Leading Health Plan Organizations Learn to Mitigate Breach Exposure by Participating in Industry-Wide Cyberattack Simulation Exercise

The Health Information Trust Alliance (HITRUST) and Deloitte Advisory Cyber Risk Services, in coordination with the U.S. Department of Health and Human Services (HHS), revealed the results of the healthcare industry’s first simultaneous cyber attack simulation exercise for health plans, and named five top actions health plans can take to improve their ability to respond effectively when an incident occurs.

Recent events have raised awareness of cyber threats and attacks targeting health plans. In response, the HITRUST CyberRX 2.0 Health Plan exercise (CyberRX) brought together 250 individuals from 12 health plans across the U.S. to test their cyber incident readiness and identify areas for improvement for industry-wide cyber resilience.

“It is no longer a matter of ‘if,’ but ‘when,’ an organization will be breached. Health plans have made considerable gains over the past several years to strengthen incident response capabilities, but leading companies are aware that regular simulation exercises drive iterative improvements over time. These exercises help organizations and the industry as a whole better prepare and respond, and are a critical component of an organization’s cyber risk mitigation strategy,” said HITRUST CEO, Dan Nutkis.

  1. Establish an incident-response ecosystem. CyberRX demonstrated that many organizations remain reluctant to engage third parties in the midst of an incident. However, as business relationships with third parties have become more technically integrated, the likelihood increases that a third party will be the source of, or be impacted by, a breach. The time to develop trust and incident response integration is before an incident happens, not after.
  2. Share threat intelligence. As the CyberRX exercise unfolded, the HITRUST Cyber Threat Exchange (CTX) shared critical intelligence, yet participants had difficulty sharing their own threat indicators of compromise (IOCs) with the CTX, and with HHS. This validated a recent study of the HITRUST CTX, which found that while 85% of organizations use IOCs, only 5% of organizations share their IOCs.
  3. Know the cyber insurance claims processes. Simulation participants expressed uncertainty about how to quantify losses and submit insurance claims, and what to expect once an incident has been reported. Each insurer is likely to have distinct processes. Incident response plans should include information on how to engage insurers.
  4. Use the incident response plan. Only two out of the twelve participating organizations referenced their incident response plans during the exercise. While the pace of a live situation may make strict adherence to documented plans impractical, having ready access to key information, and adhering to roles and responsibilities defined in the plan, can improve efficiency.
  5. Involve law enforcement at the right time. Several simulation participants engaged law enforcement before evidence of a crime had been established. Law enforcement can aid in compiling and preserving evidence, but acting too soon may distract efforts from aspects of the investigation and recovery process.

Ray Biondo, chief information security officer at Health Care Services Corporation, says that recurring incident response drills are essential in minimizing cyberattack impact. “Cyberattacks can strike with little forewarning and unfold in ways that no one can predict. There’s no such thing as a pre-scripted response, but every time an organization practices incident response, they get better at anticipating the issues they may face.”

“As we see in other industries, having a plan on paper is a basic requirement, but putting it to the test is where organizations gain the muscle memory needed to be effective in a crisis. CyberRX demonstrates the growing commitment of the health insurance industry to cyber resilience,” said John Gelinne, a director for Deloitte Advisory Cyber Risk Services, who led the simulation from a virtual command center.

According to Nutkis, this and other CyberRX exercises help HITRUST better understand what the healthcare industry expects from the HITRUST CSF, the industry’s privacy and security controls framework that provides cybersecurity guidance and synchronizes a wide range of regulations and best practices, and how it can improve the HITRUST CTX, the industry’s most active threat intelligence sharing platform that drives collaboration between government and the private sector.

From the government perspective, “These exercises demonstrate the critical role public-private partnerships play in the incident response process, and as a result HHS is able to better understand how it can support industry,” said Sara Hall, chief information security officer for HHS.

CyberRX Methodology

The CyberRX 2.0 Health Plan exercise brought together participants representing business, operations, technology, security, privacy, communications, legal, compliance, and crisis management teams from within each organization. During a four-hour session, participants responded to systematically delivered cyber incident simulation content, discussing necessary response actions and key decisions to be made. In this scenario, a threat actor compromised the systems of a fictitious health plan company, gaining access to member protected health information (PHI) and initiating fraudulent health claims on a mass scale.

The CyberRX program is an ongoing series of exercises to test the preparedness of healthcare organizations against attacks and attempts to disrupt critical U.S. healthcare operations and infrastructure. It is overseen by a steering committee comprising representatives from the healthcare industry, HITRUST, and HHS. Over 1,000 healthcare organizations have already taken part in CyberRX 2.0 Level 1 exercises so far in 2015.

The preliminary report, titled “HITRUST CyberRX: Health Plans Cyber Simulation Exercise Summer 2015, After Action Report,” includes more detailed findings and recommendations.
