Looking to boost preparedness, an industry-wide effort, dubbed CyberRX, will run simulations to evaluate the industry’s response and threat preparedness against attacks.
The exercises will be conducted in partnership with the US Department of Health and Human Services (HHS) and major healthcare industry companies, and will be led by HITRUST. The plan is to include the participation of providers, health plans, prescription benefit managers, pharmacies and pharmaceutical manufacturers, and HHS, in exercises that will examine both broad and segment-specific scenarios targeting information systems, medical devices and other essential technology resources of the healthcare industry.
“As cyber threats continue to increase and the number of attacks targeted at healthcare organizations rise, industry organizations are seeking useful and actionable information with guidance that augments their existing information security programs without duplication or complication,” said Daniel Nutkis, CEO at HITRUST, in a statement. “CyberRX will undoubtedly provide invaluable information that can be used by organizations to refine their information protection programs and will enable HITRUST C3 to better serve the healthcare industry and support public and private industry partnerships.”
HITRUST plans to coordinate two CyberRX exercises for now. The initial exercise will take place over a two-day period this March, with the second one following in the summer. The Spring 2014 CyberRX exercise will include 12 organizations, predominantly comprised of Summit participating organizations, such as Children's Medical Center Dallas, CVS Caremark, Express Scripts, Health Care Service Corp, Highmark, Humana, UnitedHealth Group and WellPoint. HITRUST is currently soliciting participation for the Summer 2014 CyberRX exercise.
In addition to aiding organizations in evaluating their own processes, the March exercise will focus on the following objectives:
- Developing a better understanding of the healthcare industry’s cyber threat response readiness
- Measuring the effectiveness of HITRUST C3 in supporting the healthcare industry and opportunities for improvement
- Testing the coordination with HHS relating to cyber threats and the healthcare industry response
- Documenting threat and attack scenarios of value for future exercises engaging additional healthcare industry organizations and in support of industry preparedness
“I feel strongly that these exercises are needed as a crucial step in the healthcare industry’s continued maturity around cyber-threat preparedness and response,” said Roy Mellinger, vice president and chief information security officer at WellPoint. “It will allow organizations to evaluate and improve their processes and identify gaps in what is needed industry-wide and from government.”
CyberRX findings will be analyzed and used to identify areas for improvement in the coordination of the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3); with security and incident response programs; and in information-sharing between healthcare organizations, HITRUST and government agencies. These findings of the first exercise will be summarized into a report distributed to the industry and presented at HITRUST 2014 in April 2014.
“We have been coordinating and collaborating with HITRUST to enhance the resources available to the healthcare industry,” said Kevin Charest, chief information security officer at HHS, in a statement. “Our goal for the exercises is to identify additional ways that we can help the industry be better prepared for and better able to respond to cyber-attacks. This exercise will generate valuable information we can use to improve our joint preparedness.”