Many healthcare organizations still lack a concrete response plan for cyber incidents, the Health Information Trust Alliance (HITRUST) found in a recent series of mock attacks on 12 organizations.
The organization worked in conjunction with Deloitte and the U.S. Department of Health and Human Services to determine the cyberpreparedness of companies in the healthcare industry as part of the CyberRX 2.0 threat exercise program. CyberRX 2.0, grew out of an earlier program – CyberRX 1.0 – that launched in March 2014. The revised program re-launched this year in order to allow greater participation, said Daniel Nutkis, CEO of HITRUST, during a conference call that SCMagazine.com attended.
The mock attack set up a scenario of an employee laptop from a third-party vendor that was stolen by hackers. The hackers were able to use the information in the laptop to reverse-engineer the claims process to file fake claims at the participating health plans and ultimately sell the personal information of the health plans' clients.
Sara Hall, chief information security officer (CISO) of the U.S. Department of Health and Human Services (HHS) said it is incumbent upon the industry and government sectors to work together to provide solutions to advanced cyber threats. “It's best to practice this before you have an actual incident,” she said during a conference call that SCMagazine.com attended.
Noting that cyber attacks are an ongoing reality for healthcare companies, John Gelinne, director of Deloitte Advisory's cyber risk services, explained that “a ‘cleanup on line nine' approach” is no longer sufficient.
Ray Biondo, CISO, Health Care Service Corporation (HCSC) said during the phone call that healthcare organizations need to “train like you fight, and fight like you train.”
“Not everyone is sharing the information they learned as a result of this exercise, said John Gelinne, Deloitte's director of cyber risk services. “It's a small number of players.” Overall 1,000 organizations have been involved in some capacity in the Cyber X 2.0 programs.
The healthcare sector has struggled lately to improve its cybersecurity readiness. In September, the BitSight Insights Industry Benchmark report found that energy/utility and healthcare companies are among the most vulnerable industries.
This week, the CERT Coordination Center (CERT/CC) announced two vulnerabilities in Epiphany's Cardio Server ECG Management System version 3.3, a system used by many healthcare organizations to centralize and manage patient data. The vulnerabilities, discovered by TrustFoundry's Alex Lauerman, allow for attackers to access and modify patient information.