FRISCO, Texas & NEW YORK--(BUSINESS WIRE)--The Health Information Trust Alliance (HITRUST) and Deloitte Advisory Cyber Risk Services, in coordination with the U.S. Department of Health and Human Services (HHS), revealed today the results of the healthcare industry’s first simultaneous cyberattack simulation exercise for health plans, and named five top actions health plans can take to improve their ability to respond effectively when an incident occurs.
Recent events have raised awareness of cyber threats and attacks targeting health plans. In response, the HITRUST CyberRX 2.0 Health Plan exercise (CyberRX) brought together 250 individuals from 12 health plans across the U.S. to test their cyber incident readiness and identify areas for improvement for industry-wide cyber resilience.
“It is no longer a matter of ‘if,’ but ‘when,’ an organization will be breached. Health plans have made considerable gains over the past several years to strengthen incident response capabilities, but leading companies are aware that regular simulation exercises drive iterative improvements over time. These exercises help organizations and the industry as a whole better prepare and respond, and are a critical component of an organization’s cyber risk mitigation strategy,” said HITRUST CEO, Dan Nutkis.
Deloitte Advisory’s Cyber Risk Services designed, executed and observed the CyberRX exercises, concluding with the creation of the exercises' after-action report. A primary observation from CyberRX was that incident response can be strengthened through better integration of business and technical functions. Participants often focused on forensic analysis apart from assessing business impact, and lack of frequent cross-function communication hampered decision-making. During a crisis, leaders must be prepared to act, even when technical information is incomplete. The exercise also revealed several specific actions health plans can take to improve incident response capabilities:
1. Establish an incident-response ecosystem. CyberRX demonstrated that many organizations remain reluctant to engage third parties in the midst of an incident. However, as business relationships with third parties have become more technically integrated, the likelihood increases that a third party will be the source of, or be impacted by, a breach. The time to develop trust and incident response integration is before an incident happens, not after.
2. Share threat intelligence. As the CyberRX exercise unfolded, the HITRUST Cyber Threat Exchange (CTX) shared critical intelligence, yet participants had difficulty sharing their own threat indicators of compromise (IOCs) with the CTX, and with HHS. This validated a recent study of the HITRUST CTX, which found that while 85% of organizations use IOCs, only 5% of organizations share their IOCs.
3. Know the cyber insurance claims processes. Simulation participants expressed uncertainty about how to quantify losses and submit insurance claims, and what to expect once an incident has been reported. Each insurer is likely to have distinct processes. Incident response plans should include information on how to engage insurers.
4. Use the incident response plan. Only two out of the twelve participating organizations referenced their incident response plans during the exercise. While the pace of a live situation may make strict adherence to documented plans impractical, having ready access to key information, and adhering to roles and responsibilities defined in the plan, can improve efficiency.
5. Involve law enforcement at the right time. Several simulation participants engaged law enforcement before evidence of a crime had been established. Law enforcement can aid in compiling and preserving evidence, but acting too soon may distract efforts from aspects of the investigation and recovery process.
Ray Biondo, chief information security officer at Health Care Services Corporation, says that recurring incident response drills are essential in minimizing cyberattack impact. “Cyberattacks can strike with little forewarning and unfold in ways that no one can predict. There’s no such thing as a pre-scripted response, but every time an organization practices incident response, they get better at anticipating the issues they may face.”
“As we see in other industries, having a plan on paper is a basic requirement, but putting it to the test is where organizations gain the muscle memory needed to be effective in a crisis. CyberRX demonstrates the growing commitment of the health insurance industry to cyber resilience,” said John Gelinne, a director for Deloitte Advisory Cyber Risk Services, who led the simulation from a virtual command center.
According to Nutkis, this and other CyberRX exercises help HITRUST better understand what the healthcare industry expects from the HITRUST CSF, the industry’s privacy and security controls framework that provides cybersecurity guidance and synchronizes a wide range of regulations and best practices, and how it can improve the HITRUST CTX, the industry’s most active threat intelligence sharing platform that drives collaboration between government and the private sector.
From the government perspective, “These exercises demonstrate the critical role public-private partnerships play in the incident response process, and as a result HHS is able to better understand how it can support industry,” said Sara Hall, chief information security officer for HHS.
CyberRX Methodology
The CyberRX 2.0 Health Plan exercise brought together participants representing business, operations, technology, security, privacy, communications, legal, compliance, and crisis management teams from within each organization. During a four-hour session, participants responded to systematically delivered cyber incident simulation content, discussing necessary response actions and key decisions to be made. In this scenario, a threat actor compromised the systems of a fictitious health plan company, gaining access to member protected health information (PHI) and initiating fraudulent health claims on a mass scale.
The CyberRX program is an ongoing series of exercises to test the preparedness of healthcare organizations against attacks and attempts to disrupt critical U.S. healthcare operations and infrastructure. It is overseen by a steering committee comprising representatives from the healthcare industry, HITRUST, and HHS. Over 1,000 healthcare organizations have already taken part in CyberRX 2.0 Level 1 exercises so far in 2015.
The preliminary report, titled “HITRUST CyberRX: Health Plans Cyber Simulation Exercise Summer 2015, After Action Report,” includes more detailed findings and recommendations. The report can be downloaded at https://hitrustalliance.net/documents/cyber_intel/cyberrx/HITRUST_CyberRX_HP_2015_AAR_Deloitte_FINAL_12012015.pdf.
About HITRUST
Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST - in collaboration with public and private healthcare technology, privacy and information security leaders - has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.
HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit www.HITRUSTalliance.net.
About Deloitte Advisory Cyber Risk Services
Deloitte Advisory’s Cyber Risk Services help complex organizations more confidently pursue their strategic growth, innovation and performance objectives through proactive management of the associated cyber risks. With deep experience across a broad range of industries, Cyber Risk Services practitioners provide advisory and implementation services, spanning executive and technical functions, to help transform legacy IT security programs into proactive, Secure. Vigilant. Resilient.™ programs that better align security investments with business risk priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents.
As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
All product and company names herein may be trademarks of their respective owners.
