HITRUST Forms Working Group to Develop Information Sharing Framework for Healthcare Sector

The Health Information Trust Alliance (HITRUST) has established a new working group to focus on developing an information sharing framework to address cyber-security incidents in the healthcare sector.

The HITRUST Cybersecurity Working Group will address elements of the White House executive order to protect healthcare data and patients, HITRUST said Wednesday. The Working Group will focus on establishing a baseline framework on how organizations will mitigate their risks and share relevant information with both public and private sector organizations, according to HITRUST.

HITRUST already works with CISOs and CSOs of the nation’s largest healthcare organizations, the Department of Health and Human Services, and the Department of Homeland Security for active threat intelligence, information sharing and incident response through the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3). HITRUST C3 has systems and policies in place to protect anonymity and privacy so that critical information can be shared without liability concerns by the victim or submitting party.

“There is no doubt in my mind that the sharing of cyber threat information and coordinated incident response has benefited both industry and government,” said Daniel Nutkis, HITRUST’s CEO.

The executive order on cybersecurity, issued by the White House on Feb. 12 after the State of the Union address, outlined the need to protect the country’s critical infrastructure and encourage a voluntary program where the private and public sectors could share information about the latest threats. The Department of Homeland Security has identified healthcare as one of the 18 industry sectors that fall under the critical infrastructure classification.

The healthcare sector is vulnerable to disruption of information systems and medical devices used in patient care, as well as those involved in the manufacture and distribution of life-sustaining medicines and therapies, HITRUST said.

The White House executive order has a few core elements, including information sharing between government and private industry entities about cyber-security threats and incidents, establishing a baseline framework to reduce cyber-risk, and identifying critical infrastructure at greatest risk for attack.

According to section 7 of the order, “The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

The HITRUST Common Security Framework is the most widely adopted risk-based information protection framework used by healthcare organizations, according to the alliance. Organizations can use the controls and best practices identified in the CSF to mitigate risk. The working group plans to use CSF as the baseline and conduct a thorough review of each relevant control.

“While creating a model that allows for industry and government collaboration has been a challenge, this model is continuing to make progress and is a step in the right direction for healthcare,” said Jon Moore, CISO of healthcare provider Humana.

HITRUST hopes to have an updated CSF with modified controls and guidance on prioritizing how these controls are implemented to reflect actual risks, it said.

The Department of Health and Human Services is part of HITRUST C3, which allows the federal agency to “share important cyber threat information, interact in a trusted forum with other healthcare organizations, and receive similar information in return,” said Kevin Charest, CISO of DHHS.
