“Simulation exercises show how companies should respond under a cyberattack,” says HHS’s Sara Hall. Teri Robinson reports.
In the common parlance of child psychologists, role-playing—particularly acting out scenarios—is good practice for real life, helping kids develop the skills and tools they need to face, navigate and solve the issues and problems encountered on the vast terrain of growing up. The same holds true in cybersecurity—playing out likely scenarios can yield the kind of preparedness that organizations in the private and public sectors can’t master in training seminars, classes and email advisories alone.
While participants don’t get to dress up in cool super hero costumes or leap tall buildings in a single bound, they do take part in cyber exercises that, if properly executed, can sharpen and strengthen an organization’s response, making it more competent and resilient in the face of a real, live cyberattack.
“They learn their strengths as well as weaknesses that can be improved so they’re ready for an attack,” says Sara Hall, Deputy Chief Information Security Officer at the U.S. Department of Health and Human Services. She is referring to the groups participating in CyberRX simulation exercises, which are supported by HHS and coordinated by HITRUST, an alliance of health care industry organizations that has essentially developed a playbook, or set of best practices, for conducting cyberattack simulation exercises.
“Organizations should be doing this sort of exercise for preparedness,” stresses Daniel Nutkis, CEO of HITRUST. The alliance recently released a “CyberRX 2.0 Exercise Playbook,” driven by the recommendations spawned from its spring 2014 simulation event.
Preparing for cyberattacks is especially important in the health care industry, which is charged with safeguarding personally identifiable information (PII) and medical data, and whose ranks include pharmacists, hospitals, private practitioners and medical device providers.
“We don’t want citizens not trusting information with IT and that interfering with their ability to receive medical and health care,” says Hall.
But that public trust has been shaken after security incidents rocked health care organizations, including a significant data breach at Community Health Systems (CHS) that affected 4.5 million patients.
- Sara Hall – Deputy Chief Information Security Officer at the U.S. Department of Health and Human Services
- Daniel Nutkis – CEO, HITRUST
- Ed Powers – National Managing Partner of Deloitte & Touche’s Cyber Risk Services practice
- Karl Schimmeck – Vice President of Financial Services Operations at SIFMA
- Sharon Wallis – Member, Bank of England’s Sector Resilience Team
While one observer noted that health care is “about a decade behind” other sectors, it’s playing catch-up. Fast. And it’s certainly not the only industry vulnerable to security lapses, as demonstrated by even higher-profile breaches at Target, eBay, Home Depot and JPMorgan Chase, and by revelations that vulnerabilities like Heartbleed and Shellshock can lurk in code, ripe for exploitation by miscreants.
The fumbles that occurred during and after those incidents—as well as the successes, like the thwarting of DDoS attacks on banks in 2012 and 2013—underscore the difference that preparedness can make in mitigating cyberattacks.
Fueled by criminal intent, political unrest and just plain mischief-making, cyberattacks are, by and large, on the rise. And a growing reliance on electronic devices—within the Internet of Things even home appliances could be marshaled into botnets—combined with a surge in malware virtually guarantees attackers an unprecedented and ongoing reach into networks and systems once believed to be relatively untouchable.