Healthcare organizations lag in sharing cyber attack info
Through a presidential executive order and legislation enacted by Congress in 2015, the federal government set in motion procedures for healthcare organizations, companies in other industries and local governments to collect and share cyber threat information among themselves and with the government.
The federal initiatives included incentives to enable organizations to receive threat information not just from other organizations but from government agencies such as the Departments of Homeland Security and Health and Human Services.
However, threat data sharing in healthcare has gotten off to a slow start even as cyber attacks have accelerated. Many stakeholders are not aware of the initiative; others have needed time to develop arrangements for sharing with each other and to develop analytics capability to analyze threats and turn them into actionable alerts, says Lisa Gallagher, managing director of the healthcare cybersecurity and privacy practice at consultancy PricewaterhouseCoopers.
Threat sharing will occur at national and local levels and both levels can learn from each other, according to Gallagher. For instance, if there is a certain common threat activity being seen among several hospitals in a particular region and this type of activity is not being seen at the national level, then that’s a good indication of a relevant threat in the region. “This is a good way for us to start sharing with trusted organizations at a local level,” she adds.
Participants in threat data sharing are afforded liability protection, an antitrust exemption when sharing, and exemptions from federal and state Freedom of Information acts.
Gallagher suggests local organizations begin thinking about with whom they can share threat data, start doing it, and leverage threat indicators received to assess organizational vulnerabilities and make adjustments.
According to information from Homeland Security, industry-specific Information Sharing and Analysis Centers, or ISACs, are to be not-for-profit, member-driven organizations that share information between various levels of government and industry. For other organizations, Information Sharing and Analysis Organizations, or ISAOs, also will gather, analyze and disseminate cyber threat information but are not sector-specific.
The challenge now, Gallagher says, is to get the word out across the healthcare industry. “There is a tremendous education process that has to start.”