Cyberattack Drill Exposes Healthcare Industry's Vulnerabilities

By smace@healthleadersmedia.com | April 23, 2014

Healthcare organizations are at their weakest not necessarily on technical implementations, but in their ability to coordinate and collaborate across organizations, says a security expert.

Healthcare providers, like other industries, are not always very good at sharing cyber-attack intelligence with each other. But according to findings of a first-of-its-kind April 1 simulated drill, improvements are now underway specifically in the healthcare industry.

The industry-wide exercise, CyberRX, presented participants with a series of challenges which "exercised elements within each of the organizations," said Kevin Charest, chief information security officer for the U.S. Department of Health and Human Services.

"We actually started it off with some fraud, where a physician attempted to have some malicious code written that would allow erroneous images to be created and then they could defraud Medicaid and Medicare," Charest explained.

The scenario involved lots of different complexities in incident response, including responding to simulated inquiries from the press, Charest says.

A Wide Range of Players

A big takeaway from the exercise: Healthcare organizations are at their weakest not necessarily on technical implementations, but in their ability to coordinate and collaborate across myriad healthcare entities, says Roy Mellinger, vice president of IT security and chief information security officer at Wellpoint, the largest for-profit managed health care company in the Blue Cross and Blue Shield Association.

"Unlike financial services, where you're just dealing with primarily banking and loan information, we're dealing with small providers, small doctors' offices and clinics, and diagnostic centers. And we're dealing with medical devices and manufacturers," Mellinger says. "We're dealing with hospital systems. We're dealing with the payer industry. So how do you coordinate intelligence information and expertise across those varying types of entities?"

Not surprisingly, the exercise also pointed out that the ability of similar organizations to respond to a cyberthreat varies based on the maturity and experience of each organization's IT systems and leadership teams.

Early Warning System Needed

Jim Koenig, principal global leader, commercial privacy, cybersecurity and incident response for Booz Allen Hamilton, says "all of the new players present increase opportunities for risk, and systems that haven't become necessarily stable, and all of that happening at once creates a new set of risk profiles." Koenig acted as observer for the CyberRX exercises on behalf of the exercise's organizers, HHS and the Health Information Trust Alliance (HITRUST).

Rapid changes in healthcare technology are all the more reason for an early warning system, because a number of organizations may be exposed to the same potential threat and the same potential players, or to a vendor in the supply chain who may be vulnerable, Koenig says.

Because all these technologies are increasingly more interconnected, a coordinated threat response across disparate systems is essential, he says.

"Obviously cyberattacks can reach systems that are connected, and increasingly now, there are more and more medical healthcare delivery, radiology, laboratory, and other healthcare delivery and devices that are connected," he says.

An additional finding is that the current model of a generic national cybersecurity framework for critical infrastructure is not sufficient to support healthcare organizations in the current cyber threat landscape, HITRUST officials say.

The exercise left HITRUST with several action items, including linking threat intelligence to HITRUST's Common Security Framework, which provides prescriptive security requirements to ensure clarity. "We will augment CSF with the cyber threat intel to make sure the guidance is more robust, because that is that first line of blocking and tackling," says HITRUST CEO Daniel Nutkis.

Heartbleed and HealthCare.gov

The recent Heartbleed vulnerability in the popular OpenSSL cryptographic software library presented a valuable real-world test of the benefits of these exercises, according to HITRUST. More than one CyberRX participant indicated that it leveraged lessons learned from the exercise to react more quickly and more effectively to the issues raised by Heartbleed, HITRUST officials stated.

Charest says there is no evidence that the Heartbleed vulnerability has affected networks related to the HealthCare.gov Web site, but that out of an abundance of caution, HHS decided to ask all registered healthcare.gov visitors to reset their passwords by answering their previously set up challenge questions.

The extra caution arose in part due to healthcare.gov's use of the Akamai content delivery network, which had patched its own Heartbleed vulnerability, Charest says.

HITRUST posted a preliminary report in the wake of the security exercise, with threat preparedness and response recommendations for healthcare organizations. The HITRUST Web site also provides a way for organizations to sign up to participate in future exercises, which HITRUST expects to hold twice a year, according to Nutkis.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
