April 22, 2014 – HITRUST, in coordination with the U.S. Department of Health and Human Services (DHHS), revealed the results of the healthcare industry’s first cyber attack simulation, CyberRX.
CyberRX is a series of industry-wide exercises used to evaluate the response and threat preparedness of healthcare organizations against attacks and attempts to disrupt U.S. healthcare operations. The unanimous findings from the exercise are:
- Organizations that participate in cyber exercises are more prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program.
- Organizations’ preparedness benefits from improved threat intelligence processing capabilities and increased engagement with stakeholders. Organizations varied in their preparedness for processing threat intelligence or for communicating and engaging with other stakeholders internally and externally; this issue extends beyond IT to legal/privacy, crisis management, business/clinical operations, management and external business partners. Additionally, organizations vary in their appetite for and ability to process threat intelligence.
- Organizations call for greater “freedom” to communicate and collaborate during a cyber crisis and to have a view across the healthcare ecosystem, including common vendors and partners – despite potential legal restrictions and liabilities; participants also had varied opinions on how best to engage law enforcement.
- Incident response coordination and collaboration capabilities are crucial, and the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) capabilities should be enhanced to better support broader and more effective collaboration.