04:29 PM
Dark Reading
Dark Reading
Products and Releases

Healthcare Industry Announces Working Group To Support Cybersecurity Executive Order For Critical Infrastructure Protection

Group brings CISOs of the nations' largest healthcare organizations together with DHS, DHHS

Frisco, TX – February 20, 2013 –The Health Information Trust Alliance (HITRUST) announced today the establishment of a new working group to support the White House Cybersecurity Executive Order. Issued on February 12 by President Obama following his State of the Union address, the policy warns that "the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."

The policy orders, among other areas: cybersecurity information sharing between government and private industry entities; a baseline framework (the "Cybersecurity Framework") to reduce cyber risk leveraging existing industry frameworks and best practices; and identification of critical infrastructure at greatest risk. The policy also calls for sector-specific, voluntary programs to support the adoption of the Cybersecurity Framework.

The HITRUST Cybersecurity Working Group will initially focus on the following deliverable from the Cybersecurity Executive Order:

Baseline Framework to Reduce Cyber Risk to Critical Infrastructure

"The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks".. "and shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible." (Sec. 7)

The healthcare industry recognized more than 18 months ago the potential impact of cyber attacks and intrusions, and the need for industry collaboration with regards to cyber threat intelligence and response. Among other risk factors, the healthcare sector is vulnerable to disruption of information systems and medical devices directly responsible for patient care, as well as those involved in the manufacture and distribution of life sustaining medications and therapies.

It was also recognized that any model developed for responding to these threats would need to include effective and timely sharing of information with government. Since that time, HITRUST has worked with industry and government to create policies and systems that allow anonymity and privacy to ensure critical information is shared without liability concerns by the victim or submitting party.

The result has been a very effective model for public-private collaboration between the healthcare industry and government. The industry is now working closely with government on its existing cybersecurity efforts, including active threat intelligence, information sharing and incident response through the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3).

The HITRUST C3 has a cyber threat information sharing agreement with the Department of Health and Human Services and also participates in the Department of Homeland Security (DHS) Critical Infrastructure Sharing and Coordination Program.

"There is no doubt in my mind that the sharing of cyber threat information and coordinated incident response has benefited both industry and government," said Daniel Nutkis, chief executive officer, HITRUST. "Leaders in industry and government deserve credit for recognizing the importance of this effort, and working to establish and enhance a model through the HITRUST C3 for collaboration, information sharing and threat response."

"The Department of Health and Human Services has first-hand experience that collaboration with industry can provide value to both industry and government," said Kevin Charest, chief information security officer, Department of Health and Human Services. "Our active participation in the HITRUST C3 allows us to share important cyber threat information, interact in a trusted forum with other healthcare organizations, and receive similar information in return. We look forward to participating with industry in the HITRUST Cybersecurity Working Group on cybersecurity best practices."

"This is a call to action to the industry to be more engaged in ensuring we are doing everything practical to prepare for, and respond to, cyber threats," said Jon Moore, chief information security officer, Humana. "While creating a model that allows for industry and government collaboration has been a challenge, this model is continuing to make progress and is a step in the right direction for healthcare."

HITRUST believes the HITRUST Common Security Framework (CSF), the most widely adopted risk-based information protection framework used by healthcare organizations, is well aligned with the controls and best practices necessary to mitigate cybersecurity risks. However, HITRUST recognizes the need for the CSF to continue to evolve to address new technologies and threats. Through the new working group, HITRUST is initiating a thorough review of each relevant control with consideration of cyber losses and risk factors. The outcome of this effort will include updates to the controls in the CSF and guidance on prioritizing implementation of these controls to reflect the associated cybersecurity risks.

For more information on the HITRUST Cybersecurity Working Group or to express interest in participating, please visit hitrustalliance.net/cyberwg.

A roundtable session to share findings and receive comments on the working group findings will convene alongside the HITRUST 2013 conference to be held May 20-22, 2013, in Dallas-Fort Worth.

Supporting Documents

· White House "Executive Order – Improving Critical Infrastructure Cybersecurity:" whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

· HITRUST Cybersecurity Working Group: hitrustalliance.net/cyberwg

· HITRUST C3: hitrustalliance.net/c3


The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.