Healthcare Cyberattack Simulation Reveals Weaknesses in Security Preparedness

By: Arieanna Schweber | 12/17/2015

The Health Information Trust Alliance (HITRUST) and Deloitte Advisory Cyber Risk Services, in coordination with the U.S. Department of Health and Human Services (HHS), recently conducted a cyberattack simulation in the healthcare industry to gauge the readiness of each participating organization’s cyber incident response plan. The results of the simulation reveal that current incident response plans in healthcare are inadequate in preventing data breaches. The exercise also identified a number of actions that organizations can take to improve incident readiness and overall resilience.

The HITRUST CyberRX 2.0 Health Plan exercise (CyberRX) gathered 250 individuals from 12 health plans in the first simultaneous cyberattack simulation exercise undertaken in the industry. As detailed in the HITRUST CyberRX After Action Report, the simulation revealed many specific oversights in security preparedness that are common across many industries, including:

  • The need to establish an incident-response ecosystem, which extends to relationships with third parties who may be impacted by a breach. This integration is crucial to establish before an incident occurs.
  • The need to share threats more openly. A recent HITRUST study indicated that 85% of organizations use threat indicators of compromise to improve their own security, but only 5% felt comfortable sharing their own threat indicators.
  • A lack of understanding of cyber insurance claims processes.
  • Actually using the incident response plan. This is an interesting insight: only 2 out of 12 participating organizations referenced their incident response plan during the exercise, even though such plans existed. Using the information in those plans, and adhering to the roles and responsibilities they define, can improve the outcome. Repeated simulations would likely help solidify these roles and could prove a valuable asset to ongoing security education.
  • Involving law enforcement at the right time. Many organizations involved law enforcement too early, which is likely influenced by the backlash organizations receive for not responding fast enough to security incidents. This is where the help of an experienced investigations team could aid in determining the cause of an incident, providing forensic analysis reports, and determining whether ePHI was accessed and law enforcement needs to be involved.

As the report indicates, “It is no longer a matter of ‘if,’ but ‘when,’ an organization will be breached in healthcare,” so actions such as this simulation can provide valuable information about specific risk points for your organization. As Ray Biondo, chief information security officer at Health Care Services Corporation, notes, “Cyberattacks can strike with little forewarning and unfold in ways that no one can predict. There’s no such thing as a pre-scripted response, but every time an organization practices incident response, they get better at anticipating the issues they may face.”

There is no denying that cyber attacks are on the rise, though that fact alone can skew security preparedness. The term “cyber attack” suggests a brute-force assault on the network, when the reality is that an attack can originate from any point. The attack surface is now composed of millions of access points that extend beyond the corporate network, thanks to the many devices used by employees and the use of the cloud. People are the indirect source of most security incidents, compromising data, passwords or network access either intentionally or by mistake. The endpoint is a growing source of many of these errors.

As part of your preparedness, we provide Absolute DDS for Healthcare, a comprehensive onboarding program which pairs the highest level of endpoint security with expert forensic support to respond to and contain security incidents. With Absolute DDS, you can set policy-based actions to identify suspicious changes to software, hardware or user behaviour, with automated actions to ensure that data on the endpoint is protected. Learn more at
