
Healthcare Industry Now Sharing Attack Intelligence

New HITRUST Cybersecurity Incident Response and Coordination Center lets healthcare organizations, U.S. Department of Health and Human Services swap information, forensics from firsthand attack experiences, other threats

Large healthcare organizations and the U.S. Department of Health and Human Services (HHS) have banded together to share attack and threat intelligence in a new incident response and coordination effort established specifically for their industry.

The Health Information Trust Alliance (HITRUST) today announced the launch of the new HITRUST Cybersecurity Incident Response and Coordination Center as a go-to online community for helping spot cybersecurity attacks against healthcare organizations and coordinating incident response to threats and attacks. "We [all] started to see, eight to 12 months ago, an uptick in more focused attacks or attempts against healthcare systems coming from around the world," says Roy Mellinger, CISO at WellPoint, one of the 15 founding participants in the new cybercoordination center. "We needed something to help us protect" our data, so the center is a crucial resource, according to Mellinger.

Attacks against healthcare organizations are becoming more targeted and focused, he says. And the bad guys are going after Web portals and healthcare applications as their point of entry, he says, rather than their previous M.O. of hitting the perimeter. "We've seen a change in tactics, and it has us responding," Mellinger says.

Healthcare is now one of several industries with its own intel-sharing mechanisms to help combat cybercrime and cyberespionage. The financial services industry and the defense industrial base have been doing so for some time, and there are regional approaches, such as the FBI-led InfraGard association of local businesses, academic institutions, and state and local law enforcement agencies that share attack and threat information.

Data breaches in healthcare jumped more than 30 percent last year and could be costing the industry an average of $6.5 billion a year, according to a recent Ponemon Institute study. Hospitals and healthcare providers suffered an average of four data breaches in the past year, the report found, and employee error was one of the main reasons for breaches. The increase in breaches may in part be due to better detection capabilities, however, noted Larry Ponemon, chairman and founder of the Ponemon Institute.

Another recent study of small healthcare practices by Ponemon was even more disturbing: Ninety-one percent of small healthcare providers in North America with 250 or fewer employees said they had suffered a breach in the past 12 months.

"There are certain types of attacks targeting healthcare, be it a children's hospital that has a set of new and fresh SSNs, or health plans with electronic payments," says Dan Nutkis, CEO at HITRUST, a healthcare industry group that also offers a framework for the creation, access, storage, and exchange of personal health and financial information. "So [at first] we decided we would informally facilitate collaboration, but we found it very complicated. Very few organizations in the whole industry have the skill set to know what to do with the information," such as indicators of compromise, he says.

Nutkis says it made more sense to focus on early warning efforts for large healthcare organizations, and then that information ultimately can be massaged and packaged for smaller healthcare groups as well. So with help from HHS, HITRUST built the new portal that helps organize intelligence and threat information among participants.

HHS is among the 15 healthcare organizations currently sharing security incident information, as are UnitedHealth Group, Baylor Health Care System, Dignity Health, and Humana. The information-sharing tools in the portal allow the agency and the companies to share that information confidentially and anonymously.

[Major global businesses are calling for better intelligence- and information-sharing among themselves and other organizations hit by cyberattacks in order to better fend off the bad guys and protect themselves from breaches, but a universal model for doing so remains elusive. See Victim Businesses Teaming Up To Fight Cybercriminals.]

While threat intel-sharing is a major goal for many organizations today to work more as a team to fight cybercrime, collaboration isn't so simple. "Human trust is a fundamental prerequisite to enable the exchange of threat intelligence information. And it does not scale well," notes Jacques Francoeur, chair of the Bay Area Council Threat Intelligence Sharing Committee.

There also are major technology challenges, as well as what to do with the intelligence you get from your counterparts, he says. "There are technology issues related to how you structure threat indicators, deidentify the source, share them in an automated manner, and control the usage and access of the data. There are issues of trust related to the source of the information and, until that is in place, receivers of information will be reluctant to redirect resources based on that information. There are large differences in the maturity of different organizations to even understand how to leverage the information," Francoeur says.

"For example, how does near real-time threat and capability intelligence change an organization's security strategy? Is it prepared to dynamically adapt and redirect security resources based on this intelligence?" he says. "It is not only about how to collect and share the information; it is what to do with it once you have it."

Kevin Charest, director and program manager at HHS's incident response center, says HHS is providing nonclassified attack information, such as indicators of compromise for specific attack campaigns. "It's kind of outreach and information-sharing," Charest says. "If we've developed an IOC around a particular set of intrusions, we can say, 'Here's some [threats] to point your tools at.'"

The hope is that this intelligence gathered and coordinated among the big healthcare organizations will ultimately trickle down to small practices that don't have the resources and expertise. "The larger organizations do touch a large percent of the market, so you have that kind of trickle-down," Charest says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
4/26/2012 | 12:08:24 PM
re: Healthcare Industry Now Sharing Attack Intelligence
response is a Good Thing but the group needs to be PRO-ACTIVE in DIRECTING Security Requirements to OEM
User Rank: Ninja
4/24/2012 | 10:58:23 PM
re: Healthcare Industry Now Sharing Attack Intelligence
Timing is good due to the Utah breach and the recent insider breach in South Carolina.
Brian Prince, InformationWeek/Dark Reading Comment Moderator