Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...
By Alex Ruoff
Jan. 21 -- A dozen health-care organizations will put their cybersecurity plans to the test during a series of mock cyberattacks starting in March.
The health-care industry is fast becoming a prime target for hackers and online criminals seeking to steal personal data from electronic health records, Daniel Nutkis, chief executive officer for the Health Information Trust Alliance (HITRUST), the cybersecurity organization coordinating the mock attacks, told Bloomberg BNA Jan. 16.
The cybersecurity exercises will give security experts and health-care executives a better understanding of how well their security measures might fare against a real attack, he said.
“We've seen a steady increase in attacks on health organizations, and the industry as a whole has responded well,” Nutkis said. “Now the maturity of that response has reached the point where we need to get an understanding of what's being truly effective and what these organizations are ready for.”
HITRUST has been purposefully vague about the exact timing and nature of the simulated attacks, dubbed CyberRX, to make them as real as possible, Nutkis said. HITRUST will unleash “a little of everything” on the health information technology systems and medical devices of 12 organizations, a mixture of health plans, health-care provider organizations and pharmacies, he said.
Participating in CyberRX are: the Department of Health and Human Services, Children's Medical Center of Dallas, CVS Caremark, Express Scripts, Health Care Service Corp., Highmark, Humana, UnitedHealth Group, WellPoint and others.
The results of the mock attacks will be summarized in a report to be released in April, HITRUST said in a release.
The mock attacks will test both the permanent security measures of the participating organizations, such as firewalls and anti-virus programs, and how well executives respond to cyber-intelligence reports from the HHS and HITRUST's Cyber Threat Intelligence and Incident Coordination Center, the organization's cybersecurity program, HITRUST said.
The HHS regularly issues cybersecurity warnings to HITRUST, which alerts the relevant health-care organizations, Nutkis said.
Intelligence gathering is crucial for cybersecurity, he said, as hackers and online criminals have access to very sophisticated technologies that allow them to be innovative in how they subvert security systems.
“The model for security used to be just build bigger and bigger walls around your system to block anything coming in,” Nutkis said. “It's not so simple now as attackers are becoming smarter and smarter.”
As part of CyberRX, HITRUST will, for some organizations, issue an alert about the possibility of a certain type of attack before simulating it to test how those organizations respond to warnings, Nutkis said.
Underscoring the need for health-care organizations to improve their cybersecurity response, DataMotion, a Morristown, N.J.-based e-mail encryption provider, Jan. 21 released the results of a survey on corporate security that found that 75 percent of health-care workers routinely ignore the security policies of their employer.
The survey also found that although more than 90 percent of health-care companies had policies for encrypting e-mails and policies for securely transferring electronic files, 33 percent of health-care employees didn't fully understand those policies. Employees surveyed included health-care providers and administrative staff at health-care organizations, the survey said.
“Doctors are thinking about their patients when they're using a computer, not company policy,” Bob Janacek, chief technology officer for DataMotion, told Bloomberg BNA Jan. 21. “So it's important that an organization integrate security measures into their regular workflow.”
The survey concluded that health-care organizations should offer IT training for health-care providers and automate cybersecurity practices for providers.
To contact the reporter on this story: Alex Ruoff in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com
More information about HITRUST is at http://www.hitrustalliance.net.
The survey can be downloaded at http://info.datamotion.com/datamotion-2013-survey-report.