Attack exercise reveals threat-sharing roadblock within health orgs
Organizations expressed concerns about communicating threat information to team members outside IT.
Health care participants in an industry-wide attack exercise expressed concerns about effectively communicating threat intelligence within their organizations.
On Monday, the results of the “CyberRX” (PDF) exercises were released by the Health Information Trust Alliance (HITRUST), a group that teamed up with the U.S. Department of Health and Human Services (HHS) to carry out the preparedness initiative.
The inaugural exercise, held on April 1, was observed by Booz Allen Hamilton, and included participants such as UnitedHealth Group, WellPoint, Humana, Highmark, Health Care Service Corporation (HCSC), the Children's Medical Center in Dallas, CVS Caremark and Express Scripts.
For the one-day event, organizations responded to randomly selected cyber incident scenarios: one in which a major username and password breach affects patients, doctors and nurses throughout the health care industry; another in which three major health plan providers' networks are infiltrated, giving intruders full access to customer data; or two other events involving an information leak and a potential insider threat case.
In the attack exercises, many organizations that had programs mature enough to process and identify potential threats still struggled to deliver threat information to internal staff who weren't in IT, the findings revealed. Sharing necessary information with legal or privacy teams, crisis management, business operations, or other stakeholders in management positions, for instance, turned out to be a roadblock for health care organizations.
In response to the simulated attacks, participants suggested that more formalized procedures be created, so that responsibilities and effective communication of threat information are clearly laid out among staff. In the report, participating organizations also called for the enhancement of HITRUST's Cyber Threat Intelligence and Incident Coordination Center (C3) to facilitate industry collaboration and response to threats.
On Monday, Roy Mellinger, WellPoint's vice president and CISO, said in a teleconference on the CyberRx findings that the “weakness isn't necessarily on technology implementations, it's the ability to coordinate and collaborate across the myriad of participants in healthcare.”
Mellinger later added that coordinating intelligence sharing was a critical task for companies of every size, but particularly for smaller health care organizations.
“Large corporations like WellPoint have mature systems and seasoned staff. Smaller organizations do not. The challenge is [in] how to coordinate and collaborate across them all. HITRUST C3 allows multiple entities to get the information they need to prepare and respond, regardless of size,” he said.