Healthcare Industry Now Sharing Attack Intelligence
New HITRUST Cybersecurity Incident Response and Coordination Center lets healthcare organizations, U.S. Department of Health and Human Services swap information, forensics from firsthand attack experiences, other threats
Large healthcare organizations and the U.S. Department of Health and Human Services (HHS) have banded together to share attack and threat intelligence in a new incident response and coordination effort established specifically for their industry.
The Health Information Trust Alliance (HITRUST) today announced the launch of the new HITRUST Cybersecurity Incident Response and Coordination Center as a go-to online community for helping spot cybersecurity attacks against healthcare organizations and coordinating incident response to threats and attacks. "We [all] started to see, eight to 12 months ago, an uptick in more focused attacks or attempts against healthcare systems coming from around the world," says Roy Mellinger, CISO at WellPoint, one of the 15 founding participants in the new cybercoordination center. "We needed something to help us protect" our data, so the center is a crucial resource, according to Mellinger.
Attacks against healthcare organizations are becoming more targeted and focused, he says. The bad guys are now going after Web portals and healthcare applications as their point of entry, rather than hitting the perimeter as they did before. "We've seen a change in tactics, and it has us responding," Mellinger says.
Healthcare is now one of several industries with its own intel-sharing mechanisms to help combat cybercrime and cyberespionage. The financial services sector and the defense industrial base have been doing so for some time, and there are regional approaches, such as the FBI-led InfraGard association of local businesses, academic institutions, and state and local law enforcement agencies that share attack and threat information.
Data breaches in healthcare jumped more than 30 percent last year and could be costing the industry an average of $6.5 billion a year, according to a recent Ponemon Institute study. Hospitals and healthcare providers suffered an average of four data breaches in the past year, the report found, and employee error was one of the main reasons for breaches. The increase in breaches may in part be due to better detection capabilities, however, noted Larry Ponemon, chairman and founder of the Ponemon Institute.
Another recent study of small healthcare practices by Ponemon was even more disturbing: Ninety-one percent of small healthcare providers in North America with 250 or fewer employees said they had suffered a breach in the past 12 months.
"There are certain types of attacks targeting healthcare, be it a children's hospital that has a set of new and fresh SSNs, or health plans with electronic payments," says Dan Nutkis, CEO at HITRUST, a healthcare industry group that also offers a framework for the creation, access, storage, and exchange of personal health and financial information. "So [at first] we decided we would informally facilitate collaboration, but we found it very complicated. Very few organizations in the whole industry have the skill set to know what to do with the information," such as indicators of compromise, he says.
Nutkis says it made more sense to focus on early warning efforts for large healthcare organizations, and then that information ultimately can be massaged and packaged for smaller healthcare groups as well. So with help from HHS, HITRUST built the new portal that helps organize intelligence and threat information among participants.
HHS is among the 15 healthcare organizations currently sharing security incident information, as are UnitedHealth Group, Baylor Health Care System, Dignity Health, and Humana. The information-sharing tools in the portal allow the agency and the companies to share that information confidentially and anonymously.
[Major global businesses are calling for better intelligence- and information-sharing among themselves and other organizations hit by cyberattacks in order to better fend off the bad guys and protect themselves from breaches, but a universal model for doing so remains elusive. See Victim Businesses Teaming Up To Fight Cybercriminals.]
While many organizations today see sharing threat intelligence as a way to work more as a team against cybercrime, collaboration isn't so simple. "Human trust is a fundamental prerequisite to enable the exchange of threat intelligence information. And it does not scale well," notes Jacques Francoeur, chair of the Bay Area Council Threat Intelligence Sharing Committee.
There are also major technology challenges, as well as the question of what to do with the intelligence you get from your counterparts, he says. "There are technology issues related to how you structure threat indicators, deidentify the source, share them in an automated manner, and control the usage and access of the data. There are issues of trust related to the source of the information and, until that is in place, receivers of information will be reluctant to redirect resources based on that information. There are large differences in the maturity of different organizations to even understand how to leverage the information," Francoeur says.
"For example, how does near real-time threat and capability intelligence change an organization's security strategy? Is it prepared to dynamically adapt and redirect security resources based on this intelligence?" he says. "It is not only about how to collect and share the information; it is what to do with it once you have it."
Kevin Charest, director and program manager at HHS's incident response center, says HHS is providing nonclassified attack information, such as indicators of compromise for specific attack campaigns. "It's kind of outreach and information-sharing," Charest says. "If we've developed an IOC around a particular set of intrusions, we can say, 'Here's some [threats] to point your tools at.'"
The hope is that this intelligence gathered and coordinated among the big healthcare organizations will ultimately trickle down to small practices that don't have the resources and expertise. "The larger organizations do touch a large percent of the market, so you have that kind of trickle-down," Charest says.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...