HITRUST Leads Anti-Hacking Effort
Collaborative Effort Will Share Threat Updates, Best Practices
The Health Information Trust Alliance is spearheading an effort to create a clearinghouse of information about hacker attacks against healthcare organizations as well as best practices for addressing these threats.
Fourteen healthcare provider and payer organizations, as well as the U.S. Department of Health and Human Services, are participating in the effort, known as the HITRUST Cybersecurity Incident Response and Coordination Center.
"We see a real benefit in sharing indicators of [cybersecurity] compromises," says Kevin Charest, director and program manager at HHS' Computer Security Incident Response Center. "We fully intend to share best practices. ... The more information we share, the better off everyone will be."
Besides HHS, charter participants include health insurer WellPoint and Dignity Health, a Catholic health system. Charest expects the number of participants will grow once the center launches its initial projects.
"When dealing with cyberwarfare, the more intelligence you have and the quality of that information is key to helping protect your technology ecosystems and sensitive healthcare information," says Roy Mellinger, vice president and chief information security officer at WellPoint. "When my team can obtain more precise information, such as attacks that have specifically targeted healthcare partners or healthcare applications, it allows us to further tune our defensive mechanisms for those type of specific threats. It is tailored information that helps us find that needle in the haystack."
In addition to sharing best practices, the goals of the effort include facilitating the early identification of cybersecurity attacks and coordinating response activities, according to HITRUST. The center will gather information on attacks targeted against networks, mobile devices, workstations, servers and medical devices. And it will share information about threats with the broader industry.
In the first phase of its development, the center will "identify and implement a method to provide meaningful information to all types of organizations and technical competency levels within the entire industry," HITRUST notes.
Charest of HHS says there's "tremendous benefit in being able to validate what an organization is seeing against the broader community. It's important to know if you're being [targeted] alone or if this is a broad-based attack."
And Mellinger is hopeful that as the center matures, it will be able to provide objective forensic analysis and help the industry "to collectively raise the bar on protecting healthcare information and our operations."
Only about 7 percent of the major health information breaches reported since the HITECH Act-mandated breach notification rule took effect in September 2009 have involved hackers (see: Health Breach Tally to Pass 20 Million). But the Utah Department of Health recently experienced a hacker attack that exposed information on 780,000 individuals, the largest such attack reported so far.
Charest points out, however, that in many cases, hackers' malicious activities aren't aimed at breaching information, but, instead, are "geared toward interruption of operations. And we have to guard against that as well."
Mellinger says there's been an increase in "cyber-related attacks, pings, probes and pokes" in healthcare over the past 12 months. "Whether this increase in events and sudden interest in healthcare organizations is related to cybercrime, such as identity theft, cyber-intelligence gathering, such as intellectual property gathering, or cyberterrorism intended to disrupt, it isn't clear. What we do know is that the focus on healthcare systems, information and entities has increased - and that is why it is important to have a centralized clearinghouse for cybersecurity threats targeting our industry."
HITRUST, a not-for-profit organization, is well-suited to coordinate the cybersecurity information sharing effort because it already launched a successful collaborative effort with its Common Security Framework, Charest says. The framework is a free guide to implementing security controls to comply with various regulations, including HIPAA.