HITRUST: Healthcare Organizations Need to Engage With Third Parties to Improve Cyber Incident Readiness | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

HITRUST: Healthcare Organizations Need to Engage With Third Parties to Improve Cyber Incident Readiness

December 4, 2015
by Heather Landi
| Reprints

Following a cyber attack simulation for health plans conducted this past summer, Frisco, Texas-based Health Information Trust Alliance (HITRUST), an industry working group, revealed the results of the exercise and recommended five top actions for healthcare organizations to improve their ability to respond effectively when a cybersecurity incident occurs.

In coordination with Deloitte Advisory Cyber Risk Services and the U.S. Department of Health and Human Services (HHS), HITRUST conducted the CyberRX Health Plans Cyber Simulation Exercise this past summer with the goal of exercising the capabilities of a group of health plans to respond to a wide-scale cyber attack. The CyberRX exercise brought together 250 individuals from 12 health plans across the U.S. to test their cyber incident readiness and identify areas for improvement.

As a result of CyberRX, HITRUST outlined a number of recommendations, including the need for healthcare organizations to develop incident response integration with third parties.

“CyberRX demonstrated that many organizations remain reluctant to engage third parties in the midst of an incident. However, as business relationships with third parties have become more technically integrated, the likelihood increases that a third party will be the source of, or be impacted by, a breach,” HITRUST stated.

HITRUST also recommends that organizations use their incident response plans and that those plans should include information about how to engage insurers and information about insurers’ cyber insurance claims processes.

“While the pace of a live situation may make strict adherence to documented plans impractical, having ready access to key information, and adhering to roles and responsibilities defined in the plan, can improve efficiency,” HITRUST stated.

And the recommendations included sharing threat intelligence and involving law enforcement at the right time. According to HITRUST’s report, several simulation participants engaged law enforcement before evidence of a crime had been established. Law enforcement can aid in compiling and preserving evidence, but acting too soon may distract efforts from aspects of the investigation and recovery process.

“It is no longer a matter of ‘if,’ but ‘when,’ an organization will be breached,” HITRUST CEO Dan Nutkis said in a statement. “Health plans have made considerable gains over the past several years to strengthen incident response capabilities, but leading companies are aware that regular simulation exercises drive iterative improvements over time. These exercises help organizations and the industry as a whole better prepare and respond, and are a critical component of an organization’s cyber risk mitigation strategy.”

Sara Hall, chief information security officer for HHS, said, “These exercises demonstrate the critical role public-private partnerships play in the incident response process, and as a result HHS is able to better understand how it can support industry.”

Deloitte Advisory’s Cyber Risk Services designed, executed and observed the CyberRX exercises, concluding with the creation of the exercises' after-action report. A primary observation from CyberRX was that incident response can be strengthened through better integration of business and technical functions. Participants often focused on forensic analysis apart from assessing business impact, and lack of frequent cross-function communication hampered decision-making.



Community Data Sharing: Eight Recommendations From San Diego

A learning guide focuses on San Diego’s experience in building a community health information exchange and the realities of embarking on a broad community collaboration to achieve better data sharing.

HealthlinkNY’s Galanis to Step Down as CEO

Christina Galanis, who has served as president and CEO of HealthlinkNY for the past 13 years, will leave her position at the end of the year.

Email-Related Cyber Attacks a Top Concern for Providers

U.S. healthcare providers overwhelmingly rank email as the top source of a potential data breach, according to new research from email and data security company Mimecast and conducted by HIMSS Analytics.

Former Health IT Head in San Diego County Charged with Defrauding Provider out of $800K

The ex-health IT director at North County Health Services, a San Diego County-based healthcare service provider, has been charged with spearheading fraudulent operations that cost the organization $800,000.

Allscripts Touts 1 Billion API Shares in 2017

Officials from Chicago-based health IT vendor Allscripts have attested that the company has reached a new milestone— one billion application programming interface (API) data exchange transactions in 2017.

Dignity Health, CHI Merging to Form New Catholic Health System

Catholic Health Initiatives (CHI), based in Englewood, Colorado, and San Francisco-based Dignity Health officially announced they are merging and have signed a definitive agreement to combine ministries and create a new, nonprofit Catholic health system.