HITRUST and U.S. Department of Health and Human Services to Expand Industry Cyber Threat Preparedness and Education Efforts
“Government and industry cooperation and coordination are key to effectively and efficiently preparing the industry for cyber attacks,” said Dr. Earl Motzer, Co-Chair of the Healthcare Sector Coordinating Council established under the National Infrastructure Protection Plan (NIPP). “Availability of this information is a positive step in the industry’s cyber threat preparedness.”
The number of cyber attacks targeted at healthcare industry organizations of all types and sizes continues to increase, while research indicates that most healthcare organizations are not adequately addressing cyber threat preparedness and response. The unique, complex and ever-changing nature of cyber threats appears to have made rapid and effective remediation a challenge for many organizations. Some primary gaps include access to cyber-related intelligence specific to healthcare organizations to aid in assessing and prioritizing threats and risks, better education on how to consume and react to cyber threat information, and support for establishing their cyber incident response capability.
An analysis of HITRUST Common Security Framework (CSF) assessments performed over the last year indicates progress has been made in every information security control area across various segments and organizational sizes, although the most progress with regard to cyber security appears to be in larger organizations with annual revenues over $6 billion.
“Collaboration is crucial to reducing cyber threats for the entire healthcare industry, including the government,” said Kevin Charest, Chief Information Security Officer, U.S. Department of Health and Human Services. “These briefings and alerts allow us to better disseminate valuable and critical information to healthcare organizations more effectively so they can better prepare and respond to cyber threats and events.”
“Even with our size and level of our information security program’s maturity, I recognize that participating in a functional information sharing and analysis organization, like HITRUST C3, is key to ensuring we have access to the latest and most accurate threat intelligence,” said Roy Mellinger, Vice President and Chief Information Security Officer, WellPoint, Inc. “I also recognize that we need to make sure every organization in healthcare has access to cyber threat alerts, analysis and best practice information to better protect the entire healthcare industry.”
The health industry’s monthly threat briefings will be free of charge, leveraging the resources and content created by the HITRUST C3 and the U.S. Department of Health and Human Services Computer Security Incident Response Center (HHS-CSIRC) to provide greater and more actionable information on recent, ongoing and prospective cyber threats and events, as well as any lessons learned. The briefings are intended to support healthcare organizations of all sizes and cyber-security maturity levels. The briefings begin in April 2014 and will be held online, lasting 60 – 75 minutes. In addition, the material presented will be made available to those registered. The C3 Alerts, also free of charge, will be issued any time HITRUST C3 identifies a present and immediate cyber-threat relevant to a large number of healthcare organizations, medical devices or systems.
“Having access to alerts, threat intelligence and lessons learned that are relevant to our organization is important, as it helps ensure that we will maximize our efforts in addressing cyber threats. Information protection is a priority for our organization, but we need to be as efficient as possible in doing so,” explained Aaron Miri, Chief Technology Officer, Children’s Medical Center of Dallas. “The sharing of threat intelligence and best practices will aid the industry and help raise the maturity level of the entire industry by allowing all organizations, small and large, to have access to vital cyber threat and best practices through the industry’s information sharing and analysis organization, HITRUST C3.”
Recognizing the growing threats posed by cyber attacks targeted at healthcare organizations, over two years ago, HITRUST established a fully functional cyber-threat intelligence and response capability to protect the U.S. healthcare industry from disruption by these attacks. The HITRUST C3 is the single best source of intelligence on threats targeted at healthcare organizations, systems and medical devices, providing actionable information for strategic planning, tactical preparedness and coordinated responses for both small and large organizations. The center facilitates critical intelligence sharing with industry organizations, the Department of Homeland Security and U.S. Department of Health and Human Services.
“The healthcare industry now has access to many resources in order to prepare and respond to cyber threats and events, such as the C3 monthly briefings, C3 alerts, C3 threat intelligence and incident coordination and the CSF,” said Daniel Nutkis, CEO, HITRUST. “HITRUST will continue working with the U.S. Department of Health and Human Services and HPH Sector Coordinating Council to aid organizations in using these tools to reduce the risk of cyber-related events.”
Recently, HITRUST released version 6 of the CSF, the most widely adopted security control framework in the U.S. healthcare industry, with updates to CSF controls, control mappings and prescriptive guidance based on an analysis of the SANS Critical Security Controls for Effective Cyber Defense, cyber-related breach data and the NIST Cyber Security Framework. This allows healthcare organizations of all types and sizes to have one risk management framework for the protection of health information that contains the requirements and guidance relevant to the healthcare industry.
Most recently, HITRUST, in coordination with the U.S. Department of Health and Human Services, announced plans for the CyberRX exercises in 2014. The exercises will examine both broad and segment-specific scenarios targeting information systems, medical devices and other essential technology resources of the healthcare industry.