Is healthcare ready for cyber attacks?
A cyber threat response drill for healthcare organizations conducted this past month highlighted some serious challenges facing healthcare security professionals.
[See also: Cyberattack alerts coming to healthcare]
Conducted by the U.S. Department of Health and Human Services and the Health Information Trust Alliance, the results of the drill, dubbed CyberRX, underscored the varying levels of preparedness for cyber threats among healthcare organizations, with many organizations failing to adequately communicate cyber threat information internally and to external business partners.
HITRUST, a private, independent company that helped establish the Common Security Framework for healthcare organizations in 2008, recently announced in conjunction with HHS a series of monthly cyber threat briefings to educate healthcare professionals and raise security awareness across the industry.
The good news about the CyberRX drill, according to HITRUST chief executive Daniel Nutkis, is that "many organizations are appropriately addressing cyber risks."
"Some organizations have very mature cyber risk programs that can identify cyber threats and actively engage in collaborative incident response efforts, while others rely more heavily on the compensating controls defined in their information protection framework, such as the CSF," Nutkis said.
Nutkis says HITRUST is linking cyberthreat intelligence reports to CSF controls to ensure the current control guidance is appropriately mitigating the risk and the controls framework is updated on a timely basis.
Many smaller organizations struggle with cyber security because they simply have been focusing on other security priorities.
"It appears organizations with less mature information security programs are taking longer to address cyber threats as historically these threats have not been deemed the higher risk areas, and smaller organizations were still working on disk encryption or DLP, which had a higher number of breaches associated," Nutkis said. "The data now suggests a rethinking of this approach."
One thing organizations can do is become more aware. HITRUST is coordinating with the U.S. Department of Health and Human Services to spread the word about its monthly briefings and as-needed alerts. Organizations can sign up here.
In a keynote speech late last month at a HITRUST conference in Texas, Republican Texas Rep. Michael Burgess emphasized the importance of collaboration within the health IT sector and between health IT enterprises and the federal government.
"One of the key goals of advancing this nation's cyber security is building trust and relationships between the government and the private sector," Burgess said. "I am encouraged when the private sector begins to explore healthcare information protection and utilization of tools such as the HITRUST Common Security Framework and CSF Assurance Program."
Nutkis encouraged all health IT enterprises to put their cyber threat preparation to the test.
"Regardless of your approach to cyber threats, exercises that test organizations' programs, that they can learn and improve, are very beneficial," he said.
Organizations can register to participate in the CyberRX tests here.