8/22/2014
03:50 PM

Healthcare Industry, Feds Talk Information Sharing

Representatives from the healthcare industry as well as government discuss the importance of threat intelligence-sharing in light of the Community Health Systems breach.

When Community Health Systems admitted in a filing with the Securities and Exchange Commission (SEC) that it had been breached in April and June, it shined a spotlight on cybersecurity in the healthcare industry.

In the days since, reports have surfaced linking the incident to the Heartbleed vulnerability. As the details have trickled out, inside the industry the focus has been on getting information about the incident that could be used to prevent any similar attacks.

In its Monthly Cyber Threat Briefing, the Health Information Trust Alliance (HITRUST) and representatives from the FBI, Department of Homeland Security (DHS), Department of Health and Human Services (HHS), and healthcare company WellPoint met to discuss the security challenges that are facing the industry and the importance of information sharing.

Many of the organizations that reached out in the aftermath of the revelation of the Community Health Systems breach wanted to know not only what happened, but also how they could communicate internally with their organization about the attack and mitigate any risks, Dan Mutkis, CEO of HITRUST, explains in the briefing.

"Given the information we had [at the time], it was very difficult for us to provide that," he says.

FBI Supervisory Special Agent Michael Rosanova notes that the FBI sometimes has a difficult time sharing classified information about cyber attacks, adding that interacting with the private sector this way is relatively new to the FBI.

"Having spent nearly 20 years working both criminal cases and national security … [information sharing] was a one-way street, and now we're realizing as an organization that it's a partnership," he says in the briefing. "It's 50/50. And we're now understanding that we have to build that bridge and make that a strong … partnership, and we're trying to determine how best to do that, while also maintaining the integrity of the intelligence that we have.

"If we have information that needs to get to you, we'll do the best we can to get it to you as expeditiously as possible," says Rosanova.

Jason Lay, senior threat analyst and manager for cyber threat information at HHS, echoed Rosanova's comments, stating that HHS was constantly looking for ways to refine the procedures for interacting with the private sector.

That may very well be good news for the healthcare industry, which increasingly has been the target of attacks. According to Websense, there has been a significant global spike in malicious activity attempted against hospitals beginning in October 2013. August 2014 has seen a 600 percent increase in such activity, compared to the average amount prior to October, according to the firm.

"Healthcare professionals also have an increased tendency to try and get around IT security policy in order to better serve their patients," Charles Renert, vice president at Websense Security Labs, says in an email. "The stakes couldn’t be higher. When a doctor or nurse needs access to computing resources or data because a patient’s health is at risk, IT policy takes a back seat in the heat of the moment and can lead to increased risk to cyber threats or insecure access and storage of sensitive information."

The industry has a large footprint for exposure compared to other industries, due to the amount of information sharing that has to go on among physicians, clinics, pharmacies, and other parties, notes WellPoint CISO Roy Mellinger in the HITRUST briefing.

"It really is an interesting time, I think, to be a healthcare CISO or the person responsible for security in healthcare," says Mellinger. "It doesn’t matter if you’re an insurer or a payer, if you're a hospital or a provider, or a device manufacturer. We're all in this together."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...
