The Health Information Trust Alliance (HITRUST) announced on Thursday that it will conduct monthly cyber threat briefings in partnership with the U.S. Department of Health and Human Services, and will warn organizations when HITRUST’s Cyber Threat Intelligence and Incident Coordination Center (C3) identifies high probability and impact cyber threats targeted at the healthcare industry.
The new efforts are designed to help organizations better understand current and probable cyber threats relevant to organizations in the healthcare industry and share best practices for cyber defense and incident response.
The new cyber alerting system, C3 Alert, is being coordinated with the Healthcare and Public Health Sector and Government Coordinating Councils.
“Government and industry cooperation and coordination are key to effectively and efficiently preparing the industry for cyber attacks,” said Dr. Earl Motzer, Co-Chair of the Healthcare Sector Coordinating Council established under the National Infrastructure Protection Plan (NIPP). “Availability of this information is a positive step in the industry’s cyber threat preparedness.”
The number of cyber attacks targeted at healthcare industry organizations of all types and sizes continue to increase, while research indicates that most healthcare organizations are not adequately addressing cyber threat preparedness and response.
According to a recent survey from the SANS Institute, a staggering 94 percent of all healthcare organizations said they have been victims of data breaches at some point. In its “Health Care Cyberthreat Report,” released Feb. 21, SANS said that despite the high number, organizations that have been breached but haven’t disclosed the incidents, or haven’t discovered it yet, aren’t included in the tally.
An analysis of HITRUST Common Security Framework (CSF) assessments performed over the last year indicates progress has been made in every information security control area across various segments and organizational sizes, although the most progress with regard to cyber security appears to be in larger organizations with annual revenues over $6 billion, the organization said.
“Collaboration is crucial to reducing cyber threats for the entire healthcare industry, including the government,” said Kevin Charest, Chief Information Security Officer, U.S. Department of Health and Human Services. “These briefings and alerts allow us to better disseminate valuable and critical information to healthcare organizations more effectively so they can better prepare and respond to cyber threats and events.”
“Even with our size and level of our information security program’s maturity, I recognize that participating in a functional information sharing and analysis organization, like HITRUST C3, is key to ensuring we have access to the latest and most accurate threat intelligence,” said Roy Mellinger, Vice President and Chief Information Security Officer, WellPoint, Inc. “I also recognize that we need to make sure every organization in healthcare has access to cyber threat alerts, analysis and best practice information to better protect the entire healthcare industry.”
The health industry’s monthly threat briefings will be free of charge, leveraging the resources and content created by the HITRUST C3 and U.S. Department of Health and Human Services Computer Security Incident Response Center (HHS-CSIRC). The briefings are intended to support healthcare organizations of all sizes as well as cyber-security maturity levels.
Helld online, the briefings will begin in April 2014, HITRUST said, and will last 60 – 75 minutes. In addition, the material presented will be made available to those registered.
The C3 Alerts, free of charge, will be issued anytime HITRUST C3 identifies a present and immediate cyber threat relevant to a large number of healthcare organizations, medical devices or systems, HITRUST said.
“Having access to alerts, threat intelligence and lessons learned that are relevant to our organization is important, as it helps ensure that we will maximize our efforts in addressing cyber threats. Information protection is a priority for our organization, but we need to be as efficient as possible in doing so,” explained Aaron Miri, Chief Technology Officer, Children’s Medical Center of Dallas. “The sharing of threat intelligence and best practices will aid the industry and help raise the maturity level of the entire industry by allowing all organizations, small and large, to have access to vital cyber threat and best practices through the industry’s information sharing and analysis organization, HITRUST C3.”
In February 2013, HITRUST established a new working group to focus on developing an information sharing framework to address cyber-security incidents in the healthcare sector.
Most recently, HITRUST announced plans for the CyberRX, a series of cyber attack simulations designed to help healthcare organizations prepare for emerging cyber threats and develop a better understanding of the industry’s cyber threat response readiness.
Additional information and registration for the C3 Monthly Briefing and C3 Alerts is available online.
