Cybersecurity Drill: Lessons Learned

Healthcare Needs to Improve Information Sharing
Cybersecurity Drill: Lessons Learned

A recent inaugural healthcare cybersecurity drill offers a number lessons, including that many organizations need to improve processing cyberthreat intelligence and sharing that information both internally and externally.

See Also: Deception-Based Threat Detection: Shifting Power to the Defenders

The drill, dubbed CyberRX, was conducted on April 1 by the Department of Health and Human Services and the Health Information Trust Alliance, or HITRUST, best known for establishing the Common Security Framework. That framework is designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information. Consulting firm Booz Allen Hamilton served as the "observer" of the drill.

A second CyberRX drill is planned for summer (see HHS CISO on Healthcare Cybersecurity).

Beyond needing to improve sharing information within their internal IT teams, the drill showed that organizations varied widely in their preparedness to communicate and share cyberthreat information with other internal departments, including legal, privacy, clinical and business operations, as well as external business partners, says Jim Koenig, principal and global leader for commercial privacy, cybersecurity and incident response for health at Booz Allen Hamilton. His comments came during an April 21 HITRUST media briefing.

Although organizations want the freedom to collaborate during a crisis, Koenig says, many feel a "chill" of potential legal restrictions that prevent them from sharing cyberthreat intelligence across the healthcare ecosystem or uncertainty about when to engage law enforcement, he says.

The four cybersecurity exercises conducted over a seven-hour period included an exercise involving a "compromised" medical device and also a simulated attack involving a state health insurance exchange connected to the HHS' federally facilitated insurance marketplace, says Kevin Charest, CISO of HHS.

Other participants in the CyberRX exercise included: athenahealth, Children's Medical Center of Dallas, Cooper Health, CVS Caremark, Express Scripts, Health Care Services Corp, Highmark, Humana, United Health Group and WellPoint.

Biggest Weakness

The exercises revealed that the biggest cybersecurity weakness within the healthcare sector is not related to the industry's technology implementations, but rather its ability "to coordinate and collaborate cybersecurity information among a myriad of healthcare companies that include smaller providers, diagnosis centers, medical device makers, hospital systems to payers," says Roy Mellinger, vice president of IT security and CISO at healthcare insurer Wellpoint.

The drill also revealed that smaller organizations, in particular, that often don't have deep internal cybersecurity resources or collaborative expertise rely more heavily on guidance that's available from other organizations, such as HHS or HITRUST, he noted.

Among actions that HITRUST is taking after the first CyberRX exercise is enhancing its Cyber Threat Intelligence and Incident Coordination Center, or C3Portal, with additional tools, including some designed to help better facilitate collaboration among organizations supporting incident response, says HITRUST CEO Daniel Nutkis.

Heartbleed Bug

The importance of cyberthreat information sharing was illustrated in recent weeks by the announcement of the Heartbleed bug, Mellinger says.

HITRUST issued an industry cyber-alert listing companies affected by the OpenSSL vulnerability and where software patches were available to address the issues, Nutkis notes.

In other Heartbeed-related developments, Charest explained at the briefing why HHS issued a notice on, the website for the federally facilitated health insurance marketplace under the Affordable Care Act, instructing consumers to change their passwords.

The notice on the site says, " uses many layers of protections to secure your information. While there's no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers' passwords out of an abundance of caution."

The move came as "a precaution," Charest says (see Change Passwords). "We followed the prescribed best practice as an abundance of precaution," he says. Passwords on have been invalidated and consumers will need to reset new passwords by answering "challenge questions," he says.

In a statement provided to Information Security Media Group the morning of April 21, Charest said, "There has been no effect from Heartbleed for This is simply following the best practices established, which include a number of steps such as patching, reinstalling encryption keys, and end user password resets."

Charest notes that while Akamai, a provider of content to, has had to address its own OpenSSL issues as a result of the Heartbleed bug, OpenSSL is not used on

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.