Cyber Fire Drills: A New Tool to Fight Healthcare Cyberattacks

By Josh Ablett

Healthcare is under constant cyberattack by malicious actors. Nearly 6,000 healthcare data breaches were reported to the HHS Office for Civil Rights (OCR) between 2009 and 2023. This is a staggering problem for the healthcare industry: 519,935,970 healthcare records have been breached, which is more than 1.5 times the population of the entire United States.

And while we certainly didn’t need another reminder about why cybersecurity is important, the recent attack on Change Healthcare has had a devastating ripple effect through the entire industry. One-third of Americans had their sensitive health information exposed in that breach, and thousands of small practices have been crippled for months, unable to process payments.

As the problem gets worse, new techniques are needed to fight back and limit the impact of cyberattacks. One newer technique that’s starting to gain traction is the cyber fire drill. This article explores what cyber fire drills are and how they can help healthcare organizations mitigate the damage of cybersecurity attacks.

What Is A Cyber Fire Drill?

Cyber fire drills are short, targeted simulations that mimic real-world cybersecurity attacks. They’re designed to take just a few minutes and can be completed from an employee’s computer or phone in between other tasks.

Unlike traditional cybersecurity training, which relies on generic videos and easy quizzes to teach broad concepts like “what is phishing,” cyber fire drills present real-world scenarios. Each simulation is customized to the company participating in it, and the participants get to be “a part of the story,” choosing what they would do in response to realistic situations.

While the drills are engaging for employees, they’re also hugely valuable to the organization’s leadership. Like all simulations, they both train AND test, and they produce specific, actionable data that helps leadership focus limited resources on the most impactful cybersecurity priorities.

The medical industry is no stranger to the idea that “practice makes perfect.” Residencies, shadowing, and surgical simulations all build the muscle memory clinicians need to handle real-world emergencies. The cyber fire drill is the same idea, applied to cyberattacks.

How Do Cyber Fire Drills Work?

Cyber fire drills are delivered through a website that participants open in their browser. The drills typically focus on high-risk scenarios relevant to healthcare organizations. A few common example fire drills include:

  1. A hacker steals PHI after taking over an employee’s email account (for example, Microsoft 365 or Google Workspace).
  2. A hacker steals PHI after taking over an employee’s account in the Electronic Medical Record (EMR) system (such as Epic).
  3. A hacker tricks one of your employees into paying a large, fraudulent invoice.

Sadly, these are all realistic attacks that are happening every day to both large and small healthcare organizations.

Why Do Cyber Fire Drills Work?

Cyber fire drills deliver several benefits in healthcare organizations:

  • By simulating actual attacks, cyber fire drills help employees build “muscle memory” for identifying and responding to suspicious activity.
  • The drills give IT and security leaders highly actionable data about the company’s strengths and weaknesses, showing them how and where to focus limited resources.
  • Under the HIPAA Security Rule, the Contingency Plan standard (§ 164.308(a)(7)) includes an addressable implementation specification to “Implement procedures for periodic testing and revision of contingency plans” (§ 164.308(a)(7)(ii)(D)). Cyber fire drills directly address this specification and support others, such as Security Awareness and Training (§ 164.308(a)(5)) and Security Incident Procedures (§ 164.308(a)(6)).
  • Healthcare breaches are the most expensive of any industry, costing more than twice the global average. Cyber fire drills shorten the time it takes to respond, and faster containment drives down the overall cost of a breach.
  • Regular drills allow organizations to refine their incident response processes, keeping them effective by running tests against “ripped from the headlines” incidents that represent new threats.
  • Participation in cyber fire drills may positively affect cybersecurity insurance premiums. Many cybersecurity insurers now ask whether you “periodically test your incident response plan.”

It’s also important to note that cyber fire drills are equally valuable to Covered Entities and Business Associates, since both are frequent victims of cyberattacks.

Challenges in Implementing Cyber Fire Drills

Despite clear benefits, healthcare organizations may face challenges when first implementing cyber fire drills:

  • Healthcare professionals are busy and don’t always control how they spend their time. Choose an approach that takes just a few minutes and can be completed in between other tasks.
  • Creating realistic, relevant scenarios can be challenging. Partner with vendors who can bring you pre-built scenarios that are relevant to your organization and your industry.
  • While using simulations for training and testing is not a new idea, using cyber fire drills to simulate cybersecurity attacks is a relatively new concept. Expect some questions from people who are new to the idea.

How to Run Your Own Cyber Fire Drill

To maximize the effectiveness of cyber fire drills, healthcare organizations should consider the following best practices when designing their own fire drills:

  • Start from the point AFTER the attacker gets in. Design fire drills that assume “the call is coming from inside the house,” for example an attacker who already has a working session in an employee’s mailbox or EMR account. An effective simulation tests how well you respond to a successful attack, not just how well you prevent it.
  • Focus less on technology and more on communications and escalation. Companies facing real-world attacks waste an inordinate amount of valuable time in the early stages of an incident, and that lost time directly translates into more disruption to the business and a higher overall cost. Drills should test and streamline decision-making and communication processes; a useful yardstick is how many decisions (or minutes) pass before someone with the authority to contain the incident is told about it.
  • Do them frequently. While an annual drill may be enough to document “periodic” testing under HIPAA, there are scores of ways your company could be breached. Best practice is to conduct drills at least monthly so that different scenarios and attack mechanisms are covered.
  • Find a way to measure progress. Most cyber fire drill platforms include a scoring system that calculates how well you did during the simulation. Use this as a baseline to measure improvement over time, and record scores per scenario rather than only as an overall average, since a good average can hide one scenario that everyone fails. Simulations can be re-run to demonstrate progress.
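To make the scoring and escalation ideas concrete, here is a small drill engine added as an illustration; it is not code from any cyber fire drill vendor’s platform. The scenario (an attacker who already controls a clinician’s mailbox, modelled on example 1 above), the point values, and the participant answers are all constructed for the example. It scores each participant, counts how many decisions pass before anyone escalates to the helpdesk, and rolls a cohort up into the few numbers leadership needs: average score, how many people never escalated, and which step was failed most often.

```python
"""Minimal cyber fire drill engine: branching scenario, per-choice scoring,
escalation tracking, and a cohort roll-up.  Added illustration only; the
scenario, point values and participant answers are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Choice:
    points: int                 # answer-key score for this choice (0 = worst)
    escalates: bool             # True if the choice notifies IT/security
    next_step: Optional[str]    # None ends the drill


@dataclass(frozen=True)
class Step:
    prompt: str
    choices: Dict[str, Choice]


@dataclass
class DrillResult:
    participant: str
    score: int
    max_score: int
    decisions_before_escalation: Optional[int]  # None = never escalated
    weak_steps: List[str]                       # steps scored below the best choice


# Constructed scenario: the attacker is already inside the mailbox.
SCENARIO: Dict[str, Step] = {
    "sent_folder": Step(
        "Your Sent folder shows messages you never wrote, and a new inbox rule "
        "forwards everything to an outside address. What do you do first?",
        {"delete_rule_and_continue": Choice(0, False, "patient_reply"),
         "email_helpdesk":           Choice(1, True,  "patient_reply"),
         "call_helpdesk_now":        Choice(3, True,  "patient_reply")}),
    "patient_reply": Step(
        "A patient replies to one of the forged messages asking why you "
        "requested their insurance card and date of birth. What next?",
        {"apologise_and_ask_them_to_ignore": Choice(0, False, "password"),
         "tell_them_not_to_send_and_report":  Choice(3, True,  "password")}),
    "password": Step(
        "The helpdesk asks you to change your password. The forwarding rule "
        "is still in place. What do you do?",
        {"change_password_only":                        Choice(1, False, None),
         "change_password_revoke_sessions_remove_rule": Choice(3, False, None)}),
}

# Constructed answers for one month's cohort (participant -> step -> choice).
MONTH_ONE: Dict[str, Dict[str, str]] = {
    "alice": {"sent_folder": "call_helpdesk_now",
              "patient_reply": "tell_them_not_to_send_and_report",
              "password": "change_password_revoke_sessions_remove_rule"},
    "bob":   {"sent_folder": "delete_rule_and_continue",
              "patient_reply": "apologise_and_ask_them_to_ignore",
              "password": "change_password_revoke_sessions_remove_rule"},
    "carol": {"sent_folder": "email_helpdesk",
              "patient_reply": "tell_them_not_to_send_and_report",
              "password": "change_password_only"},
}


def run_drill(participant: str, answers: Dict[str, str],
              scenario: Dict[str, Step] = SCENARIO,
              start: str = "sent_folder") -> DrillResult:
    """Walk the scenario graph with one participant's answers."""
    score = max_score = decisions = 0
    escalated_at: Optional[int] = None
    weak: List[str] = []
    step_id: Optional[str] = start
    while step_id is not None:
        step = scenario[step_id]
        if answers.get(step_id) not in step.choices:
            raise ValueError(f"{participant}: no valid answer for step {step_id!r}")
        chosen = step.choices[answers[step_id]]
        best = max(c.points for c in step.choices.values())
        score += chosen.points
        max_score += best
        if chosen.points < best:
            weak.append(step_id)
        if chosen.escalates and escalated_at is None:
            escalated_at = decisions          # decisions made before this one
        decisions += 1
        step_id = chosen.next_step
    return DrillResult(participant, score, max_score, escalated_at, weak)


def cohort_summary(answers_by_participant: Dict[str, Dict[str, str]]) -> dict:
    """Roll a cohort's results up into the numbers leadership wants."""
    results = [run_drill(p, a) for p, a in answers_by_participant.items()]
    pct = [100 * r.score / r.max_score for r in results]
    weakest = Counter(s for r in results for s in r.weak_steps).most_common(1)
    return {
        "mean_score_pct": round(sum(pct) / len(pct), 1),
        "never_escalated": sum(r.decisions_before_escalation is None for r in results),
        "weakest_step": weakest[0][0] if weakest else None,
    }


if __name__ == "__main__":
    print(cohort_summary(MONTH_ONE))
```

Re-running the same scenario a month later and diffing the two summaries gives the baseline-versus-progress view the bullet above describes; the `weakest_step` field is the one to act on first, because it points at a specific decision that training or a clearer escalation path can fix.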

The Future of Cyber Fire Drills in Healthcare

We expect that cyber fire drills will only become more realistic in the future with some key technological advancements:

  • Artificial Intelligence (AI) is already being used to customize scenarios for each company and to create more engaging, realistic simulations, and it may in future be used to predict and simulate emerging threat vectors.
  • Integration with other systems in each company’s environment could offer more immersive, realistic simulation environments for more complex scenarios in the future.

Recommended Next Steps

For healthcare organizations looking to implement a cyber fire drill program, we recommend the following steps:

  • Look for experts that specialize in cyber fire drills that are relevant to the systems and processes you use in your company.
  • Work with your CISO, vCISO, or IT company to find vendors and discuss alternative approaches.
  • Aim for monthly drills to cover a wide range of potential scenarios over a year.

Practice Makes Perfect

Practice makes perfect, whether it’s in sports, medicine, or cybersecurity.

The reason to practice for cybersecurity attacks is simple – with attacks becoming more frequent and more expensive, you want to make sure that you don’t lose valuable time to confusion and chaos.

Cyber fire drills give you a way to test how well you do before you’re hit, and they give you specific, actionable recommendations for improvement. Best of all, they do it in a way that barely takes any time away from running your business and caring for patients.


Posted by

Josh Ablett

Josh Ablett, CISSP, has been involved in cybersecurity for almost 20 years. He has implemented cybersecurity programs that have passed audits by various regulatory agencies and built security programs compliant with regulations like NIST 800-171, HIPAA, GLBA, and state privacy laws. Josh has worked with companies of different sizes, from small teams of 5 to large organizations with up to 50,000 employees. Josh served as vCISO at AdeliaRisk. Before this, he worked for several cybersecurity vendors on projects for Fortune 500 clients. Josh began his career in cybersecurity as SVP/Head of Fraud and Global Insider Threat at the Royal Bank of Scotland (RBS). Josh is currently co-founder at ChaosTrack.