Analysis: HHS' Threat Info Sharing PlanWhy Officials Are Reassessing What Approach Works Best
The Department of Health and Human Services is reassessing how its many internal agencies, and the entire healthcare sector, can boost cyberthreat intelligence sharing and analysis as more patient records are digitized and shared.
That assessment includes HHS evaluating whether it should create a new information sharing and analysis "structure" to harness the growing volume of cyber-intelligence coming from multiple sources. It's also evaluating another option: leveraging an existing organization to improve collection, analysis and dissemination of cyber-intelligence, HHS officials tell Information Security Media Group.
The recognition of the importance of cyberthreat intelligence sharing, combined with an evolving healthcare ecosystem, prompted HHS' Office of the National Coordinator for Health IT to include plans for "the establishment of an information sharing and analysis center" in ONC's federal health IT strategic plan for 2015 to 2020, which was released this week, HHS officials explain (see Federal Strategic Health Plan Issued).
That section of the strategic plan created confusion, however, because the healthcare sector already is served by the National Health-ISAC.
NH-ISAC already is working with several federal agencies, including the Food and Drug Administration, a unit of HHS, and the National Institute of Standards and Technology, on cybersecurity-related initiatives for the healthcare sector (see Ramping Up Medical Device Cybersecurity).
But HHS also works with other government and non-government entities on cyber-intelligence related activities. That includes sharing cyber-intelligence with the FBI and Department of Homeland Security, as well as conducting healthcare sector cyberdrills with the private sector's Health Information Trust Alliance, or HITRUST.
The healthcare sector has changed dramatically since ONC's last federal health IT strategic plan was issued in 2011, HHS officials point out. For instance, electronic health records are far more common, thanks to the HITECH Act financial incentive program.
With more records being digitized and exchanged, HHS wants to make sure that information about potential cyberthreats is shared in a timely way. In addition to keeping healthcare organizations of all sizes well-informed, HHS wants to ensure that its many units, including ONC, FDA, Centers for Disease Control and Prevention, Centers for Medicare and Medicaid Services, and others - are kept up to date and ready to respond to emerging cyberthreats and vulnerabilities.
"Big or small ... it's important actionable information gets to all levels of stakeholders in the health ecosystem," Julie Chua, lead information security specialist in ONC's office of the chief privacy officer, tells ISMG.
No deadline has been set for a decision about the approach HHS will take to boost cyberthreat information sharing, HHS officials say. HHS will take into consideration the public comments it receives on the federal health IT strategic plan.
Meanwhile, NH-ISAC leaders don't appear to be too concerned about the possibility that another healthcare information sharing and analysis structure could be created by federal officials that potentially could compete with its own efforts.
"As the recognized ISAC for the nation's healthcare and public health critical infrastructure ... the NH-ISAC fully supports the federal health IT strategic plan," says Deborah Kobza, NH-ISAC executive director in a statement to ISMG.
The organization has approximately 150 members, including large hospital systems that have multiple facilities, and pharmaceutical firms, NH-ISAC leaders say (see NH-ISAC Offers Cyber-Intelligence Tool).
NH-ISAC has been growing its membership, which also includes health plans, medical equipment and supplies companies, health IT and medical device makers, blood banks, and medical laboratories, Kobza says. Additionally, the organization is trying to make itself accessible to smaller healthcare entities with more limited information security budgets, she says.
"We worked closely with the health sector to define our membership model in order to ensure that all members have access to the same products and services, whether a small rural hospital or clinic, or large healthcare organizations," she says. "Membership [fees] are based a member's business structure - non-profit or for-profit, and annual revenue," as well as whether an entity is an academic institution or a state government agency, she says. "This all especially supports small health organizations with slim resources."
But some say that participation in NH-ISAC remains too costly for many organizations.
"I am not a member of the NH-ISAC. Too expensive. Five times the amount from the IT-ISAC," Phil Curran, chief information assurance and privacy officer at Cooper University Health Care in Camden, N.J., tells ISMG. "The cost, I believe, is making healthcare entities think twice about joining, especially the medium to small entities, which really need the help."
Still, the possibility of the healthcare sector having a new ISAC led by HHS isn't the best alternative, either, he argues. "I believe the ISAC needs to be a non-government entity as they would have the flexibility and speed to respond to incidents," he says. "People would also trust their information would not be used against them in a type of investigation. Either HITRUST or the current NH-ISAC - with reduced pricing - would be the best organization to develop the process. The healthcare industry definitely needs to catch up."
As for HITRUST, the organization "plans to continue to collaborate with HHS and hopes the revised sharing approach will simplify, streamline and allow greater resources be made available to support industry and cyber threat sharing organizations, like HITRUST Cyber Threat Intelligence and Incident Response Center (C3)," says Daniel Nutkis, HITRUST CEO.
HITRUST is best known for establishing the Common Security Framework. That framework is designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information.
"HHS has communicated its intention to better align and coordinate federal resources in support of industry's cyber preparedness and response, and if the HHS ISAC is the vehicle to accomplish that, we applaud HHS for addressing this growing concern and welcome the opportunity to collaborate with the many policy advisors," Nutkis says.
Curran says that whatever model HHS chooses to support, it's vital that the healthcare sector improve cyber-information sharing, and make it wider-reaching. Many healthcare sector entities are struggling to deal with emerging threats as well as current challenges, including the POODLE flaw and wiper malware, as well as insider threats, Curran notes.
"We absolutely need to do a better job in cyber-intelligence sharing," Curran says. "We need to be as inclusive as we can. The more information we have, the better prepared and the better our response."