Products & Releases

Healthcare Organizations Lack Tools for Cyber Situational Awareness and Threat Assessment

HITRUST Transforms Model for Effective Cyber Risk Management

Frisco, TX – March 4, 2015 – The Health Information Trust Alliance (HITRUST) has completed a three-month review of its approach to cyber risk management for the healthcare industry. The effort was focused on understanding the challenges of healthcare organizations across varying levels of information protection maturity. The review also focused on identifying approaches and solutions to effectively and practically mitigate and defend against cyber threats and risks. The analysis uncovered a constant theme: that today’s approach to cybersecurity is predominantly reactive and, for the vast majority of organizations, inefficient and labor-intensive.

The analysis also illuminated the fact that, although organizations are increasingly utilizing threat indicators and other threat intelligence, they are doing so without understanding the relevance to their organization. In addition, most organizations are still unable to understand the effectiveness of deployed information security products, especially in relation to emerging cyber threats.

In response, HITRUST announced today a new component of its cyber risk strategy. HITRUST CyberVision is the first real-time situational awareness and threat assessment tool tailored to the healthcare industry.

Specific findings from the review include:

·       Organizations consistently identified a lack of awareness of emerging cyber threats, especially previously unseen attacks, as a key concern. Organizations almost universally acknowledged they had minimal understanding as to the impact of cyber threats on their current cyber security products and the unique applications, systems and devices they protect. This lack of awareness leads many organizations to expend resources and rely heavily on indicators of compromise (IOCs) to determine if a breach or other suspicious cyber activity has already occurred while simultaneously updating rules and policies to block the IOCs. Although valuable, this approach is retrospective in nature and introduces inefficiencies.

·       Organizations lack understanding as to the effectiveness of the multitude of products deployed in their environments and lack the ability to communicate, especially to senior management, the effectiveness of their security measures against the probable cyber threat landscape. 

The review concluded that, to enable a better understanding of the emerging threat landscape and the impact on organizational-specific cyber security defenses, a new approach needs to be deployed and new tools developed. This fundamental shift requires a more proactive model where organizations have real-time situational awareness or insights into emerging cyber threats. The shift also requires the ability to understand the impact of emerging threats on an organization’s specific environment, including layered information security products deployed with custom configurations, as well as industry-specific applications, such as electronic health records (EHRs). This new approach allows organizations to assess the cyber threats relevant to their unique environment down to the applications and system level, so they can use their resources to mitigate the one-to-two percent of the cyber threats that are relevant rather than chasing the 98 percent that aren’t.

“Although we have made good progress in maturing our cyber risk management approach for industry, with significant improvements in information sharing, the real opportunity is to understand the emerging threats and model them against organization-specific defenses, configurations and applications,” said Daniel Nutkis, chief executive officer, HITRUST. “HITRUST CyberVision will also allow us to better engage with the vendor community to improve product effectiveness.”


Key Requirements for Real-Time Cyber Situational Awareness and Effective Threat Assessment

HITRUST established a comprehensive set of requirements for a service that would address the needs of industry and augment the current reactive approaches with one of proactive insights, by delivering key capabilities:

1.    Visibility into an extensive degree of current and emerging cyber threats, including previous unseen.

2.    Ability to evaluate the impact of these cyber threats against the actual security products -  network, server and end point - currently installed in an organization’s environment

3.    Ability to implement multiple configurations per security product and evaluate against default and various tuned configurations, including organization-specific configurations and unique applications.

4.    Ability to evaluate the effectives of various combinations of multiple security products and benchmark over time.

5.    Ability to evaluate and assess the risks within minutes of identifying the cyber threat and notifying those affected, based on the products and applications they have deployed.

6.    Ability to incorporate healthcare-specific applications, such as EHRs, computer control applications for medical devices, and organization-specific applications into the evaluation.

7.    Ability to create best practices product configurations including by application.

8.    Ability to feed threat intelligence and knowledge about which threats are bypassing current countermeasures and security products into the HITRUST Cyber Threat Exchange, allowing for prioritization of resources.


HITRUST CyberVision Enhances Effective Cyber Risk Management

HITRUST met with information security leaders, technology companies, researchers and other thought leaders to identify possible partners and approaches to address these needs. After a detailed analysis, HITRUST has partnered with NSS Labs, the leader in cyber security research and testing, to deliver key capabilities for the HITRUST CyberVision service.

“NSS is pleased to provide the technology powering HITRUST CyberVision. In order to accurately test the world’s leading security products, NSS developed the unique real-time capability of determining which exploits cyber threat actors are using, and more importantly which bypass security products. With HITRUST we are extending our technology to cover healthcare-specific systems and applications,” said Vikram Phatak, chief executive officer, NSS Labs.

Last year, HITRUST announced the Cyber Threat XChange (CTX) in order to overcome the obstacles for organizations unable to consume and take action on the threat indicators that HITRUST was distributing through its cyber center. The CTX takes this process one step further by automating and simplifying the exchange of IOCs and making them actionable and consumable. Now HITRUST CyberVision makes the HITRUST CTX even more efficient as it can automatically notify healthcare organizations and information security vendors of the emerging cyber threats for which a counter measure is not available, before the exploit has been weaponized.

CyberVision also enhances the effectiveness of the other HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) programs including the Monthly Threat Briefings and the CyberRX attack simulation exercise series. By adding situational awareness and threat assessment capabilities to the HITRUST C3, organizations now have the needed tools for effective Cyber Risk Management.


Industry Support

”HITRUST CyberVision is positioned to drastically improve the situational awareness relating to cyber threats specific to each organization’s environment, and allow more strategic and proactive approaches,” said Cris Ewell, chief information security officer, Seattle Children’s Hospital. “Small and large organizations can then integrate the information into their information security risk program to see real benefits.”

“The current model of cyber defense relies heavily on a retrospective approach, utilizing IOCs to determine if a breach has already occurred while blocking them from coming in possibly again, which does not focus resources on high priority gaps,” said Jeff Schilling, chief security officer, FireHost.

“Approaching your security posture with prevention as a key priority can make it extremely difficult for adversaries to compromise your organization. Applying analysis and automation capabilities, sharing threat intelligence and treating cybersecurity like a continuous and evolving process – not something that you do once and walk away – are good practices that can help healthcare organizations’ more proactively prevent and protect against cyber threats,” said Rick Howard, CSO at Palo Alto Networks.

“We get our annual flu shot to protect against viruses that may or may not impact us. In security, we apply products like vaccines, to achieve defense in depth protection against unknown attacks. With this service, HITRUST takes it one step further," said Wael Mohamed, chief operating officer, Trend Micro. “HITRUST will help healthcare organizations understand if they are being targeted and if their systems are prepared to defend against the attack. It is like personalized medicine for our enterprise networks and we are pleased to be part of this visionary approach to cybersecurity.”

“Fortinet supports HITRUST’s initiative to be more proactive when it comes to detection and assessment of zero day and other previously unknown exploits within the Healthcare Industry. The security industry as a whole spends too much money marketing the next gimmick and not enough resources testing the effectiveness of their products with organizations such as NSS, “ said John Maddison, vice president of marketing and products, Fortinet. "We welcome the chance to take part and contribute in this initiative.“

HITRUST has also been invited to testify at the House Committee on Government Reform, Subcommittee on Information Technology hearing titled “Cybersecurity: The Evolving Nature of the Cyber Threat Facing the Private Sector" on Thursday, March 5th. HITRUST looks forward to discussing this new capability and to present its new model for cybersecurity risk management with Chairman Hurd and Congressional leaders. To read the testimony and watch the live broadcasting visit:



HITRUST expects to have the CyberVision service available by March 9, 2015 including a free subscription level. To download a CyberVision white paper, watch a video, and register to get free access to the launch version of CyberVision - a fully functional system with many information security products -  visit: Additional products and applications are being tested and added continuously. HITRUST is also asking participants to help prioritize the information security products and applications they would like to see in the CyberVision service.



Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST - in collaboration with public and private healthcare technology, privacy and information security leaders - has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit

All product and company names herein may be trademarks of their respective owners.

Editors' Choice
Evan Schuman, Contributing Writer, Dark Reading
Tara Seals, Managing Editor, News, Dark Reading
Jeffrey Schwartz, Contributing Writer, Dark Reading