
CERT Program Drafts Operational Guide and Hosts Symposium to Spur Better Health Information Exchange System Resilience

May 15, 2013 • Announcement

May 15, 2013—The advent of digital medical record keeping has enabled numerous opportunities for improved and more consistent patient care. Health information exchanges (HIE) represent one such advancement. HIEs enable disparate health care information systems to easily and effectively share digital patient and healthcare information. Their ultimate goal is to provide accurate, timely, and equitable patient care by eliminating the need to rely on slower, more error-prone methods of information exchange, such as telephone, fax, and email. However, the emergence of HIEs has shed light on a number of cybersecurity challenges healthcare providers must address. Cybersecurity incident management is key among them.

With its long history in the field of incident management and resilience, the SEI's CERT Program is well positioned to help HIEs build a cybersecurity incident response capability. To launch this effort, SEI CERT Program researchers have drafted a guide to enable HIEs to remain resilient during cybersecurity incidents and disruptions. Developed in response to a request from the Department of Health and Human Services Office of the National Coordinator, the guide addresses the need to maintain continuity and security in the midst of increasing cyber threats and other disruptions.

The seven-chapter guide is based on the "Service Continuity" process area of the CERT Resilience Management Model (CERT-RMM), a capability model for operational resilience management. "We tailored the information in the CERT-RMM specifically for HIEs," said Sam Merrell, member of the CERT Program engineering staff and leader for the project. "Our team includes people from the CERT Program, who understand cyber security and resilience, as well as representatives from industry, who understand how HIEs work. By bringing together our strengths in both areas, we were able to create a guide that is very specific and very useful for HIEs."

The guide recommends seven activities that range from creating plans for dealing with disruptions to testing and maintaining those plans. The guide also addresses the role of healthcare-specific laws and regulations in relation to maintaining resilience. "HIEs are faced with the same threats and disruptions that affect other organizations, but they also have to navigate those disruptions with HIPAA, state-specific regulations, and other legal considerations in mind. This guide covers those considerations," said Merrell.

Next steps for the guide include a review by subject matter experts. To facilitate this review, CERT will host the CERT Symposium on Cyber Security Incident Management for Health Information Exchanges on June 26 at Carnegie Mellon University's Posner Center in Pittsburgh, Pa. The Department of Health and Human Services, whose initial request led to the creation of the resilience guide for health information exchanges, is the symposium's primary sponsor.

Bringing together representatives from a range of HIEs, the symposium will provide an opportunity to discuss the cyber security challenges facing HIEs and will contribute to improving the overall state of practice. The symposium will also feature presentations by selected experts on topics such as

  • HIPAA compliance during a cybersecurity incident
  • cyber incident reporting and communications
  • cyber security service level agreements in HIEs
  • legal considerations for HIEs when managing a cybersecurity incident
  • continuity and how HIEs can support providers' incident management practices

The symposium's featured speakers include the following: Alexandra (Alix) Goss, Health Information Technology Coordinator for the Commonwealth of Pennsylvania; Lee Kim, an attorney at Tucker Arensberg, P.C. whose practice areas include healthcare technology, information technology, privacy and security, and intellectual property; Greg Porter, founder of Allegheny Digital, an information security company specializing in managed security services, information security risk management and incident response for the health care industry; and Matthew Butkovic, portfolio manager of Infrastructure Resilience in the SEI's CERT Program.

For more information about the CERT Symposium on Cyber Security Incident Management for Health Information Exchanges, please visit the symposium website:

To register for the symposium, please visit