HITRUST begins sharing cyber threats with Homeland Security
HITRUST, a consortium of stakeholders collaborating to better secure protected health information, is the first healthcare cyber threat-sharing information organization to connect with the federal government’s cyber threat sharing program.
The federal program, launched earlier this year, is the Automated Indicator Sharing Program of the Department of Homeland Security, designed to collect and disseminate cyber threat information.
The DHS program enables electronic exchange of cyber threat indicators across private sector industries, and HITRUST is the first healthcare organization to link with the feds to receive and submit threat information, says CEO Daniel Nutkis.
“It was a lot of work; a lot of integration and setting up policies,” he recalls. But now, HITRUST can send out or receive information within minutes, and so can its members. So far, the volume is low but will ramp up over time.
HITRUST offers a basic free threat-sharing platform and also has a proprietary subscription-based platform for organizations that wish to share data across defined partners—deciding who has access and who does not.
Regardless of the level of data sharing in which healthcare organizations decide to participate, the distribution of information about threats still presents some hurdles, Nutkis notes. For example, it can be difficult to understand what are good threat indicators and what are not.
There also are technical and policy issues when considering how to securely share and test data to ensure the accuracy of data collected and submitted, he adds. “There were some challenges in making sure we were all talking the same language.”
As HITRUST ramped up its threat-sharing activities among members this year, it realized how fast new cyber threats were hitting healthcare entities. For instance, the organization announced in June that 90 percent of healthcare cyber threats found during the past month were previously unknown threats in the industry.
Members collecting threat data frequently are seeing new types of sophistication of the threats, and new exploits or enhancements of known threats, particularly ransomware, according to Nutkis.
HITRUST members sharing threat data among themselves can see some of the behaviors that are causing attacks, Nutkis notes. End users are still clicking on links they shouldn’t and opening email attachments without checking the source.
“The behavior of end users continues to be the same. We can see a user go into a spam filter, take out a file and click on it, but HITRUST can stop the interaction. Still, there is significantly more education needed.”
As members during this year collect threat data they have improved performance over time by reporting threats quicker and submitting threat indications to HITRURST within minutes of detection, compared with several weeks for previous submissions.