CyberRX 2.0 to Begin in October

HITRUSTOver 750 Healthcare Organizations to Participate in CyberRX 2.0

HITRUST announced that over 750 healthcare organizations have signed-up to participate in the healthcare industry’s cyber attack simulation exercise, CyberRX 2.0, to begin in October 2014. This overwhelming response is the result of the success and important lessons learned from the inaugural CyberRX exercise held in April 2014. It demonstrates the commitment of the healthcare industry, including the Department of Health and Human Services (HHS), to proactively prepare for cyber events.

“The initial exercise was a significant step toward establishing the CyberRX exercise playbook and formal program and identifying opportunities for greater collaboration and information sharing between organizations, HITRUST and government. We look forward to taking this important program to the next level and supporting broader industry support and engagement with CyberRX 2.0,” said Sara Hall, Deputy CISO, HHS.

In order to accommodate the larger than anticipated number of participants the program has been expanded. CyberRX 2.0 is a three tier program that supports organizations of varying cyber sophistication levels while helping evolve their cyber preparedness maturity and keep pace with mounting, increasingly complex cyber threats to the healthcare industry.

“HITRUST wanted to establish an expanded approach that supports a large percentage of the healthcare industry, allows organizations with varying levels of knowledge and resources to engage in and benefit from the program – while not burdening or minimizing the value to other participants. We believe CyberRX 2.0 will foster participation by organizations across the spectrum and, ultimately, the maturity of the industry as a whole,” said Daniel Nutkis, CEO, HITRUST.

CyberRX is a series of no cost, industry-wide exercises with the mission to mobilize healthcare organizations and explore innovative ways of improving preparedness and response against cyber attacks intended to disrupt the nation’s healthcare operations. The exercises include scenarios targeting information systems, medical devices and other essential technology resources of government and healthcare organizations.

“The healthcare industry continues to be a growing target for cyber attacks. CyberRX 2.0 is a crucial component of an overall strategy be it to prevent, detect and respond. From small and large entities to pharmaceutical and medical devices, there is strength in numbers. Without industry-wide collaboration we will have gaps toward the ultimate goal of protecting confidential privileged information and ensuring we have top-notch healthcare for patients. We are already seeing positive results from the first exercise and we look forward to participating in CyberRX 2.0,” added Roy Mellinger, VP and CISO, WellPoint.

Driven by lessons learned and recommendations from the first event, the expanded CyberRX 2.0 program features progressive local-, regional- and national-level exercises that will allow more participants at all levels of maturity to join based on their type of organization, size and experience with cyber prevention and simulations:

  • Level I – Local (Basic), October 2014 – December 2014: This level offers “table-top” simulations that can be administered by an organization to evaluate their cyber threat readiness and response primarily focused on internal processes.
  • Level II – Regional (Mature), January 2015 – April 2015: This level offers qualified (prerequisite of a Level I certificate) participants a regional exercise that is more sophisticated and the opportunity to build collaboration between multiple organizations simultaneously.
  • Level III – National (Leading), June 2015 and July 2015: This level offers qualified participants (prerequisite of a Level II certificate) a comprehensive simulation to evaluate internal and external cyber threat readiness, response and crisis management. It is anticipated that approximately 50 organizations will be selected. HHS and HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) will also participate.

Participants seeking to progress to the next level of participation must obtain a certification of completion from the prior level. HITRUST will designate CyberRX observers, a list that currently includes all HITRUST CSF Assessor organizations. All organizations, directly participating or not, will also benefit from the CyberRX Exercise Playbook, a set of best practices developed in coordination with the CyberRX steering committee, HITRUST and HHS. The CyberRX 2.0 Exercise Playbook with Level I scenarios will be released on October 1, 2014.

“With healthcare organizations increasingly adopting electronic medical record systems and automating transaction processes, we are seeing more frequent and disruptive breaches in this sector. Healthcare CEOs have to recognize that effective information security management, coupled with industry-wide collaboration and education at the CISO level, are crucial,” said Fred Chang, Director of SMU Lyle’s Darwin Deason Institute for Cyber Security and Bobby B. Lyle Centennial Distinguished Chair in Cyber Security.

CyberRX is one of several important activities HITRUST is spearheading as part of a larger strategy, in collaboration with leading healthcare organizations and government agencies, to enhance industry cyber preparedness and response. These activities have been updated to reflect recommendations from CyberRX 1.0 and include:

  • Healthcare industry cyber security framework, established by enhancing the HITRUST Common Security Framework (CSF) with updates and guidance to ensure controls address emerging cyber threats while incorporating the NIST cyber security framework.
  • Monthly Cyber Threat Briefings, coordinated by HITRUST and HHS, held every month for the industry to learn about recent and emerging cyber threats.
  • HITRUST C3 enhancements to better inform and promote information sharing across the healthcare ecosystem.

Information on the CyberRX 2.0 program and registration, as well as CyberRX 1.0 findings, are available at


The Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information privacy, risk and security leaders, has established a number of programs to support any and all organizations that create, access, store or exchange personal health and financial information. HITRUST is supporting the industry through its framework, assurance program, cyber center, risk management tools, education and leadership. It is also driving the widespread confidence in the industry’s safeguarding of health information through awareness, education, advocacy and other outreach activities. For more information, visit