Why Healthcare Needs to Standardize Threat Info Sharing
Harris Health System CISO Jeffrey Vinson Discusses Research Findings
Cyber threat information sharing in the healthcare sector urgently needs to be standardized so organizations can take appropriate action based on the intelligence, says Jeffrey Vinson, CISO of Harris Health System.
That's one of the conclusions of the health system's ongoing research funded by the U.S. Department of Health and Human Services, Vinson says in an interview with Information Security Media Group.
A national survey that Harris conducted confirmed that while many healthcare organizations are using cyber threat information sharing methods, they're getting relatively little value from them. "The platforms are there, [but] they are not mature, and they're not standardized so that [healthcare organizations] can get true actionable intelligence from the information that is coming to them," he explains.
"So what we identified as initial gaps is that we need to standardize what's being sent to the organizations. We need more organizations to participate [by] sharing the information that's out there. We [also] have ... resource challenges when it comes to digesting this information and learning how to use this information to better protect their organizations."
After completing a survey to identify cyber threat information sharing gaps, Harris Health System is now wrapping up a second survey on "capacity planning" - or what information is needed by healthcare organizations.
"With healthcare being under attack last year in some of the largest breaches ever, we are not as mature as we should be when compared with other sectors," Vinson notes.
New HHS Initiative
HHS recently announced plans to award up to $1.75 million in grants to an information sharing and analysis organization that will take a lead role in improving the exchange of cyber threat information.
Harris Health System is applying for the new grants, Vinson acknowledges. Among those that it will be competing against is the National Health Information Sharing and Analysis Center, which already helps to facilitate cyber threat information sharing in the healthcare sector.
In the interview, Vinson also discusses:
- His assessment of how well-equipped the healthcare sector is to address the surge of cyberattacks, including ransomware assaults;
- Areas of improvement needed to better respond to ransomware attacks;
- Why many healthcare organizations focus too heavily on "checking boxes" in their compliance efforts rather than addressing broader cybersecurity issues.
Vinson is vice president and CISO at Harris Health System, which includes 23 community health centers and several hospitals. He has more than 20 years of information security leadership experience, including work in the military, financial services and healthcare sectors, as well as the federal government. He previously worked as a technical director at the National Security Agency. Vinson led penetration testing exercises while working at NSA, and he has created security operations teams for financial services and healthcare organizations.