Twelve health insurance companies simultaneously hit with real but harmless cyber attacks had mixed results when the exercise was over, providing many lessons learned for other healthcare stakeholders.
HITRUST, an industry coalition working to improve cybersecurity, offers mock attack scenarios with three levels of sophistication to enable organizations to experience an attack and assess response and mitigation performance. More than 1,000 organizations have participated in these exercises.
The 12 insurers, of varying size and representing a total of 100 million members, were hit with a Level 1 attack in the summer of 2015. They had some idea the attack was coming so necessary personnel across these organization could be available. But what would occur was unknown, according to John Gelinne, director of Deloitte Advisory Cyber Risk Services, which created the attack, designed to impact the entire organization and not just the information technology and security professionals.
Each insurer had about 15 minutes to assess and execute tactics to deal with the attack as various issues emerged, with follow-up challenges based on response decisions—the exercise took about four hours to complete. In this case, the attack came from the compromised laptop of a business associate employee. Some lessons learned, Gelinne said during a conference call, included the need for clearer communication paths within an organization and including third-party business associates, understanding that an attack is not just an incident but can take months to resolve, and that organizations with a sufficient cyber plan do better when an attack comes.
Identification and response gaps by the health plans during the attacks were revealing. Some of the plans, Gelinne said, did not even know who had authority to order taking down the claims processing system during the attack. That’s one reason it is important to establish formal integrated cyber response plans across the organization, he added. “It truly is a team sport.”
Other findings included:
* As the attack unfolded, HITRUST shared intelligence with the plans, but participants—who were to share information such as threat indicators among themselves and with HITRUST—were reluctant to do so. That aligns with a recent HITRUST survey that found 85 percent of organizations use their own threat indicators but only five percent share the data.
Dan Nutkis, CEO at HITRUST, noted that a very small minority of stakeholders across the industry are sharing threat data. HITRUST is developing technology to automatically collect and correlate threat indicators within five minutes, which should increase data sharing as the process currently takes much longer.
* Participants were uncertain about how to quantify losses and submit insurance claims, and what to expect after reporting an attack. “Each insurer is likely to have distinct processes,” according to information from HITRUST. “Incident response plans should include information on how to engage insurers.”
* Only two of the 12 health plans referenced their organization’s incident response plan while responding to the attack. “While the pace of a live situation may make strict adherence to documented plans impractical, having ready access to key information and adhering to roles and responsibilities defined in the plan can improve efficiency,” according to HITRUST.
* Organizations need to bring in law enforcement at the appropriate time; several health plans engaged police before evidence of a crime had been established. “Law enforcement can aid in compiling and preserving evidence, but acting too soon may distract efforts from aspects of the investigation and recovery process,” HITRUST cautioned.
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access