Health Care Sector to Test Reflexes for Cyber Attack

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.nextgov.com/cybersecurity/2014/01/health-care-sector-test-reflexes-cyber-attack/76676/

The health sector, in partnership with the federal government, will conduct
simulated attacks against health care networks this spring to test their
vulnerability to hackers, industry officials announced on Monday.

The simulation, scheduled for March, marks the first time insurers,
hospitals, pharmaceutical manufacturers, and the Health and Human Services
Department will run a fire drill in concert. Health care has been named one
of 17 critical infrastructure sectors that, if disrupted by a cyberattack,
could have far-reaching consequences for the nation.

HHS Chief Information Security Officer Kevin Charest said in a statement,
“Our goal for the exercises is to identify additional ways that we can help
the industry be better prepared for and better able to respond to
cyberattacks. This exercise will generate valuable information we can use
to improve our joint preparedness.”

It is unclear whether the event will test the reflexes of HealthCare.gov,
the problem-plagued online health insurance exchange developed by the Obama
administration under the Affordable Care Act.

The Health Information Trust Alliance, a medical information technology
advocacy group, will coordinate the event.

The medical industry already suffers from data breaches that have
jeopardized patient privacy and facilitated fraud. According to a 2012
Ponemon Institute study, 94 percent of health care organizations
experienced at least one data breach during the previous two years.

The aim of this spring’s simulated hacking exercise, dubbed CyberRX, is to
discover weaknesses in preparedness and spot areas where information
sharing could be improved.

HITRUST has stood up an incident response center that circulates
intelligence about threats among industry specialists, as well as HHS and
Homeland Security Department officials. The March drill is partly aimed at
determining the efficiency of that model.

Participants will include Children's Medical Center Dallas, CVS Caremark
and Express Scripts, as well as numerous insurance providers including
Health Care Service Corp., Humana, UnitedHealth Group, and WellPoint.

A second experiment is planned for this summer.

“As cyber threats continue to increase and the number of attacks targeted
at healthcare organizations rise, industry organizations are seeking useful
and actionable information with guidance that augments their existing
information security programs without duplication or complication,” HITRUST
Chief Executive Officer Daniel Nutkis said in a statement. “CyberRX will
undoubtedly provide invaluable information that can be used by
organizations to refine their information protection programs."

The healthcare industry is not the first critical infrastructure sector to
check its cyber hygiene.

Last November, in California, almost 10,000 electrical engineers,
cybersecurity specialists, utility executives and FBI agents spent 48 hours
with a fake adversary who tried to turn out the lights across America, the
New York Times reported. The previous month, the financial sector ran a
simulation -- its second since 2011 -- called "Quantum Dawn 2" that showed
resiliency but also areas where the industry can do better, according to
USA Today. The six-hour trial run herded more than 500 people and more than
50 organizations, including Wall Street banks, stock exchanges, utilities,
DHS, the FBI and the Treasury Department.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.