Anti-Hacking Initiative: Will It Succeed?Collaborators Have Big Plans for Addressing Threats
Information sharing can play a key role in thwarting hacker attacks that potentially target more than one healthcare organization. That's why it's good news to learn of a new effort to create a clearinghouse for sharing attack information and developing best practices to thwart hackers (see: HITRUST Leads Anti-Hacking Effort).
On paper, the Health Information Trust Alliance's new Cybersecurity Incident Response and Coordination Center is an excellent, timely concept. I'm hopeful the collaborators involved will work closely together to achieve their lofty goals.
It's important to know if you're being targeted alone or if this is a broad-based attack.
Charter participants include 14 healthcare provider and payer organizations, as well as the U.S. Department of Health and Human Services. It's particularly good news that HHS is involved, because it already has experience in sharing cyberthreat information among its many units through its own Computer Security Incident Response Center, and it can share important lessons learned.
In addition to sharing best practices, the goals of the effort include facilitating the early identification of cybersecurity attacks and coordinating response activities, according to HITRUST. The center eventually will share information about threats with the broader healthcare industry.
Putting Attacks in Context
Kevin Charest, director and program manager at HHS' Computer Security Incident Response Center, says there's "tremendous benefit in being able to validate what an organization is seeing against the broader community. It's important to know if you're being [targeted] alone or if this is a broad-based attack."
Roy Mellinger, chief information security officer at WellPoint, a health insurer that's a charter participant, is hopeful that as the center matures, it will be able to provide objective forensic analysis and help the industry "to collectively raise the bar on protecting healthcare information and our operations."
I recently reported about a similar effort by the Consortium for Advancement of Security on the Internet, which involves eight major IT players. That group has developed a free framework designed to make it easier to exchange information about security vulnerabilities.
Mellinger points out: "There's an old saying: 'Intelligence wins wars.'" That's why he's so supportive of healthcare organizations working together to gather and share information on hacker attacks. He says that there's been an increase in "cyber-related attacks, pings, probes and pokes" in healthcare over the past 12 months.
Only about 7 percent of the major health information breaches reported since the HITECH Act-mandated breach notification rule took effect in September 2009 have involved hackers (see: Health Breach Tally to Pass 20 Million). But the Utah Department of Health recently experienced a hacker attack that exposed information on 780,000 individuals, the largest such attack reported so far.
Charest points out, however, that in many cases, hackers' malicious activities aren't aimed at breaching information, but, instead, are "geared toward interruption of operations. And we have to guard against that as well."
Let's hope that the new HITRUST Cybersecurity Incident Response and Coordination Center evolves into an effective effort to help thwart hacktivists and cyberthieves.