Policy Analysis

This past week, H-ISAC announced the launch of a new tabletop exercise – Cyber Outbreak.

Cyber Outbreak will test the sector’s ability to respond to cyber-threats, share information, and maintain resilience during attacks against critical infrastructure. To do this, we will hold regular tabletops over the next year that evaluate threats against different sub-sectors. The exercises will initially include only members of H-ISAC, but will likely expand to include organizations from other interconnected sectors as well as the Government.

The first exercise in the series will be held on November 27, as the H-ISAC Fall Summit gets underway in Scottsdale, Arizona. The scenario for the first exercise will be derived from the experiences and lessons learned during the “WannaCry” and “NotPetya” attacks. We will test information sharing capabilities between health care organizations as well as other sector-wide response capabilities.

If you’d like to participate in the kick-off exercise, please register here.

Hot Links

The Office of the National Coordinator for Health Information Technology at HHS dropped some big news last week, loosening testing and certification requirements.

First, they reduced the requirements on third-party testing: organizations will now be able to “self-declare” certification on 30 of the 55 certifications that are required. Second, ONC indicated they would not enforce the requirement for third-party testing companies to conduct randomized surveillance on certified health IT products and services.

Having a list of government-approved certification companies may not have been the most efficient way to tackle security auditing, but it’s not like the sector has proved so adept at defending itself. The test of whether this approach works will be if and how enforcement actions take place when a self-declaring certification is exploited.

Read the full blog: https://h-isac.org/wp-content/uploads/2018/05/Newsletter_H-ISAC_Public_092617.pdf

As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of H-ISAC.