Cyberattack Drill: Eye-Opening Lessons
Exercise Illustrates Why a Comprehensive Response Plan is So Vital
The experience of a dozen health plans that participated in a cyberattack drill spotlights the need for a well-thought-out incident response plan, says John Gelinne of Deloitte Advisory Cyber Risk Services.
In April, Deloitte designed, executed and observed a simulated cyberattack on a dozen health plans. The project was conducted in collaboration with the Healthcare Information Trust Alliance and the U.S. Department of Health and Human Services.
The CyberRX 2.0 exercise clearly illustrated why "organizations have to recognize that they have to have a plan and have to have rehearsed that plan before an incident occurs so they will be much better prepared when the real event comes along," Gelinne says.
In an interview with Information Security Media Group, Gelinne notes that the results of the exercise also showed "there needs to be clear communication, and that extends to outside parties. The sophistication of these attacks take weeks, months and maybe even years to recover from. [Entities] need to build out their organization's responses not just internally, but also externally."
Another key takeaway from the CyberRX 2.0 exercise, Gelinne says, is the importance of having access to timely and accurate cyber intelligence and being able to share threat information with other healthcare organizations, government agencies and law enforcement during a cyber crisis.
How the Drill Worked
The recent drill involved a scenario in which attackers targeted a health plan's third-party vendor and gained access to exploit a claims processing system to submit fraudulent medical claims.
In addition, the simulated attack involved the hackers stealing health plan members' protected health information and personally identifiable information and making that data available for sale on the Dark Web.
About 250 professionals from the health plans, including CIOs, CISOs and in one case a CEO, participated in the four-hour drill.
In the interview, Gelinne also discusses:
- Overall strengths and weaknesses of health plans that participated in the CyberRX 2.0 exercise;
- Other details and lessons learned from the mock cyberattack.
HITRUST, an industry consortium launched in 2007, is best known for designing the Common Security Framework, which can be used by any organization that creates, accesses, stores or exchanges personal health and financial information. The organization has also developed an automated early warning system to share cyberthreat intelligence. Last year, it launched its first CyberRX exercise (see Cybersecurity Drill: Lessons Learned).
Gelinne is a director in cyber risk services for Deloitte Advisory Cyber Risk Services and is part of the firm's resilience practice, which helps clients prepare for, respond to and recover from cyber incidents. Gelinne is responsible for cyber incident response, cyber war gaming and building technical resilience services that allow organizations to rapidly adapt and respond to dynamic changes, disruptions or threats. He joined Deloitte after retiring from the U.S. Navy after 30 years of service. Gelinne's last role in the Navy was chief of staff for Admiral Mike Rogers, who is now Director of the National Security Agency.