CyberRX: First industry-wide healthcare cyber attack exercise

HITRUST will lead an industry-wide effort to conduct exercises to simulate cyber attacks on healthcare organizations, named CyberRX. The results will be used to evaluate the industry’s response and threat preparedness against attacks and attempts to disrupt U.S. healthcare industry operations.

These exercises will be conducted in partnership with the U.S. Department of Health and Human Services (DHHS) and major healthcare industry companies. The initial exercise will take place over a two-day period in Spring 2014, and the second one will take place in Summer 2014.

CyberRX will include the participation of providers, health plans, prescription benefit managers, pharmacies and pharmaceutical manufacturers, and DHHS. The exercises will examine both broad and segment-specific scenarios targeting information systems, medical devices and other essential technology resources of the healthcare industry.

Findings will be analyzed and used to identify areas for improvement in the coordination of the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3); with security and incident response programs; and in information sharing between healthcare organizations, HITRUST and government agencies.

“We have been coordinating and collaborating with HITRUST to enhance the resources available to the healthcare industry,” said Kevin Charest, CISO, U.S. Department of Health and Human Services. “Our goal for the exercises is to identify additional ways that we can help the industry be better prepared for and better able to respond to cyber attacks. This exercise will generate valuable information we can use to improve our joint preparedness.”

In addition to aiding organizations in evaluating their own processes, the March exercise will focus on the following objectives:

• Developing a better understanding of the healthcare industry’s cyber threat response readiness
• Measuring the effectiveness of the HITRUST C3 in supporting the healthcare industry and opportunities for improvement
• Testing the coordination with the U.S. Department of Health and Human Services relating to cyber threats and the healthcare industry response
• Documenting threat and attack scenarios of value for future exercises engaging additional healthcare industry organizations and in support of industry preparedness.

“As cyber threats continue to increase and the number of attacks targeted at healthcare organizations rise, industry organizations are seeking useful and actionable information with guidance that augments their existing information security programs without duplication or complication,” said Daniel Nutkis, chief executive officer, HITRUST.