SecurityWeek

HITRUST Forms Working Group to Develop Information Sharing Framework for Healthcare Sector

The Health Information Trust Alliance (HITRUST) has established a new working group to focus on developing an information sharing framework to address cyber-security incidents in the healthcare sector.

The HITRUST Cybersecurity Working Group will address elements of the White House executive order to protect healthcare data and patients, HITRUST said Wednesday. The Working Group will focus on establishing a baseline framework on how organizations will mitigate their risks and share relevant information with both public and private sector organizations, according to HITRUST.

HITRUST already works with CISOs and CSOs of the nation’s largest healthcare organizations, the Department of Health and Human Services, and the Department of Homeland Security for active threat intelligence, information sharing and incident response through the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3). HITRUST C3 has systems and policies in place to protect anonymity and privacy so that critical information can be shared without liability concerns by the victim or submitting party.

“There is no doubt in my mind that the sharing of cyber threat information and coordinated incident response has benefited both industry and government,” said Daniel Nutkis, HITRUST’s CEO.

The executive order on cybersecurity, issued by the White House on Feb. 12 after the State of the Union address, outlined the need to protect the country’s critical infrastructure and encourage a voluntary program where the private and public sector could share information about the latest threats. The Department of Homeland Security has identified healthcare as one of the 18 industry sectors that fall under the critical infrastructure classification.

The healthcare sector is vulnerable to disruption of information systems and medical devices used in patient care, as well as those involved in the manufacture and distribution of life-sustaining medicines and therapies, HITRUST said.

The White House executive order has a few core elements, including information sharing between government and private industry entities about cyber-security threats and incidents, establishing a baseline framework to reduce cyber-risk, and identifying critical infrastructure at greatest risk for attack.

According to section 7 of the order, “The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

The HITRUST Common Security Framework is the most widely adopted risk-based information protection framework used by healthcare organizations, according to the alliance. Organizations can use the controls and best practices identified in the CSF to mitigate risk. The working group plans to use CSF as the baseline and conduct a thorough review of each relevant control.

“While creating a model that allows for industry and government collaboration has been a challenge, this model is continuing to make progress and is a step in the right direction for healthcare,” said Jon Moore, CISO of healthcare provider Humana.

HITRUST hopes to have an updated CSF with modified controls and guidance on prioritizing how these controls are implemented to reflect actual risks, it said.

The Department of Health and Human Services is part of HITRUST C3, which allows the federal agency to “share important cyber threat information, interact in a trusted forum with other healthcare organizations, and receive similar information in return,” said Kevin Charest, CISO of DHHS.
