HHS Collaborates on Cybersecurity Effort to Carry Out President's Executive Order
As part of efforts to bolster national cybersecurity, the Department of Health and Human Services is collaborating with healthcare industry groups in sharing information about threats, vulnerabilities and remedies, says Kevin Charest, HHS' chief information security officer.
Among groups with which HHS has begun working is the Health Information Trust Alliance, which recently formed a new working group to support the efforts of President Obama's recent cybersecurity executive order. HITRUST is best known for its Common Security Framework, a free guide to implementing security controls to comply with various regulations, including HIPAA.
"We are acting as subject matter experts as the group forms," says Charest of HHS' collaboration with HITRUST.
Earlier this month, Obama signed a long-awaited executive order directing the U.S. federal government to share cyberthreat information with critical infrastructure owners. The order also requires the government to work with business to develop IT security best practices that infrastructure owners could voluntarily adopt (see: Obama Issues Cybersecurity Executive Order).
In addition to HITRUST, HHS will collaborate with other industry groups and organizations that express interest in sharing and disseminating information regarding threats and best practices to deal with them.
"We're not picking winners or losers," says Charest of HHS' participation in the new HITRUST working group. "We're sharing information across a broad spectrum."
That includes sharing information with the healthcare sector about emerging cyber-attackers and issuing advisories on how to protect against those threats, he says. "If we get wind of new phishing capabilities, and new actions to take against those vulnerabilities, that could be shared," he says.
Among other groups that collaborate on cybersecurity-related matters with HHS is the National Health Information Sharing and Analysis Center, he says (see: Addressing Cybersecurity in a Disaster). The center is one of the nation's 18 ISACs that are supporting national critical infrastructure protection.
HHS also encourages the sharing of cybersecurity information among healthcare organizations and other industry players in the private sector. "If we keep this in silos, no one benefits," he says.
Of the thousands of healthcare providers in the U.S., many lack the resources to proactively address emerging security issues, so sharing information can help, he says. "In areas that folks don't have the resources to build out [on their own], this can inform them ... like a public service announcement campaign," he says.
Information from HHS about cyberthreats is also available through the ASPR portal of HHS' Assistant Secretary for Preparedness and Response, he says.
Among cyberthreats that healthcare organizations need to watch for are "adversaries looking to commit identity theft, cause mayhem or gain access to intellectual property," Charest says.
In addition, cyber-attacks can potentially pose more dangerous threats, from preventing clinicians from accessing and sharing patient data to impacting the performance of medical devices and equipment used in patient care.
Preventing those kinds of threats "requires proper 'care and feeding,' from using antiviral software to two-factor authentication," he says.
Although most large health data breaches reported to HHS so far have involved the loss or theft of unencrypted computing devices or unauthorized access involving insiders, Charest suspects that incidents involving outside attackers are more common than the breach statistics show. "Chances are that [intrusions by outsiders] are found and dealt with" by healthcare organizations with little public disruption or notice, he says.
The ultimate goal of the information sharing between the U.S. government and private sector "is to improve the cybersecurity of the U.S., which is in the best interest of the government and healthcare [industry]," he says.