BreachExchange mailing list archives

Cybersecurity Drill: Lessons Learned


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Apr 2014 18:09:26 -0600

http://www.databreachtoday.com/cybersecurity-drill-lessons-learned-a-6769

A recent inaugural healthcare cybersecurity drill offers a number of lessons,
including that many organizations need to improve how they process cyberthreat
intelligence and how they share that information both internally and externally.

The drill, dubbed CyberRX, was conducted on April 1 by the Department of
Health and Human Services and the Health Information Trust Alliance, or
HITRUST, best known for establishing the Common Security Framework. That
framework is designed for use by any organization that creates, accesses,
stores or exchanges personal health and financial information. Consulting
firm Booz Allen Hamilton served as the "observer" of the drill.

A second CyberRX drill is planned for summer (see HHS CISO on Healthcare
Cybersecurity).

Beyond needing to improve sharing information within their internal IT
teams, the drill showed that organizations varied widely in their
preparedness to communicate and share cyberthreat information with other
internal departments, including legal, privacy, clinical and business
operations, as well as external business partners, says Jim Koenig,
principal and global leader for commercial privacy, cybersecurity and
incident response for health at Booz Allen Hamilton. His comments came
during an April 21 HITRUST media briefing.

Although organizations want the freedom to collaborate during a crisis,
Koenig says, many feel a "chill" of potential legal restrictions that
prevent them from sharing cyberthreat intelligence across the healthcare
ecosystem, or are uncertain about when to engage law enforcement.

The four cybersecurity exercises conducted over a seven-hour period
included an exercise involving a "compromised" medical device and also a
simulated attack involving a state health insurance exchange connected to
the HHS' HealthCare.gov federally facilitated insurance marketplace, says
Kevin Charest, CISO of HHS.

Other participants in the CyberRX exercise included: athenahealth,
Children's Medical Center of Dallas, Cooper Health, CVS Caremark, Express
Scripts, Health Care Services Corp, Highmark, Humana, United Health Group
and WellPoint.

Biggest Weakness

The exercises revealed that the biggest cybersecurity weakness within the
healthcare sector is not related to the industry's technology
implementations, but rather its ability "to coordinate and collaborate
cybersecurity information among a myriad of healthcare companies that
include smaller providers, diagnosis centers, medical device makers,
hospital systems to payers," says Roy Mellinger, vice president of IT
security and CISO at healthcare insurer WellPoint.

The drill also revealed that smaller organizations, in particular, that
often don't have deep internal cybersecurity resources or collaborative
expertise rely more heavily on guidance that's available from other
organizations, such as HHS or HITRUST, he noted.

Among actions that HITRUST is taking after the first CyberRX exercise is
enhancing its Cyber Threat Intelligence and Incident Coordination Center,
or C3Portal, with additional tools, including some designed to help better
facilitate collaboration among organizations supporting incident response,
says HITRUST CEO Daniel Nutkis.

Heartbleed Bug

The importance of cyberthreat information sharing was illustrated in recent
weeks by the announcement of the Heartbleed bug, Mellinger says.

HITRUST issued an industry cyber-alert listing companies affected by the
OpenSSL vulnerability and where software patches were available to address
the issues, Nutkis notes.

In other Heartbleed-related developments, Charest explained at the briefing
why HHS issued a notice on HealthCare.gov, the website for the federally
facilitated health insurance marketplace under the Affordable Care Act,
instructing consumers to change their passwords.

The notice on the HealthCare.gov site says, "HealthCare.gov uses many
layers of protections to secure your information. While there's no
indication that any personal information has ever been at risk, we have
taken steps to address Heartbleed issues and reset consumers' passwords out
of an abundance of caution."

The move came as "a precaution," Charest says (see HealthCare.gov: Change
Passwords). "We followed the prescribed best practice as an abundance of
precaution," he says. Passwords on HealthCare.gov have been invalidated and
consumers will need to set new passwords by answering "challenge
questions," he says.

In a statement provided to Information Security Media Group the morning of
April 21, Charest said, "There has been no effect from Heartbleed for
HealthCare.gov. This is simply following the best practices established,
which include a number of steps such as patching, reinstalling encryption
keys, and end user password resets."

Charest notes that while Akamai, a provider of content to HealthCare.gov,
has had to address its own OpenSSL issues as a result of the Heartbleed
bug, OpenSSL is not used on HealthCare.gov.
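The remediation sequence Charest cites (patch, reinstall encryption keys, reset end-user passwords) only applies to hosts that actually ran a vulnerable OpenSSL build, so the first triage step is an inventory check. The following is an added example, not code from the article or from HHS, HITRUST or any named participant: it parses `openssl version` banners, flags builds in the upstream Heartbleed-affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2; the 0.9.8 and 1.0.0 branches never had the heartbeat extension) and attaches the three remediation steps to each affected host. The inventory dictionary, host names and `triage` helper are constructed for the example.

```python
import re

# Added example; the inventory below is constructed, not real HHS or HITRUST data.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# The three steps the article quotes, in the order they should be done:
# a key reissued before the patch lands can be leaked again.
REMEDIATION = (
    "patch OpenSSL to 1.0.1g+ (or a vendor build with the fix backported)",
    "reissue private keys and certificates, revoke the old ones",
    "reset end-user passwords and invalidate existing sessions",
)


def parse_version(banner):
    """Return (major, minor, fix, letter, beta) from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, m.group(4), beta


def is_heartbleed_affected(banner):
    """True when the upstream version string falls in the affected range."""
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # plain "1.0.1" (empty letter) and 1.0.1a..1.0.1f are affected, g+ fixed
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # only the first 1.0.2 beta shipped the vulnerable heartbeat code
        return beta == 1
    return False  # 0.9.8, 1.0.0 and later branches never had the bug


def triage(inventory):
    """Map host -> remediation steps (empty list when the host is not affected)."""
    return {
        host: list(REMEDIATION) if is_heartbleed_affected(banner) else []
        for host, banner in inventory.items()
    }


# Constructed stand-in for `openssl version` output collected per host.
SAMPLE_INVENTORY = {
    "edge-proxy": "OpenSSL 1.0.1e 11 Feb 2013",
    "portal-web": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-app": "OpenSSL 0.9.8y 5 Feb 2013",
    "build-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host, steps in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, "AFFECTED" if steps else "ok", *steps, sep=" | ")
```

One caveat the version string cannot express: several distributions backported the fix while keeping the upstream letter (a patched package can still report 1.0.1e), so a host flagged here should be confirmed against the vendor package changelog before keys are reissued, and a host reported clean by a backported build should be confirmed the same way.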
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
