First CyberRX Exercise Outlines Areas for Improvement for Healthcare Organizations, DHHS and HITRUST

  HITRUST Highlights Steps to Support Health Industry against Cyber Threats

Business Wire

FRISCO, Texas -- April 21, 2014

HITRUST, in coordination with the U.S. Department of Health and Human Services
(DHHS), revealed today the results of the healthcare industry’s first cyber
attack simulation, CyberRX. CyberRX is a series of industry-wide exercises
used to evaluate the response and threat preparedness of healthcare
organizations against attacks and attempts to disrupt U.S. healthcare
operations. The unanimous findings from the exercise are:

  *Organizations that participate in cyber exercises are more prepared for a
    cyber attack, regardless of the maturity and comprehensiveness of their
    information security program.
  *Organizations’ preparedness benefits from improved threat intelligence
    processing capabilities and increased engagement with stakeholders.
    Organizations varied in their preparedness for processing threat
    intelligence and for communicating and engaging with other stakeholders,
    internally and externally. This issue extends beyond IT to legal/privacy,
    crisis management, business/clinical operations, management and external
    business partners. Organizations also vary in their appetite for, and
    ability to process, threat intelligence.
  *Organizations call for greater “freedom” to communicate and collaborate
    during a cyber crisis and to have a view across the healthcare ecosystem,
    including common vendors and partners - despite potential legal
    restrictions and liabilities; participants also had varied opinions on how
    best to engage law enforcement.
  *Incident response coordination and collaboration capabilities are crucial
    and the HITRUST Cyber Threat Intelligence and Incident Coordination Center
    (C^3) capabilities should be enhanced to better support broader and more
    effective collaboration.

An additional finding is that today’s model of a generic national
cybersecurity framework for critical infrastructure is not sufficient to
support healthcare organizations in the current cyber threat landscape.

“The growing adoption of new and connected health information technologies and
widespread use of mobile devices continue to increase the industry’s exposure
to potential attacks,” said CyberRX observer Jim Koenig, Principal, Global
Leader, Commercial Privacy, Cybersecurity and Incident Response for Health,
Booz Allen Hamilton. “The simulation will help better prepare organizations in
the healthcare industry against sophisticated threat actors, and assist
leaders in identifying organizational vulnerabilities and opportunities for
industry cooperation. We believe this industry-specific approach, if not
already being used, is a model from which other critical infrastructure
sectors can learn and benefit.”

In fact, the recent “Heartbleed” vulnerability in the popular OpenSSL
cryptographic software library presented a valuable real-world test of the
benefits of these exercises. More than one CyberRX participant indicated
that they applied lessons learned from the exercise to react quickly and
address the issue more effectively.

Another important finding of the Spring 2014 CyberRX is the desire for more
industry- and company-specific exercises. Healthcare organizations will use
these to evaluate their programs, bring internal written procedures to life,
and fine-tune response processes and the choreography of communications
between internal departments and external industry and government
stakeholders.

CyberRX attack scenarios included medical devices, health information systems,
health exchanges and

Participants of the CyberRX exercise included: athenahealth, Children’s
Medical Center of Dallas, Cooper Health, CVS Caremark, Express Scripts, Health
Care Services Corp, Highmark, Humana, United Health Group, U.S. Department of
Health and Human Services and

“The initial exercise, although limited in number of participants, is a
significant step in establishing an industry CyberRX exercise playbook and
formal program; identifying areas where organizations should focus;
identifying opportunities for greater collaboration and information sharing
between organizations, HITRUST and government; and identifying what gaps exist
and where industry needs additional support to be better prepared,” said Kevin
Charest, Chief Information Security Officer, U.S. Department of Health and
Human Services.

HITRUST’s Key Steps in Health Industry Cybersecurity Roadmap

HITRUST has been dedicated to helping organizations safeguard health
information with the development of the HITRUST Common Security Framework
(CSF), CSF Assurance program and C^3. HITRUST is committed to continuing its
support of the healthcare industry by expanding and enhancing its programs and
services to ensure healthcare organizations of all sizes can effectively
mitigate the risks posed by cyber threats.

In response to the CyberRX findings, HITRUST has established a “Health
Industry Cybersecurity Roadmap” which includes:

  *Linking HITRUST C^3 cyber threat intelligence reports to CSF Controls,
    evaluating current control guidance per threat report and publishing
    supplemental guidance, if required
  *Enhancing and expanding the collaboration and incident response
    capabilities of HITRUST C^3
  *Supporting twice yearly CyberRX exercises

“The exercise provided valuable information to help us identify gaps and
deficiencies in the current programs we provide to industry. The
recommendations are already being implemented, such as ensuring cyber threat
reports are coded to CSF controls and the CSF guidance effectively addresses
cyber threats targeted at industry – a powerful combination that, when
aligned, enables the most timely, relevant and effective framework for
cybersecurity,” said Daniel Nutkis, CEO, HITRUST.

Mr. Nutkis continued, “Also benefiting from the exercise is the HITRUST C^3,
which has grown into the most effective and active information sharing and
analysis organization serving the healthcare industry, as we now have better
insights into how organizations of different sizes and sophistication want to
engage, consume and share cyber threat intelligence and incident information.”

CyberRX Methodology

These Cyber exercises are conducted in partnership with HITRUST, U.S.
Department of Health and Human Services (DHHS) and healthcare industry
organizations. The inaugural Spring 2014 exercise was held on April 1, 2014
and was a full-day interactive simulation designed by a steering committee of
industry leaders and observed by Booz Allen Hamilton. Participants included
providers, health plans, prescription benefit managers, pharmacies, HITRUST C^3
and DHHS.

The exercises examined both broad and segment-specific scenarios targeting
information systems, medical devices and other essential technology resources
of the healthcare industry. The steering committee in coordination with Booz
Allen Hamilton developed a CyberRX Exercise Playbook that outlined the rules,
responsibilities and scenarios of the exercise and organizational referees.
Objectives included:

  *Enhance awareness of cyber threats to the healthcare services industry
  *Explore responses to maintain operations in the face of complex risks
  *Understand systemic risk to the healthcare system and patients due to
  *Promote information sharing about cyber threats and vulnerabilities among
    healthcare organizations and government

The preliminary report, titled “CyberRX – Health Industry Cyber Threat
Exercise Spring 2014 – Call for Action and Collaboration,” includes more
detailed findings and recommendations and can be downloaded at

The next CyberRX exercise is scheduled for Summer 2014 and will include
implementation of some of the recommendations outlined in this report. For
more information or to participate in the Summer 2014 CyberRX exercise please


The Health Information Trust Alliance (HITRUST) was born out of the belief
that information protection should be a core pillar of, rather than an
obstacle to, the broad adoption of health information systems and exchanges.
HITRUST, in collaboration with healthcare, business, technology and
information privacy, risk and security leaders, has established a number of
programs to support any and all organizations that create, access, store or
exchange personal health and financial information. HITRUST is supporting the
industry through its framework, assurance program, cyber center, risk
management tools, education and leadership. It is also driving the widespread
confidence in the industry’s safeguarding of health information through
awareness, education, advocacy and other outreach activities. For more
information, visit

All product and company names herein may be trademarks of their respective


Kesselring Communications for HITRUST
Leslie Kesselring, 503-358-1012 or