Fire drills are a part of life --- annoying, disruptive, but ultimately necessary.
Everyone probably remembers the fire drills they had in elementary school. Line up, walk in a straight line, go outside, and do not horse around. Teachers counting kids hurriedly like pit crew members working on a first place car in the Indy 500. Fire trucks pulling up, giving kids something to stare at in wonderment for a few minutes.
Fire drills, I learned in the past few years, do not disappear when you get old. They happen in high school, college, and yes, the workplace. If you work in New York City like me, you still have to deal with fire safety drills. I’m not sure if that’s the case elsewhere in the country, but in this city, there are stringent emergency action plans to which every building must comply. Every few months or weeks, loud noises sharply cut into our office and let us know that we have to go into the hall for a drill.
Through the most unfortunate of circumstances, we’ve seen over the years that preparation for this kind of event is a good thing, even if preparing for it cuts into important work. That’s why I was pleasantly surprised to see the folks at HITRUST, the Frisco, Texas-based industry group working to establish a common security framework (CSF) for the healthcare industry, announce this week that it is going to lead an industry-wide effort to conduct exercises to simulate cyber attacks on healthcare organizations. The effort will be called CyberRX.
CyberRX, HITRUST says, will include providers, health plans, prescription benefit managers, pharmacies and pharmaceutical manufacturers, and the U.S. Department of Health and Human Services (HHS). The exercises will examine both broad and segment-specific scenarios in which hackers target information systems and other essential technologies in a healthcare environment. The simulated data breaches will happen in March, and findings will be summarized in a report at a HITRUST event in April of this year.
Kevin Charest, chief information security officer, U.S. Department of Health and Human Services, stated about the fire drill: "Our goal for the exercises is to identify additional ways that we can help the industry be better prepared for and better able to respond to cyber attacks. This exercise will generate valuable information we can use to improve our joint preparedness."
I’ve heard of leading organizations doing this sort of thing, and certainly simulations aren’t a new concept in healthcare. In fact, our own managing editor, John DeGaspari, recently spoke with Alan Brill, the senior managing director at Kroll, a New York-based risk mitigation and response firm, about the seven cyber security trends for 2014. Included in that list was a tidbit about the importance of simulating data breaches.
Still, it’s not exactly a common practice. After all, when I talk to data security experts like Mac McMillan from CynergisTek and Jared Rhoads from CSC, they tell me that most healthcare providers are stuck in a compliance mindset and most don’t take an active role in protecting their data. When it comes to basic protections such as data encryption, even leading organizations are often caught with their proverbial pants down.
Too often, healthcare organizations don’t do anything about a data breach until it’s too late. As these breaches become more routine and sophisticated, this lack of preparation won't be acceptable. Just like a real fire drill prepares children for the unthinkable, this “fire drill” would be a good way to prepare hospitals and healthcare systems for a crippling data breach.
Thoughts? Feel free to write something in the comments below or tweet me at @HCI_GPerna.