HITRUST: Healthcare Organizations Need to Engage With Third Parties to Improve Cyber Incident Readiness

Dec. 6, 2015
Following a cyber attack simulation for health plans conducted this past summer, industry working group the Health Information Trust Alliance (HITRUST) recommended a number of actions for healthcare organizations to improve their cyber incident readiness.

Following a cyber attack simulation for health plans conducted this past summer, Frisco, Texas-based Health Information Trust Alliance (HITRUST), an industry working group, revealed the results of the exercise and recommended five top actions for healthcare organizations to improve their ability to respond effectively when a cybersecurity incident occurs.

In coordination with Deloitte Advisory Cyber Risk Services and the U.S. Department of Health and Human Services (HHS), HITRUST conducted the CyberRX Health Plans Cyber Simulation Exercise this past summer with the goal of exercising the capabilities of a group of health plans to respond to a wide-scale cyber attack. The CyberRX exercise brought together 250 individuals from 12 health plans across the U.S. to test their cyber incident readiness and identify areas for improvement.

As a result of CyberRX, HITRUST outlined a number of recommendations, including the need for healthcare organizations to develop incident response integration with third parties.

“CyberRX demonstrated that many organizations remain reluctant to engage third parties in the midst of an incident. However, as business relationships with third parties have become more technically integrated, the likelihood increases that a third party will be the source of, or be impacted by, a breach,” HITRUST stated.

HITRUST also recommends that organizations use their incident response plans, and that those plans include information about how to engage insurers and about insurers’ cyber insurance claims processes.

“While the pace of a live situation may make strict adherence to documented plans impractical, having ready access to key information, and adhering to roles and responsibilities defined in the plan, can improve efficiency,” HITRUST stated.

The recommendations also included sharing threat intelligence and involving law enforcement at the right time. According to HITRUST’s report, several simulation participants engaged law enforcement before evidence of a crime had been established. Law enforcement can aid in compiling and preserving evidence, but acting too soon may divert effort from aspects of the investigation and recovery process.

“It is no longer a matter of ‘if,’ but ‘when,’ an organization will be breached,” HITRUST CEO Dan Nutkis said in a statement. “Health plans have made considerable gains over the past several years to strengthen incident response capabilities, but leading companies are aware that regular simulation exercises drive iterative improvements over time. These exercises help organizations and the industry as a whole better prepare and respond, and are a critical component of an organization’s cyber risk mitigation strategy.”

Sara Hall, chief information security officer for HHS, said, “These exercises demonstrate the critical role public-private partnerships play in the incident response process, and as a result HHS is able to better understand how it can support industry.”

Deloitte Advisory’s Cyber Risk Services designed, executed and observed the CyberRX exercises, concluding with the creation of the exercises' after-action report. A primary observation from CyberRX was that incident response can be strengthened through better integration of business and technical functions. Participants often focused on forensic analysis apart from assessing business impact, and lack of frequent cross-function communication hampered decision-making.
