (HCSC), AthenaHealth, Cooper Health, WellPoint, the Children's Medical Center in Dallas, CVS Caremark, and Express Scripts participated in this round, and Booz Allen Hamilton was an observer for the drills.
Exercises such as CyberRX help CISOs and other senior managers understand the kind of cyber-threats facing the healthcare services industry and to consider how all the organizations are inter-connected. The exercise would also help define how industry and government can jointly respond to threats.
The exercise demonstrated the challenges of information sharing, said Kevin Charest, CISO of HHS. Even so, the exercise was worthwhile and HHS will continue to participate, Charest said, adding, “We are all together in this fight.”
These types of cyber exercises and cyber attack simulations are becoming more popular among industry organizations, government, and academia.
Late last year, dozens of London-based banks joined other financial institutions for a giant exercise to test their defenses against a cyber-attack. Dubbed "Waking Shark II", details of the exercise were kept secret, but sources said it tested how banks coped with a sustained attack, focusing in particular on investment banking systems.
In November 2013, NATO launched a series of cyber exercises to practice warding off massive, simultaneous attacks on member states and their partners.
In April 2012, Lockheed Martin, hosted emerging cyber leaders from U.S. and Canadian military service academies to test their capabilities against experts from the National Security Agency in the annual Cyber Defense Exercise (CDX).
Additional reporting by Mike Lennon