Skip to content Skip to navigation

HITRUST: Healthcare Organizations Need to Engage With Third Parties to Improve Cyber Incident Readiness

December 4, 2015
by Heather Landi
| Reprints

Following a cyber attack simulation for health plans conducted this past summer, Frisco, Texas-based Health Information Trust Alliance (HITRUST), an industry working group, revealed the results of the exercise and recommended five top actions for healthcare organizations to improve their ability to respond effectively when a cybersecurity incident occurs.

In coordination with Deloitte Advisory Cyber Risk Services and the U.S. Department of Health and Human Services (HHS), HITRUST conducted the CyberRX Health Plans Cyber Simulation Exercise this past summer with the goal of exercising the capabilities of a group of health plans to respond to a wide-scale cyber attack. The CyberRX exercise brought together 250 individuals from 12 health plans across the U.S. to test their cyber incident readiness and identify areas for improvement.

As a result of CyberRX, HITRUST outlined a number of recommendations, including the need for healthcare organizations to develop incident response integration with third parties.

“CyberRX demonstrated that many organizations remain reluctant to engage third parties in the midst of an incident. However, as business relationships with third parties have become more technically integrated, the likelihood increases that a third party will be the source of, or be impacted by, a breach,” HITRUST stated.

HITRUST also recommends that organizations use their incident response plans and that those plans should include information about how to engage insurers and information about insurers’ cyber insurance claims processes.

“While the pace of a live situation may make strict adherence to documented plans impractical, having ready access to key information, and adhering to roles and responsibilities defined in the plan, can improve efficiency,” HITRUST stated.

And the recommendations included sharing threat intelligence and involving law enforcement at the right time. According to HITRUST’s report, several simulation participants engaged law enforcement before evidence of a crime had been established. Law enforcement can aid in compiling and preserving evidence, but acting too soon may distract efforts from aspects of the investigation and recovery process.

“It is no longer a matter of ‘if,’ but ‘when,’ an organization will be breached,” HITRUST CEO Dan Nutkis said in a statement. “Health plans have made considerable gains over the past several years to strengthen incident response capabilities, but leading companies are aware that regular simulation exercises drive iterative improvements over time. These exercises help organizations and the industry as a whole better prepare and respond, and are a critical component of an organization’s cyber risk mitigation strategy.”

Sara Hall, chief information security officer for HHS, said, “These exercises demonstrate the critical role public-private partnerships play in the incident response process, and as a result HHS is able to better understand how it can support industry.”

Deloitte Advisory’s Cyber Risk Services designed, executed and observed the CyberRX exercises, concluding with the creation of the exercises' after-action report. A primary observation from CyberRX was that incident response can be strengthened through better integration of business and technical functions. Participants often focused on forensic analysis apart from assessing business impact, and lack of frequent cross-function communication hampered decision-making.



OSU Wexner Medical Center Receives AHIMA Grace Award

The Ohio State University Wexner Medical Center (OSUWMC) received the American Health Information Management Association (AHIMA) annual Grace Award in recognition of its leadership in health information management.

Kansas Health Information Network Expands its Network across State Lines

The Kansas Health Information Network (KHIN) has announced that it is expanding its horizons, and is now connected to Health Information Exchange Texas (HIETexas).

CMS Selects Vendor to Modernize Critical Identity Infrastructure

The Centers for Medicare & Medicaid Services (CMS) last week announced it had selected San Francisco-based vendor Okta to enhance the security of its information systems.

Mayo Clinic, ASU Partner for Medical Education, Healthcare Innovation

The Mayo Clinic and Arizona State University have announced a partnership centered on transforming medical education and healthcare in the U.S. through a variety of innovation efforts.

CMS Hospital Compare Website Updated with VA Data

The Centers for Medicare & Medicaid Services (CMS) has announced the inclusion of Veterans Administration (VA) hospital performance data as part of the federal agency’s Hospital Compare website.

CMS Awards Funding to Special Innovation Projects

The Centers for Medicare & Medicaid Services (CMS) has awarded 20, two-year Special Innovation Projects (SIPs) aimed at local efforts to deliver better care at lower cost.