Simulation shows health plans must do more to prepare for cyberattacks
A recently conducted cyberattack readiness exercise revealed that health plans still have work to do in order to properly prepare for the threats they now face, industry and government leaders said during a teleconference Thursday.
The HITRUST CyberRX 2.0 Health Plan exercise, part of a larger cybersecurity readiness initiative, convened 250 individuals from 12 different insurers to test their organizations' preparedness through real-time simulations. Insurers have increasingly been the target of cyberattacks, including a massive breach that compromised the information of 80 million Anthem customers earlier this year.
The exercise revealed that some health plans appeared to lack clear plans and procedures when it came to responding to a cyberattack, John Gelinne, director of Deloitte's Cyber Risk Services, said during the teleconference. He noted that only two out of the 12 health plan participants acknowledged they actually referenced their incident report plans during the exercise.
Also, when confronted with the decision of whether to take down their claims processing platform during the simulation--which would have major business consequences--some plans didn't know who in the organization had authority to do so, he said. What's more, while health plans were happy to receive information from other companies about cybersecurity best practices, not all were as eager to share their own information.
So not only does information sharing across the industry have to improve, but Gelinne also says health plans should continue to regularly conduct cyberattack simulations that allow them to find response capability gaps and "build muscle memory" for how to respond.
Another benefit of the CyberRX exercise was that it increased health plans' awareness about the need for integration across organizations' divisions--from business to legal to IT--for an effective team approach to respond to cyberattacks, said Dan Nutkis, CEO of HITRUST. From HITRUST's perspective, it also helped the organization understand what the industry expects from it to help support organizations' response capabilities, he said.
Similarly, the Department of Health and Human Services achieved a better understanding of how it can be more efficient in sharing information with the health insurance industry, including ways to help reduce duplications of effort, said Sarah Hall, HHS' chief information security officer.
"Industry and government healthcare organizations have to collaborate closely to better secure the sector," she said.
For Ray Biando, CISO of Health Care Service Corp., the exercise emphasized the fact that organizations can never have enough training when it comes to preparing for a cyberattack. So it's important that health plans "train like we fight and fight like we train," he said.
In his experience, Biando says he's found that the healthcare sector is continuing to mature with its information security capabilities. "I've seen a dramatic improvement, but we still have a lot of work ahead of us."
750 organizations want in on CyberRX attack simulations
Cyber attack simulation exposes need for better collaboration, preparedness
8 best practices for payer data security
Anthem hack compromises info for 80 million customers
Cybersecurity Bill of Rights may confuse insurers, consumers