HITRUST Forms Working Group to Develop Information Sharing Framework for Healthcare Sector

The Health Information Trust Alliance (HITRUST) has established a new working group to focus on developing an information sharing framework to address cyber-security incidents in the healthcare sector.

The HITRUST Cybersecurity Working Group will address elements of the White House executive order to protect healthcare data and patients, HITRUST said Wednesday. The Working Group will focus on establishing a baseline framework on how organizations will mitigate their risks and share relevant information with both public and private sector organizations, according to HITRUST.

HITRUST already works with CISOs and CSOs of the nations’ largest healthcare organizations, the Department of Health and Human Services, and Department of Homeland Security for active threat intelligence, information, sharing and incident response through the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3). HITRUST C3 has systems and policies in place to protect anonymity and privacy so that critical information can be shared without liability concerns by the victim or submitting party.

“There is no doubt in my mind that the sharing of cyber threat information and coordinated incident response has benefited both industry and government,” said Daniel Nutkis, HITRUST’s CEO.

The executive order on cybersecurity, issued by the White House on Feb. 12 after the State of the Union address, outlined the need to protect the country’s critical infrastructure and encourage a voluntary program where the private and public sector could share information about the latest threats. The Department of Homeland Security has identified healthcare as one of the 18 industry sectors that fall under the critical infrastructure classification.

The healthcare sector is vulnerable to disruption of information systems and medical devices used in patient care, as well as those involved in the manufacture and distribution of life-sustaining medicines and therapies, HITRUST said.

The White House executive order has a few core elements, including information sharing between government and private industry entities about cyber-security threats and incidents, establishing a baseline framework to reduce cyber-risk, and identifying critical infrastructure at greatest risk for attack.

According to section 7 of the order, “The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

The HITRUST Common Security Framework is the most widely adopted risk-based information protection framework used by healthcare organizations, according to the alliance. Organizations can use the controls and best practices identified in the CSF to mitigate risk. The working group plans to use CSF as the baseline and conduct a thorough review of each relevant control.

“While creating a model that allows for industry and government collaboration has been a challenge, this model is continuing to make progress and is a step in the right direction for healthcare,” said Jon Moore, CISO of healthcare provider Humana.

HITRUST hopes to have an updated CSF with modified controls and guidance on prioritizing how these controls are implemented to reflect actual risks, it said.

The Department of Health and Human Services is part of HITRUST C3, which allows the federal agency to “share important cyber threat information, interact in a trusted forum with other healthcare organizations, and receive similar information in return,” said Kevin Charest, CISO of DHHS.

Related: Threat Information Sharing – Fighting Fire With Fire

Related: Taking the Blinders Off – The Value of Collective Intelligence