A dozen health care insurance firms that cover 60 percent of the U.S. population took part in CyberRX 2.0, a cyber exercise aimed at evaluating the organizations' response and minimizing the impact of a data breach, participants said on Dec. 4.
The exercise simulated an attack that attempted to profit from the submission of forged health care claims and to steal personal health information. Both the Health Information Trust Alliance (HITRUST) and Deloitte Advisory Cyber Risk Services managed the exercise, pushing new information—or “injects”—to the more than 250 participating professionals.
The health care firms were not graded on their response. Instead the exercises were used to point out problem areas and demonstrate where health plans needed to improve their cyber-response capabilities, Daniel Nutkis, CEO of the Health Information Trust Alliance (HITRUST), said on a conference call with members of the press.
“Although we focus on getting organizations to put strong controls in place, breaches can and will occur,” Nutkis said. “These exercises help organizations and the industry as a whole better prepare and respond, and are a critical component of an organization’s and the industry’s cyber-risk mitigation efforts.”
HITRUST launched the CyberRX program in January 2014 with the U.S. Department of Health and Human Services as a way to evaluate the U.S. health care sector’s ability to defend against attacks and prevent disruptions to their operations. HITRUST updated the program earlier this year to involve a greater number of organizations, including health plans. More than 1,000 organizations have taken part in the exercises this year, Nutkis said.
Health care firms have been one of the most public targets of cyber-attackers, because breaches are required to be reported to the U.S. Department of Health and Human Services. In February, health insurance provider Anthem suffered a significant breach, with information on 80 million patients put at risk, after its systems were compromised – allegedly by Chinese attackers. In August 2014, an attack on health care provider Community Health Systems resulted in the theft of information on 4.5 million patients.
In the CyberRX Health Plan exercise, the industry had to deal with attackers who targeted the laptop of an employee who worked for a third-party vendor, not the actual health care insurance providers. The scenario has become increasingly common, with significant breaches of large companies -- such as Target and the U.S. Office of Personnel Management -- exploiting vulnerabilities in third-party partners. Using information on the laptop, the intruders conducted two simultaneous attacks to carry out claims fraud and steal data.
“When the hackers owned the laptop, they were able to reverse engineer the way that claims were submitted through the claims processing system,” John Gelinne, director of Deloitte Advisory Cyber Risk Services, said during the conference. “They then trickled a few claims, and when they realized it was effective and working, they barraged the system.”
The attackers also used their access to the network to steal personal health information, Gelinne said. Deloitte Advisory Cyber Risk Services created the scenario for HITRUST.
“We have all learned that breaches are going to occur, as bad actors and threat actors become more sophisticated,” Gelinne said. “The sophistication of the breach was very new and unknown to the participants.”
The exercises have helped HITRUST speed its ability to pass along information to the health care industry, Nutkis said. Before the exercise, the information-sharing group did not get the right details of an attack—the so-called indicators of compromise—nor did they get the details in a timely manner, he said.
"It happens now automatically, in a matter of minutes, and that really does solve a problem," Nutkis said.
The attack scenario exposed some interesting peculiarities of the health care industry. The first signs of the simulated attack, for example, came from call centers, according to Deloitte’s Gelinne.