HHS to Fund a Cyber Threat Information Sharing Leader
After Years Without an Official Coordinator, One Organization Will Get Grant Support
(This story has been updated.)
The Department of Health and Human Services will soon issue up to $1.75 million in grants to give a boost to just one organization that will take a lead role in cyber threat information sharing. A top priority of the ramped-up effort to help fight cyberattacks in the healthcare sector is to keep smaller organizations better informed of the latest risks.
"Establishing robust threat information sharing infrastructure and capability within the healthcare and public health sector is crucial to the privacy and security of health information, which is foundational to the digital health system," said Karen DeSalvo, M.D., who heads HHS' Office of the National Coordinator for Health IT. "This coordinated resource will focus on sharing the most up-to-date threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information."
The grants will support one information sharing and analysis organization, or ISAO, that has bi-directional capability to improve the exchange of cyber threat information with HHS and throughout the healthcare sector.
At least two cyber threat information sharing organizations - the National Health Information Sharing and Analysis Center, or NH-ISAC, and the Healthcare Information Trust Alliance, or HITRUST - already serve the healthcare sector. Some observers, however, say efforts by both of these organizations so far have come up short when it comes to keeping smaller organizations well-informed.
NH-ISAC tells Information Security Media Group it plans to apply for the funding. HITRUST, however, hasn't yet decided whether it will apply for the grants, says CEO Dan Nutkis.
While the HHS funding opportunity is open only to organizations that already have an infrastructure and provide cyber information sharing, some observers say NH-ISAC and HITRUST aren't the only potential candidates to compete for the grants.
"This is a government grant, so any not-for-profit can throw its hat in the ring and vie for the grant," says Mac McMillan, CEO of the security consulting firm CynergisTek. "The encouraging thing is that the NH-ISAC has been re-energized of late under [new president] Denise Anderson's leadership, and with the support of College of Healthcare Information Management Executives and other key healthcare organizations, it appears to be on course to join its counterparts in finance and other sectors where the ISAC is a real asset," he says.
"You'll find that whoever gets this grant will be required to develop a system to reach all sectors within healthcare by the government who always has its eye on the smaller provider, not just the big players who frankly can do this for themselves if they wanted to."
Many areas in cyber threat information sharing need improvement in the healthcare sector, McMillan contends. That includes, for example, "having an effective clearinghouse for where the information comes from and is vetted, having an effective mechanism or mechanisms for dissemination, formal cross-entity collaboration processes, etc."
An ONC spokesman tells ISMG: "We encourage every eligible organization to submit applications after which [HHS] will review them to select an ISAO for the healthcare and public health sector."
How Grants Will Be Awarded
ONC and the HHS Office of the Assistant Secretary for Preparedness and Response on July 25 announced two cooperative agreement funding opportunities. The combined funding for an ISAO in the first year will be worth $250,000, but the grant could be renewed for up to five years. ASPR and ONC are issuing separate funding opportunity announcements with scopes of work specific to each funding source, HHS notes. August 25 is the deadline to apply for the funding.
The development of an ISAO for healthcare was called for by the Obama administration under an executive order signed in February 2015, as well as in the Cybersecurity Information Sharing Act signed into law last November.
HHS says the grant funding will help expand the "bi-directional information sharing" and outreach of a currently functioning organization to include HHS and the entire healthcare and public health sector. The grants, however, are "not intended to fund the awardee's entire operation," HHS says.
The organization receiving the grants will:
- Provide cybersecurity information and education on cyber threats affecting the healthcare and public health sector;
- Expand outreach and education activities to ensure that information about cybersecurity awareness is available to the entire healthcare and public health sector;
- Equip stakeholders to take action in response to cyber threat information;
- Facilitate information sharing widely within the healthcare and public health sector, regardless of the size of the organization.
The NH-ISAC has already been working with HHS and others in the healthcare sector in sharing cyber information, notes Anderson, its new president. "The NH-ISAC recognizes the need for the healthcare and public health sector to receive information and education about threats more broadly as some of the smaller sector stakeholders are the most vulnerable. Many of our board members believe it is their mission to help out the more vulnerable organizations within the sector and that a rising tide floats all boats."
HITRUST, which already is a federally recognized ISAO in the healthcare sector, says in a statement provided to ISMG: "We have published numerous progress reports on the effectiveness of cyber information sharing within the healthcare industry and the efforts HITRUST, through our Cyber Threat Xchange [service], has taken and has planned to undertake to address and advance cyber information sharing in the industry. With that said, there is always room for more to be done."
The HHS grants are trying to make it more affordable for smaller public health and private healthcare entities to tap into cyber information sharing services, HITRUST notes.
"For over two years, HITRUST has provided access to the HITRUST CTX free of charge for any healthcare organization regardless of size," says HITRUST CEO Nutkis. "This includes access to both industry and government indicator of compromise feeds and detailed threat reports."
In addition, HITRUST has held free monthly cyber threat briefings in partnership with the Department of Homeland Security to educate individuals on emerging cyber threats and preventive measures, he notes.
"It should be no surprise that smaller healthcare organizations have challenges given the available resources both financial and technical given their larger counterparts, and HITRUST has been actively studying the challenges these organizations have with regards to implementing appropriate security controls including those to effectively defend and respond to cyber threats," Nutkis says. "We intend to expand our capabilities in the very near future to better address these needs."
Threat Info Sharing Lacking
Harris Health System, which was awarded a one-year, $150,000 HHS grant to help identify ways to share cyber threat information, will release its final report from that study by Sept. 30, says Jeffrey Vinson, CISO at the system.
The organization briefed HHS in March on some of the preliminary results of the first part of its study. "We discovered the healthcare sector wants to be able to share cyber threat information but doesn't currently have a way to do it, which isn't shocking," he says.
Vinson says he's not certain whether Harris will apply for the latest grant opportunity, "but given our knowledge and work in this area it would make sense if we did apply for a new grant."
Bolstering cyber information sharing in the healthcare sector is critical, Vinson says. "Cyber threat information is extremely important to the healthcare sector and public health because the industry lags behind the other industries when it comes to robust cybersecurity, and last year healthcare was under heavy attack," he says.
"Not many of us in the healthcare sector even understand how these organizations were breached, so we have no idea how to better protect ourselves from these attacks."