On Deck: Healthcare Cyberthreat Updates
HHS Partnering with HITRUST to Provide Monthly BriefingsTo help the healthcare sector better understand the cybersecurity issues it faces, the Department of Health and Human Services and the HITRUST Alliance are partnering to provide monthly cyberthreat briefings.
The briefings, which will begin in April, are designed to help organizations better understand current and emerging cyberthreats and share best practices for defense and response, says a statement issued by the Health Information Trust Alliance.
HITRUST is best known for establishing the Common Security Framework, which can be used by any organization that creates, accesses, stores or exchanges personal health and financial information.
The alliance says the monthly threat briefings will be free of charge, "leveraging the resources and content created by the HITRUST C3 and U.S. Department of Health and Human Services Computer Security Incident Response Center, or HHS-CSIRC, in order to provide greater and more actionable information on recent, ongoing and prospective cyberthreats and events, as well as any lessons learned." HITRUST C3 is the alliance's Cyber Threat Intelligence and Incident Coordination Center, which provides intelligence on threats targeted at healthcare organizations and medical devices.
The 60- to 75-minute briefings are designed to help healthcare organizations of all sizes and cybersecurity maturity levels.
"Collaboration is crucial to reducing cyber threats for the entire healthcare industry, including the government," says Kevin Charest, HHS CIO. "These briefings and alerts allow us to better disseminate valuable and critical information to healthcare organizations more effectively so they can better prepare and respond to cyber threats and events."
A primary gap in the healthcare industry's ability to protect itself from cyberthreats is access to cyber-related intelligence specific to the sector, HITRUST founder and CEO Dan Nutkis tells Information Security Media Group. "This intelligence helps healthcare organizations in rapidly assessing, prioritizing and remediating risks, especially due to the unique, complex and changing nature of today's cyber-attacks in the healthcare space," he says. "Everything from medical devices, conferencing systems, Web servers, printers and edge security technologies can be exploited."
HITRUST research finds the number of cyber-attacks targeted at healthcare organizations of all types and sizes continues to increase, but many healthcare organizations have inadequate cyberthreat preparedness, he notes.
Need for Education
One CISO agrees more cybersecurity awareness and preparedness is needed in healthcare.
"Healthcare, like other industry sectors, must enhance its approach to identifying, responding and preventing cyber-attacks," says Jennings Aske, former security and privacy officer at Partners HealthCare and now CISO at software vendor Nuance. "Healthcare, in my opinion, has not taken the risk associated with cyberthreats as critically as it should. A monthly briefing, along with other vehicles, could play a role in facilitating the 'culture' changes needed to get healthcare organizations to invest in the staff, tools, and processes to reduce the risks associated with cyberthreats."
The organizations likely to benefit the most from these monthly cyberthreat briefings are "all health entities that can be considered 'large enough' to have internal IT staff responsible for managing technology/infrastructure," he says. "Smaller entities, such as a small providers office, likely will not have the knowledge to consume these briefings."
Among updates that would be most helpful to share, Aske says, is information about emerging threat agents that could be used to target common infrastructure used by healthcare organizations.
Other Efforts
The new cyberthreat briefings expand on a collaboration between HHS and HITRUST to conduct cybersecurity drills this year in the healthcare sector. Those exercises, dubbed CyberRX, will involve HHS and several large companies in the healthcare sector to test cybersecurity preparedness and attack response coordination through two mock cyber-attack exercises (see Healthcare Cybersecurity Drills Slated).
Meanwhile, the National Health Information Sharing & Analysis Center also has plans to soon announce a new healthcare sector cybersecurity intelligence initiative, says Executive Director Deborah Kobza, who declined to provide details of the effort.
NH-ISAC is one of several national ISACs in various sectors. It's not involved with HITRUST's cybersecurity efforts, Kobza says.
Aske says he's surprised that HHS is working with HITRUST, rather than NH-ISAC, to create the cyberthreat briefings.
"My former employer, Partners HealthCare, joined the NH-ISAC because we saw the value of an industry specific ISAC that also had ties to other industries. The simple fact is that the threat agents attacking healthcare are industry agnostic. All industries are attacked," he notes. "So, I am confused as to why HHS didn't partner with the NH-ISAC."
HHS officials did not respond to a request for further comment on why it's partnering with HITRUST.