Health Care Industry Exercise to Test Cyber-Defenses
The U.S. Department of Health and Human Services (DHHS) hopes to give the health care industry some experience in warding off cyber-attacks by staging two joint exercises this year.
The war games, dubbed CyberRX, will give health care providers, health plans, hospitals, drug manufacturers and government agencies practice in detecting and responding to attacks. The DHHS and the Health Information Trust Alliance (HITRUST) will measure the performance of industry participants and the group created by HITRUST to facilitate information sharing.
"Our goal for the exercises is to identify additional ways that we can help the industry be better prepared for and better able to respond to cyber attacks," Kevin Charest, chief information security officer for the DHHS, said in a statement. "This exercise will generate valuable information we can use to improve our joint preparedness."
Cyber-security exercises are a common way for industries to open the lines of communication between security teams and the groups set up to act as information hubs. In addition, participants can determine if their policies and procedures fully account for common attack scenarios.
The health care industry has been slow to adjust to the reality of cyber-attacks. Information-security budgets are tight, and more than 430,000 health care groups and companies exist in the United States, according to Daniel Nutkis, CEO and co-founder of HITRUST.
Yet, working together, the health care industry can create a defensive network that helps all participants, he told eWEEK.
"With our model of community defense, information sharing and collaboration are important pieces of the puzzle," he said.
HITRUST initially created the information-sharing center—known as the Cyber Threat Intelligence and Incident Coordination Center, or C3—to handle information on attacks and malware threats. The results of CyberRX will be used to hone the group's methods of sharing the data.
Attackers have been hitting the health care industry in much the same way they have attacked retailers in search of credit-card and financial information. Yet, private patient information has also been targeted and likely will be increasingly targeted in the future, according to last year's Verizon Data Breach Investigations Report.
While the DHHS requires health care providers to report data breaches involving 500 or more records, the actual number of breaches may be underreported, Nutkis said.
"Organizations might not be sophisticated enough to know that they have been breached," he said. "Where they are reporting, it is likely accurate, but they might not always know."