Published on: September 03, 2014
By: Patrick Ouellette

HITRUST released the pertinent information and participant numbers for its CyberRX 2.0 program today, announcing that more than 750 healthcare organizations signed up for the cyber-attack simulation exercise that will begin in October.
HITRUST used what it learned from CyberRX 1.0, such as feedback and general collaboration strategies, to develop CyberRX 2.0. CyberRX 2.0 will be split into a three-tier program – local (basic), regional (mature) and national (leading) – according to simulation sophistication level.

HITRUST first publicized in January 2014 that it had partnered with the Department of Health and Human Services (HHS) to offer the CyberRX program, which reproduces healthcare cyber-attacks and tries to improve data breach preparedness and awareness. Types of participating organizations include providers, health plans, prescription benefit managers and pharmaceutical companies. From gaining better insight into the healthcare industry’s breach readiness to documenting potential attack scenarios, the April exercises were meant to test the waters and see where organizations stood in terms of cybersecurity.

Here is a breakdown of the three tiers:

  • Local (Basic) – Level I will take place from October 2014 to December 2014, providing “table-top” simulations that an organization can administer itself to assess its cyber threat readiness and response while looking at internal processes.
  • Regional (Mature) – Next, HITRUST will offer Level II participants exercises from January 2015 to April 2015. Participants, who must have earned a Level I certificate, will have the opportunity to take part in a more complex set of scenarios while fostering collaboration among multiple organizations simultaneously.
  • National (Leading) – Level III will take place in June 2015 and July 2015 and mandates that organizations have a Level II certificate. This part of the program will review internal and external cyber threat readiness, as well as response and crisis management. According to the HITRUST release, there will be about 50 organizations selected for the national exercise. HHS and the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) will take part as well.

“The initial exercise was a significant step toward establishing the CyberRX exercise playbook and formal program and identifying opportunities for greater collaboration and information sharing between organizations, HITRUST and government. We look forward to taking this important program to the next level and supporting broader industry support and engagement with CyberRX 2.0,” said Sara Hall, HHS Deputy CISO.

HITRUST and HHS will look at potential attack areas such as information systems, medical devices and other essential technology resources. HITRUST will elect CyberRX observers to determine cybersecurity maturity levels.

“The healthcare industry continues to be a growing target for cyber attacks. CyberRX 2.0 is a crucial component of an overall strategy be it to prevent, detect and respond. From small and large entities to pharmaceutical and medical devices, there is strength in numbers. Without industry-wide collaboration we will have gaps toward the ultimate goal of protecting confidential privileged information and ensuring we have top-notch healthcare for patients. We are already seeing positive results from the first exercise and we look forward to participating in CyberRX 2.0,” added Roy Mellinger, VP and CISO, WellPoint.

The CyberRX 2.0 Exercise Playbook with Level I scenarios will be released to all organizations on October 1, 2014, regardless of whether they participated in the program.

“HITRUST wanted to establish an expanded approach that supports a large percentage of the healthcare industry, allows organizations with varying levels of knowledge and resources to engage in and benefit from the program – while not burdening or minimizing the value to other participants. We believe CyberRX 2.0 will foster participation by organizations across the spectrum and, ultimately, the maturity of the industry as a whole,” said Daniel Nutkis, CEO, HITRUST.

https://healthitsecurity.com/news/hitrust-reveals-cyberrx-2-0-exercise-details-focuses/