Current Cybersecurity Framework Insufficient Against Attacks
April 22, 2014 in News
Health care organizations could do more to prepare for and coordinate against unexpected cyberattacks, according to a new report on cybersecurity, Clinical Innovation and Technology reports (Pedulli, Clinical Innovation and Technology, 4/21).
Background on CyberRX Project
In January, HHS and the Health Information Trust Alliance announced a partnership on a cybersecurity initiative, called CyberRX, that will simulate cyberattacks on health care organizations and then evaluate how the industry responds to such threats.
The project involves participants from 12 health care organizations, including:
- Children’s Medical Center in Dallas;
- CVS Caremark;
- Express Scripts;
- Health Care Service;
- UnitedHealth Group; and
- WellPoint (iHealthBeat, 1/13).
Jim Koenig — principal, global leader, commercial privacy, cybersecurity and incident response for health at Booz Allen Hamilton, which observed CyberRX — said the project aims to:
- Build awareness of cyberattacks;
- Explore how organizations react and stay operational in the face of complex risks;
- Promote information sharing about the threats; and
- Understand systematic risks to patients related to disruptions.
Results of CyberRX Simulation
The first cyberattack simulation occurred on April 1 (Clinical Innovation and Technology, 4/21).
The attack targeted:
- Health information exchanges;
- Health information systems; and
- Medical devices.
Overall, the test found that organizations’ preparedness varied across multiple areas, including:
- Ability to process threat intelligence;
- The effect on business and clinical operations;
- The effect on outside business partners; and
- IT-related issues (Conn, Modern Healthcare, 4/21).
During a press conference, Koenig highlighted five main findings from the exercise:
- Organizations that take part in cybersecurity exercises are more prepared for cyberattacks, regardless of their information security programs;
- Preparedness against cyberattacks improves with increased data processing and coordination with other stakeholders;
- Incident response coordination capabilities are crucial and should be increased;
- Organizations want more ability to communicate and collaborate freely during cyberattacks; and
- The generic national cybersecurity framework for crucial infrastructure is not adequate to support health care organizations against today’s cyber threat landscape (Clinical Innovation and Technology, 4/21).