HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cyberattack Simulation Exercise Tests Incident Response Readiness

It is no longer a case of whether a data breach will be suffered, it is now just a matter of time as to when it will occur. It is therefore essential that covered entities have a data breach response plan that can be put into action as soon as a cybersecurity incident is discovered. If cyberattack simulation exercises are conducted prior to a breach being suffered, the ability of an organization to respond appropriately, and conduct an efficient breach response, will be greatly improved.

Breach Response Plan Testing Must Include Rigorous Cyberattack Simulation Exercises

It is essential that HIPAA-covered entities are able to respond quickly after discovering a cybersecurity incident has been suffered. The first few hours after an attack are critical. Key decisions must be made, personnel mobilized and third parties involved.

Under HIPAA Rules, HIPAA-covered entities must conduct a breach investigation, which can be complex and longwinded. A full risk assessment must also be conducted, notices must be issued to victims, breach reports issued to the OCR, the media must be alerted, questions from breach victims fielded, and protections put in place to ensure similar breaches are not suffered in the future. Claims must be made with insurers and law enforcement must be involved.

Any organization that is not prepared, and does not have a tried and tested breach response plan in place, will not be able to response quickly and efficiently.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

As with a risk assessment, the breach response plan is not something that can be tested once. It must be practiced. In fact, the more often the breach response plan is tested and cyberattack simulation exercises run, the more likely the response will be executed efficiently when a cyberattack is suffered.

The HITRUST CyberRX 2.0 Cyberattack Simulation Exercise

The Health Information Trust Alliance (HITRUST) in association with Deloitte Advisory Cyber Risk Services, recently conducted a test of cyberattack response readiness to help health plans prepare for an inevitable cyberattack and data breach. The HITRUST CyberRX 2.0 Health Plan exercise (CyberRX) was conducted on 12 participating health plans, and involved 250 individuals. This was the first time that the exercises had been run simultaneously for health plans.

The aim of the cyberattack simulation exercises were to test how well prepared health plans are to deal with a cyberattack. The results of the exercise can be used by other health plans and insurance companies to improve their own breach response plans and improve their readiness to deal with cyberattacks when they occur.

The exercises are rigorous, and are designed to help participants cope with various different scenarios that disrupt critical U.S. healthcare operations and infrastructure. So far this year, over 1,000 organizations have taken part in the program and have completed CyberRX 2.0 Level 1 exercises.

The latest series of CyberRX exercises were devised and run by Deloitte Advisory Cyber Risk Service. The tests were run over a four-hour session, and participants were required to discuss the appropriate course of action that needed to be taken when a threat actor gaining access to PHI and made a high volume of fraudulent health claims: Just as would likely be the case following a real cyberattack.

Lessons Learned from the CyberRX Cyberattack Simulation Exercises

It is essential that the forensic analysis of the cyberattack is conducted, but this must be considered together with the impact it will have on the business. The two elements of the breach response cannot be considered in isolation. The cyberattack simulation exercises also highlighted the need for action to be taken, even when the big picture is not known. Leaders must take affirmative action.

The full results of the health plan cyberattack simulation exercise are detailed in the HITRUST final report – which can be downloaded here – although the recommendations that came from the exercises are summarized below:

HIPAA-covered entities must:

Establish an Incident-Response Ecosystem – It is essential that third parties are involved in the breach response, they are likely to be impacted by it, and in many cases, may even have caused the breach. Involve them in breach repose planning, not just when a breach is suffered.

Threat Intelligence Must be Shared – According to previous HITRUST study results, threat indicators of compromise (IOCs) are used by 85% of organizations, yet only 5% of organizations share IOCs. The exercise highlighted the difficulties the participants had in sharing their IOCs, yet this is essential.

Incident response plans exist for a reason – When a cyberattack is suffered, it may not be possible to follow a breach response plan to the letter, but it should be used as a guide. It will improve the efficiency of the breach response.

An incident response plan must involve the claims process – Losses will be suffered, so insurance claims must be made. It is essential that covered entities know how to engage insurers.

Law enforcement must be involved, but at the right time – There was an over eagerness to involve law enforcement; however, it is essential to contact law enforcement agencies at the right time.

Cyberattack simulation exercises are essential to help organizations prepared for an attack. If a breach response plan has been tested, and tested thoroughly, it will improve an organizations breach response capability, and can reduce the damage caused.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.