A healthcare industry data-security consortium will lead a series of computer hacks to evaluate industry preparedness for the real thing.
A first round of these controlled attacks on about a dozen organizations volunteering to participate—including four provider organizations, health plans, pharmacies and a cloud services provider—will be conducted in March in partnership with HHS and led by HITRUST, the Frisco, Texas-based healthcare security consortium. A second round of attacks is slated this summer.
“Our goal for the exercises is to identify additional ways that we can help the industry be better prepared for and better able to respond to cyberattacks,” Kevin Charest, chief information security officer at HHS, said in a news release.
In April 2012, HITRUST launched its Cyber Threat Intelligence and Incident Coordination Center to provide a communication and information sharing channel devoted to healthcare-related cyberthreats. The proposed attacks will measure the effectiveness of that channel, test industry coordination with HHS and document threat scenarios for future use in additional tests with other industry participants.
HITRUST CEO Daniel Nutkis said the organization will employ what he described as “ethical hackers” to launch the assaults using a benign payload.
“The intent here is to understand an organization's ability to respond to these attacks and it's also an opportunity for sharing information,” Nutkis said. “One organization's cyberevent is another organization's cyberdefense.”
Nutkis said he has not seen a spike in the number of healthcare industry cyberattacks, “but there is no question that healthcare is a ripe target. It's a 'when' issue, not an 'if' issue.”
Also, he noted, experts trawling online forums of foreign hackers have discovered “substantial amounts” of protected healthcare information that they couldn't connect to a breach. “We think there are organizations that aren't even aware that that's happening.”
Follow Joseph Conn on Twitter: @MHJConn