On April 1, a cross-section of healthcare industry information security executives took part in the first full-day interactive simulation of an industry-wide cyber threat. During the CyberRX simulation, put on by the nonprofit Health Information Trust Alliance (HITRUST) in coordination with the U.S. Dept. of Health and Human Services, companies displayed a wide range of organizational preparedness for processing threat intelligence and for communicating and engaging with other stakeholders, internally and externally, noted Jim Koenig, principal, Global Leader, Commercial Privacy, Cybersecurity and Incident Response for Health at consulting firm Booz Allen Hamilton.
Participants in the CyberRX exercise included athenahealth, Children’s Medical Center of Dallas, Cooper Health, CVS Caremark, Express Scripts, Health Care Services Corp, Highmark, Humana, United Health Group, the U.S. Department of Health and Human Services and WellPoint.
Here are the four exercises the participants worked through:
• A major news network has just reported the posting of a large file of usernames and plaintext passwords purported to belong to participants across the U.S. healthcare system. The report sensationally states that the file contains usernames and passwords for patients, doctors, and nurses across the industry. The conclusion of the expert is that Healthcare.gov has been compromised, as have offices, hospitals, and major insurance companies. These reports are widely repeated and amplified across major news networks.
• A blogger reports that the networks of three major health plan providers have been infiltrated for months and that the infiltrators have full access to customer data.
• During a drug raid in California, the FBI discovers a large quantity of forged doctor prescription pads and the information gets leaked to the public.
• Local news reports a doctor in California is being interrogated on suspicion of altering radiology readings.
Koenig said the exercise helps enhance awareness of cyber threats to the healthcare services industry, and helps providers understand risk to the healthcare system and patients due to disruptions. A goal is to promote information sharing about cyber threats and vulnerabilities among healthcare organizations and government.
“The growing adoption and widespread use of mobile devices in healthcare increases the exposure to potential attacks,” Koenig said. An exercise such as this allows chief information security officers to think about interconnectedness and the choreography of a joint response between the industry and government.
Although they all face a potential chilling effect from legal restrictions, participants suggested that greater industry-wide collaboration is needed and that HITRUST’s Cyber Threat Intelligence and Incident Coordination Center should be enhanced to better support broader and more effective collaboration.
Kevin Charest, chief information security officer for HHS, said the exercise demonstrated how challenging information sharing can be, but said his organization found it very worthwhile and that HHS would continue to participate. “We are all together in this fight.”
The next CyberRX exercise is scheduled for Summer 2014.