"Unlike financial services, where you're just dealing with primarily banking and loan information, we're dealing with small providers, small doctors' offices and clinics, and diagnostic centers. And we're dealing with medical devices and manufacturers," Mellinger says. "We're dealing with hospital systems. We're dealing with the payer industry. So how do you coordinate intelligence information and expertise across those varying types of entities?"
Not surprisingly, the exercise also pointed out that the ability of similar organizations to respond to a cyberthreat varies based on the maturity and experience of each organization's IT systems and leadership teams.
Early Warning System Needed
Jim Koenig, principal global leader, commercial privacy, cybersecurity and incident response for Booz Allen Hamilton, says "all of the new players present increased opportunities for risk, and systems that haven't become necessarily stable, and all of that happening at once creates a new set of risk profiles." Koenig acted as observer for the CyberRX exercises on behalf of the exercise's organizers, HHS and the Health Information Trust Alliance (HITRUST).
Rapid changes in healthcare technology are all the more reason for an early warning system, because a number of organizations may be subject to the same potential threat and the same potential players, or a vendor who may be vulnerable within the chain, Koenig says.