
4/24/2012
04:00 PM

Healthcare Industry Now Sharing Attack Intelligence

New HITRUST Cybersecurity Incident Response and Coordination Center lets healthcare organizations, U.S. Department of Health and Human Services swap information, forensics from firsthand attack experiences, other threats

Large healthcare organizations and the U.S. Department of Health and Human Services (HHS) have banded together to share attack and threat intelligence in a new incident response and coordination effort established specifically for their industry.

The Health Information Trust Alliance (HITRUST) today announced the launch of the new HITRUST Cybersecurity Incident Response and Coordination Center as a go-to online community for helping spot cybersecurity attacks against healthcare organizations and coordinating incident response to threats and attacks. "We [all] started to see, eight to 12 months ago, an uptick in more focused attacks or attempts against healthcare systems coming from around the world," says Roy Mellinger, CISO at WellPoint, one of the 15 founding participants in the new cybercoordination center. "We needed something to help us protect" our data, so the center is a crucial resource, according to Mellinger.

Attacks against healthcare organizations are becoming more targeted and focused, he says. And the bad guys are going after Web portals and healthcare applications as their point of entry, he says, rather than their previous M.O. of hitting the perimeter. "We've seen a change in tactics, and it has us responding," Mellinger says.

Healthcare is now one of several industries with its own intel-sharing mechanisms to help combat cybercrime and cyberespionage. The financial services and defense industrial base sectors have been doing so for some time, and there are regional approaches, such as the FBI-led InfraGard association of local businesses, academic institutions, and state and local law enforcement agencies that share attack and threat information.

Data breaches in healthcare jumped more than 30 percent last year and could be costing the industry an average of $6.5 billion a year, according to a recent Ponemon Institute study. Hospitals and healthcare providers suffered an average of four data breaches in the past year, the report found, and employee error was one of the main reasons for breaches. The increase in breaches may in part be due to better detection capabilities, however, noted Larry Ponemon, chairman and founder of the Ponemon Institute.

Another recent study of small healthcare practices by Ponemon was even more disturbing: Ninety-one percent of small healthcare providers in North America with 250 or fewer employees said they had suffered a breach in the past 12 months.

"There are certain types of attacks targeting healthcare, be it a children's hospital that has a set of new and fresh SSNs, or health plans with electronic payments," says Dan Nutkis, CEO at HITRUST, a healthcare industry group that also offers a framework for the creation, access, storage, and exchange of personal health and financial information. "So [at first] we decided we would informally facilitate collaboration, but we found it very complicated. Very few organizations in the whole industry have the skill set to know what to do with the information," such as indicators of compromise, he says.

Nutkis says it made more sense to focus on early warning efforts for large healthcare organizations, and then that information ultimately can be massaged and packaged for smaller healthcare groups as well. So with help from HHS, HITRUST built the new portal that helps organize intelligence and threat information among participants.

HHS is among the 15 healthcare organizations currently sharing security incident information, as are UnitedHealth Group, Baylor Health Care System, Dignity Health, and Humana. The information-sharing tools in the portal allow the agency and the companies to share that information confidentially and anonymously.

[Major global businesses are calling for better intelligence- and information-sharing among themselves and other organizations hit by cyberattacks in order to better fend off the bad guys and protect themselves from breaches, but a universal model for doing so remains elusive. See Victim Businesses Teaming Up To Fight Cybercriminals.]

While threat intel-sharing is a major goal for many organizations today to work more as a team to fight cybercrime, collaboration isn't so simple. "Human trust is a fundamental prerequisite to enable the exchange of threat intelligence information. And it does not scale well," notes Jacques Francoeur, chair of the Bay Area Council Threat Intelligence Sharing Committee.

There also are major technology challenges, as well as what to do with the intelligence you get from your counterparts, he says. "There are technology issues related to how you structure threat indicators, deidentify the source, share them in an automated manner, and control the usage and access of the data. There are issues of trust related to the source of the information and, until that is in place, receivers of information will be reluctant to redirect resources based on that information. There are large differences in the maturity of different organizations to even understand how to leverage the information," Francoeur says.

"For example, how does near real-time threat and capability intelligence change an organization's security strategy? Is it prepared to dynamically adapt and redirect security resources based on this intelligence?" he says. "It is not only about how to collect and share the information; it is what to do with it once you have it."

Kevin Charest, director and program manager at HHS's incident response center, says HHS is providing nonclassified attack information, such as indicators of compromise for specific attack campaigns. "It's kind of outreach and information-sharing," Charest says. "If we've developed an IOC around a particular set of intrusions, we can say, 'Here's some [threats] to point your tools at.'"

The hope is that this intelligence gathered and coordinated among the big healthcare organizations will ultimately trickle down to small practices that don't have the resources and expertise. "The larger organizations do touch a large percent of the market, so you have that kind of trickle-down," Charest says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
macker490,
User Rank: Ninja
4/26/2012 | 12:08:24 PM
re: Healthcare Industry Now Sharing Attack Intelligence
response is a Good Thing but the group needs to be PRO-ACTIVE in DIRECTING Security Requirements to OEM
Bprince,
User Rank: Ninja
4/24/2012 | 10:58:23 PM
re: Healthcare Industry Now Sharing Attack Intelligence
Timing is good due to the Utah breach and the recent insider breach in South Carolina.
Brian Prince, InformationWeek/Dark Reading Comment Moderator