Dark Reading

Healthcare Industry Announces Working Group To Support Cybersecurity Executive Order For Critical Infrastructure Protection

Group brings CISOs of the nation's largest healthcare organizations together with DHS, DHHS

Frisco, TX – February 20, 2013 – The Health Information Trust Alliance (HITRUST) announced today the establishment of a new working group to support the White House Cybersecurity Executive Order. Issued on February 12 by President Obama following his State of the Union address, the policy warns that "the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."

The policy orders, among other areas: cybersecurity information sharing between government and private industry entities; a baseline framework (the "Cybersecurity Framework") to reduce cyber risk leveraging existing industry frameworks and best practices; and identification of critical infrastructure at greatest risk. The policy also calls for sector-specific, voluntary programs to support the adoption of the Cybersecurity Framework.

The HITRUST Cybersecurity Working Group will initially focus on the following deliverable from the Cybersecurity Executive Order:

Baseline Framework to Reduce Cyber Risk to Critical Infrastructure

"The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks" ... "and shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible." (Sec. 7)

The healthcare industry recognized more than 18 months ago the potential impact of cyber attacks and intrusions, and the need for industry collaboration with regard to cyber threat intelligence and response. Among other risk factors, the healthcare sector is vulnerable to disruption of information systems and medical devices directly responsible for patient care, as well as those involved in the manufacture and distribution of life-sustaining medications and therapies.

It was also recognized that any model developed for responding to these threats would need to include effective and timely sharing of information with government. Since that time, HITRUST has worked with industry and government to create policies and systems that allow anonymity and privacy to ensure critical information is shared without liability concerns by the victim or submitting party.

The result has been a very effective model for public-private collaboration between the healthcare industry and government. The industry is now working closely with government on its existing cybersecurity efforts, including active threat intelligence, information sharing and incident response through the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3).

The HITRUST C3 has a cyber threat information sharing agreement with the Department of Health and Human Services and also participates in the Department of Homeland Security (DHS) Critical Infrastructure Sharing and Coordination Program.

"There is no doubt in my mind that the sharing of cyber threat information and coordinated incident response has benefited both industry and government," said Daniel Nutkis, chief executive officer, HITRUST. "Leaders in industry and government deserve credit for recognizing the importance of this effort, and working to establish and enhance a model through the HITRUST C3 for collaboration, information sharing and threat response."

"The Department of Health and Human Services has first-hand experience that collaboration with industry can provide value to both industry and government," said Kevin Charest, chief information security officer, Department of Health and Human Services. "Our active participation in the HITRUST C3 allows us to share important cyber threat information, interact in a trusted forum with other healthcare organizations, and receive similar information in return. We look forward to participating with industry in the HITRUST Cybersecurity Working Group on cybersecurity best practices."

"This is a call to action to the industry to be more engaged in ensuring we are doing everything practical to prepare for, and respond to, cyber threats," said Jon Moore, chief information security officer, Humana. "While creating a model that allows for industry and government collaboration has been a challenge, this model is continuing to make progress and is a step in the right direction for healthcare."

HITRUST believes the HITRUST Common Security Framework (CSF), the most widely adopted risk-based information protection framework used by healthcare organizations, is well aligned with the controls and best practices necessary to mitigate cybersecurity risks. However, HITRUST recognizes the need for the CSF to continue to evolve to address new technologies and threats. Through the new working group, HITRUST is initiating a thorough review of each relevant control with consideration of cyber losses and risk factors. The outcome of this effort will include updates to the controls in the CSF and guidance on prioritizing implementation of these controls to reflect the associated cybersecurity risks.

For more information on the HITRUST Cybersecurity Working Group or to express interest in participating, please visit hitrustalliance.net/cyberwg.

A roundtable session to share findings and receive comments on the working group findings will convene alongside the HITRUST 2013 conference to be held May 20-22, 2013, in Dallas-Fort Worth.

Supporting Documents

· White House "Executive Order – Improving Critical Infrastructure Cybersecurity": whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

· HITRUST Cybersecurity Working Group: hitrustalliance.net/cyberwg

· HITRUST C3: hitrustalliance.net/c3


The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.
