HITRUST: Healthcare Organizations Need to Engage With Third Parties to Improve Cyber Incident Readiness | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

HITRUST: Healthcare Organizations Need to Engage With Third Parties to Improve Cyber Incident Readiness

December 4, 2015
by Heather Landi
| Reprints

Following a cyber attack simulation for health plans conducted this past summer, Frisco, Texas-based Health Information Trust Alliance (HITRUST), an industry working group, revealed the results of the exercise and recommended five top actions for healthcare organizations to improve their ability to respond effectively when a cybersecurity incident occurs.

In coordination with Deloitte Advisory Cyber Risk Services and the U.S. Department of Health and Human Services (HHS), HITRUST conducted the CyberRX Health Plans Cyber Simulation Exercise this past summer with the goal of exercising the capabilities of a group of health plans to respond to a wide-scale cyber attack. The CyberRX exercise brought together 250 individuals from 12 health plans across the U.S. to test their cyber incident readiness and identify areas for improvement.

As a result of CyberRX, HITRUST outlined a number of recommendations, including the need for healthcare organizations to develop incident response integration with third parties.

“CyberRX demonstrated that many organizations remain reluctant to engage third parties in the midst of an incident. However, as business relationships with third parties have become more technically integrated, the likelihood increases that a third party will be the source of, or be impacted by, a breach,” HITRUST stated.

HITRUST also recommends that organizations use their incident response plans and that those plans should include information about how to engage insurers and information about insurers’ cyber insurance claims processes.

“While the pace of a live situation may make strict adherence to documented plans impractical, having ready access to key information, and adhering to roles and responsibilities defined in the plan, can improve efficiency,” HITRUST stated.

And the recommendations included sharing threat intelligence and involving law enforcement at the right time. According to HITRUST’s report, several simulation participants engaged law enforcement before evidence of a crime had been established. Law enforcement can aid in compiling and preserving evidence, but acting too soon may distract efforts from aspects of the investigation and recovery process.

“It is no longer a matter of ‘if,’ but ‘when,’ an organization will be breached,” HITRUST CEO Dan Nutkis said in a statement. “Health plans have made considerable gains over the past several years to strengthen incident response capabilities, but leading companies are aware that regular simulation exercises drive iterative improvements over time. These exercises help organizations and the industry as a whole better prepare and respond, and are a critical component of an organization’s cyber risk mitigation strategy.”

Sara Hall, chief information security officer for HHS, said, “These exercises demonstrate the critical role public-private partnerships play in the incident response process, and as a result HHS is able to better understand how it can support industry.”

Deloitte Advisory’s Cyber Risk Services designed, executed and observed the CyberRX exercises, concluding with the creation of the exercises' after-action report. A primary observation from CyberRX was that incident response can be strengthened through better integration of business and technical functions. Participants often focused on forensic analysis apart from assessing business impact, and lack of frequent cross-function communication hampered decision-making.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Study will Leverage Connecticut HIE to Help Prevent Suicides

A new study will aim to leverage CTHealthLink, a physician-led health information exchange (HIE) in Connecticut, to help identify the factors leading to suicide and to ultimately help prevent those deaths.

Duke Health First to Achieve HIMSS Stage 7 Rating in Analytics

North Carolina-based Duke Health has become the first U.S. healthcare institution to be awarded the highest honor for analytic capabilities by HIMSS Analytics.

NIH Releases First Dataset from Adolescent Brain Development Study

The National Institutes of Health (NIH) announced the release of the first dataset from the Adolescent Brain Cognitive Development (ABCD) study, which will enable scientists to conduct research on the many factors that influence brain, cognitive, social, and emotional development.

Boston Children's Accelerates Data-Driven Approach to Clinical Research

In an effort to bring a more data-driven approach to clinical research, Boston Children’s Hospital has joined the TriNetX global health research network.

Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds

Despite the high level of hospital adoption of electronic health records and federal incentives to do so, paper and films were the most frequent location of breached data in hospitals, according to a recent study.

AHA Appoints Senior Advisor for Cybersecurity and Risk

The American Hospital Association (AHA) has announced that John Riggi has joined the association as senior advisor for cybersecurity and risk.