News Feature | September 12, 2014

CyberRX: Health Industry Cyber Threat Exercise

Christine Kern

By Christine Kern, contributing writer

CyberRX

A total of 750 healthcare organizations prepare to be attacked by CyberRX2.0.

HITRUST, a coalition of industry stakeholders working to improve cybersecurity, has dramatically increased participation in the next round of its cyber-attack simulation exercise, called CyberRX.

CyberRX is a series of no cost, industry-wide exercises coordinated by HITRUST in conjunction with the Department of Health and Human Services, with the mission being to mobilize healthcare organizations and explore innovative ways of improving preparedness and response against cyber-attacks intended to disrupt the nation’s healthcare operations. The exercises include scenarios targeting information systems, medical devices and other essential technology resources of government and healthcare organizations.

The first exercise, CyberRX 1.0, was conducted in April 2014 with about a dozen organizations participating. As part of the test, a third party launched real but harmless attacks on participant information networks, such as information systems or medical devices. The exercise assessed how well organizations recognized and responded to the attack, including knowing where to find resources for assistance or answers when suspicions were raised because of probing or other threat activity.

The test also assessed the effectiveness of HITRUST’s Cyber Threat Intelligence and Incident Coordination Center, which includes a repository of threat data and researchers who disseminate information on new threats.

Now, more than 750 healthcare organizations will participate during October in CyberRX 2.0, which will have three levels of sophistication to support organizations with various levels of cyber security capabilities.

The expanded CyberRX 2.0 program features progressive local, regional and national exercises that will allow more participants at all levels of maturity to join based on their type of organization, size, and experience with cyber prevention and simulations:

  • Level I – Local (Basic), October 2014 – December 2014: This level offers “table-top” simulations that can be administered by an organization to evaluate their cyber threat readiness and response primarily focused on internal processes.
  • Level II – Regional (Mature), January 2015 – April 2015: This level offers qualified (prerequisite of a Level I certificate) participants a regional exercise that is more sophisticated and the opportunity to build collaboration between multiple organizations simultaneously.
  • Level III – National (Leading), June 2015 and July 2015: This level offers qualified participants (prerequisite of a Level II certificate) a comprehensive simulation to evaluate internal and external cyber threat readiness, response and crisis management.