HITRUST asks agencies to offer more security help
The Department of Homeland Security works with security professionals across industries to improve the collection and sharing of cyber threat information. On March 9, members of the U.S. House Homeland Security Committee heard testimony from industry representatives on the value and effectiveness of working with DHS.
For the healthcare industry, the value of cyber threat information disseminated by the government can vary dramatically, said Daniel Nutkis, CEO of stakeholder security collaborative HITRUST, in prepared testimony.
The Cybersecurity Act of 2015 and Executive Order 13691 established the necessity of industry information sharing and analysis organizations (ISAOs) to engage in the sharing of cyber information with the government, Nutkis noted.
Technical and operational issues surfaced when industry initially started sharing threat data via DHS’ Automated Indicator Sharing program (AIS). “They have since been addressed, but we would encourage greater engagement by DHS with AIS participants to ensure alignment with ongoing and future requirements,” Nutkis testified. That said, the work of DHS is benefiting the healthcare industry, and the engagement with the agency has been productive, he asserted.
However, some government activities are undermining sharing programs in the private sector and among information sharing and analysis organizations, he added. “There are efforts underway that will deviate from this effort by requiring healthcare organizations to only share information directly with the Department of Health and Human Services—an agency not even identified in the Cybersecurity Act of 2015 as affording safe harbor liability protections,” Nutkis told lawmakers.
According to HHS, however, no individual or organization is required to report threat information to the agency.
The CISA law, he argued, places DHS at the center of information sharing with the private and civilian sector. “Since HITRUST has led the industry in the collection of indicators of compromise through the development of enhanced standards and collection practices, and was the first healthcare organization to begin sharing bi-directionally with DHS’s AIS program, we find these efforts unnerving as they are certainly contrary to the original intent of CISA and government’s commitment to partner with industry through the Information Sharing and Analysis Organization program.”
The private sector, he added, should be considered a partner of government, and the government should have a universal and consistent approach when engaging industry.