CyberRX: Health plans cyber simulation exercise

After-action report

Recent events have raised awareness of the increase in cyber threats and attacks targeted at the health plan industry. Cyberattacks provide little forewarning and can occur suddenly or over a period of time. This variability requires health plans to focus on cyber incident readiness, response, and recovery. With these factors in mind, HITRUST enlisted Deloitte Advisory to design and conduct the CyberRX: Health plans cyber simulation exercise with the goal of testing the capabilities of a group of health plans to respond to a wide-scale cyberattack.

Putting health plans to the test

CyberRX 2.0 is a scenario-based exercise program to assess the cybersecurity response preparedness of healthcare organizations. This series of no-cost, industry-wide exercises created and coordinated by HITRUST in conjunction with the Department of Health and Human Services (HHS), with the mission to mobilize healthcare organizations and explore innovative ways of improving preparedness and response against cyberattacks intended to disrupt the nation’s healthcare operations. CyberRX: Health Plans is a cyber simulation exercise designed specifically for health plans and insurers. The exercise was facilitated and observed by Deloitte Advisory Cyber Risk Services.

Exercise objectives

  1. Test organizations’ abilities to detect, comprehend, and respond to cyber incidents
  2. Practice cyber incident response and identify effective practices for the health plan industry
  3. Highlight the roles of HITRUST, HHS, and health plan industry partners before, during, and after cyber incidents
  4. Identify areas for improvement for industry-wide cyber resilience

Exercise overview

To provide participants the opportunity to test their cyber incident readiness and to identify ways to enhance existing cyber incident response plans and processes

250 individuals from 12 health plans across 13 US states

Delivery structure
During a four-hour session, participants responded to systematically delivered cyber incident simulation content, discussing necessary response actions and key decisions to be made

Simulation scenario
A threat actor compromised the systems of a fictitious health plan company, gaining access to member protected health information and initiating fraudulent health claims on a mass scale

Participant learnings

The nature of cyber incidents

  • Cyberattacks are becoming increasingly pervasive and sustained, and can quickly escalate into significant business crises
  • Open and accurate lines of communication are critical components of incident response and should consider internal parties, third parties, law enforcement, and government agencies

The cyber incident lifecycle

  • Cyber incidents can take months or years to recover from; recovery objectives must factor in both capabilities enhancements as well as confidence enhancements
  • Incident response requires cross-functional coordination, documentation, and stakeholder communication

Improving preparedness

  • It is imperative that incident response plans include specific communication and team processes
  • Simple, flexible, and distributed plans provide guidance to responsible parties throughout the organization
  • Understand where and when outside help is needed to assist and have a way of getting these capabilities beforehand
  • Regularly conducting cyber simulations will build muscle memory among cyber incident responders

Did you find this useful?