HITRUST: Healthcare Organizations Need to Engage With Third Parties to Improve Cyber Incident Readiness | Healthcare Informatics Magazine

December 4, 2015
by Heather Landi

Following a cyber attack simulation for health plans conducted this past summer, Frisco, Texas-based Health Information Trust Alliance (HITRUST), an industry working group, revealed the results of the exercise and recommended five top actions for healthcare organizations to improve their ability to respond effectively when a cybersecurity incident occurs.

In coordination with Deloitte Advisory Cyber Risk Services and the U.S. Department of Health and Human Services (HHS), HITRUST conducted the CyberRX Health Plans Cyber Simulation Exercise this past summer with the goal of exercising the capabilities of a group of health plans to respond to a wide-scale cyber attack. The CyberRX exercise brought together 250 individuals from 12 health plans across the U.S. to test their cyber incident readiness and identify areas for improvement.

As a result of CyberRX, HITRUST outlined a number of recommendations, including the need for healthcare organizations to develop incident response integration with third parties.

“CyberRX demonstrated that many organizations remain reluctant to engage third parties in the midst of an incident. However, as business relationships with third parties have become more technically integrated, the likelihood increases that a third party will be the source of, or be impacted by, a breach,” HITRUST stated.

HITRUST also recommends that organizations use their incident response plans, and that those plans include information about how to engage insurers and about insurers’ cyber insurance claims processes.

“While the pace of a live situation may make strict adherence to documented plans impractical, having ready access to key information, and adhering to roles and responsibilities defined in the plan, can improve efficiency,” HITRUST stated.

The recommendations also included sharing threat intelligence and involving law enforcement at the right time. According to HITRUST’s report, several simulation participants engaged law enforcement before evidence of a crime had been established. Law enforcement can aid in compiling and preserving evidence, but acting too soon may divert effort from other aspects of the investigation and recovery process.

“It is no longer a matter of ‘if,’ but ‘when,’ an organization will be breached,” HITRUST CEO Dan Nutkis said in a statement. “Health plans have made considerable gains over the past several years to strengthen incident response capabilities, but leading companies are aware that regular simulation exercises drive iterative improvements over time. These exercises help organizations and the industry as a whole better prepare and respond, and are a critical component of an organization’s cyber risk mitigation strategy.”

Sara Hall, chief information security officer for HHS, said, “These exercises demonstrate the critical role public-private partnerships play in the incident response process, and as a result HHS is able to better understand how it can support industry.”

Deloitte Advisory’s Cyber Risk Services designed, executed and observed the CyberRX exercises, concluding with the creation of the exercises' after-action report. A primary observation from CyberRX was that incident response can be strengthened through better integration of business and technical functions. Participants often focused on forensic analysis apart from assessing business impact, and lack of frequent cross-function communication hampered decision-making.
