Results Mixed in Early Efforts to Collect, Share Cyber Threat Data

To fight cyber attacks, healthcare industry security consortium HITRUST this year developed Cyber Threat XChange, a program to help organizations collect and share cyber threat information. The initial results are mixed.


To fight the growing threat of cyber attacks, healthcare industry security consortium HITRUST this year developed Cyber Threat XChange, a program to help organizations collect and share cyber threat information. So far, the initial results are mixed.

Early adopters of the service deployed breach detection systems to identify malicious network activity and found many existing and new indicators of compromise, or IOCs. In fact, during collection of IOCs in August, organizations using newer breach detection systems found 286 times more IOCs than their previous cyber discovery methods were finding. And 24 percent of those IOCs were new and had not previously been submitted to Cyber Threat XChange, also called HITRUST CTX.

While 85 percent of authorized participants collected IOCs in August, only 5 percent shared the threat information they found with HITRUST CTX, and only half of those findings were actionable, meaning they were useful enough to support taking preventive or defensive measures without a significant risk of a false positive, according to HITRUST.

In all, hundreds of organizations participated in the August exercise, says Ray Biondo, chief information security officer at Health Care Service Corp, a large Blues plan.

Reporting an indicator of compromise is not enough; metadata also needs to be reported to bring more specificity to the compromise. According to a report from HITRUST, this includes a timestamp for the IOC, the region it was found in (such as the U.S.), IP address, industry, product, name of the malware, a cryptographic fingerprint that identifies the message, file type, protocol (such as HTTP), URL, domain (such as healthcare) and Web server location.
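As an added illustration (not code from HITRUST or from the report), the sketch below checks one IOC submission for the metadata listed above and flags values that are missing or malformed. The field names, the accepted formats and the sample record are assumptions constructed for this example.

```python
import hashlib
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

def _hex_digest(value):
    # Assumption: the fingerprint is an MD5, SHA-1 or SHA-256 hex digest.
    if not re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", value):
        raise ValueError("not a hex digest")

def _url(value):
    parts = urlparse(value)
    if not (parts.scheme and parts.netloc):
        raise ValueError("URL needs a scheme and a host")

# Hypothetical field names mirroring the metadata the report lists.
# A validator of None means "must be present, free text".
FIELDS = {
    "timestamp": datetime.fromisoformat, "region": None,
    "ip_address": ipaddress.ip_address, "industry": None, "product": None,
    "malware_name": None, "fingerprint": _hex_digest, "file_type": None,
    "protocol": None, "url": _url, "domain": None, "web_server_location": None,
}

def review_ioc(record):
    """Return (missing, malformed) lists of field names for one submission."""
    missing, malformed = [], []
    for name, check in FIELDS.items():
        value = record.get(name)
        if value is None or not str(value).strip():
            missing.append(name)       # absent or blank metadata
        elif check is not None:
            try:
                check(str(value))
            except ValueError:
                malformed.append(name)  # present but not parseable
    return missing, malformed

# Constructed sample record; every value is made up for the example.
SAMPLE_COMPLETE = {
    "timestamp": "2015-08-14T09:30:00+00:00", "region": "U.S.",
    "ip_address": "203.0.113.7", "industry": "payer", "product": "sandbox",
    "malware_name": "ExampleDropper",
    "fingerprint": hashlib.sha256(b"constructed sample").hexdigest(),
    "file_type": "exe", "protocol": "HTTP",
    "url": "http://malware.example/payload", "domain": "healthcare",
    "web_server_location": "U.S.",
}

if __name__ == "__main__":
    print(review_ioc(SAMPLE_COMPLETE))               # complete submission
    print(review_ioc({"ip_address": "203.0.113.7"}))  # bare indicator only
```

A bare IP address passes format validation yet is reported as missing eleven fields, the kind of low-context submission the report describes.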

For now, the factors limiting the sharing of cyber threat information center on many organizations lacking the right technology infrastructure and personnel.

To improve sharing, HITRUST offers four recommendations to the industry:

Establish Detailed Requirements for IOC Sharing: “The overall lack of clear guidance on IOC sharing and what constitutes a complete IOC had led to an overall reduced quality of IOCs.”

Commence an Enhanced IOC Sharing Pilot to Quantify the Benefits and Identify any Issues: “A pilot group has been convened to evaluate the benefits to participating organizations and industry as well as any risks or concerns.”

Evaluate Methods to Incentivize Organizations to Actively Engage in Cyber Threat Information Sharing: “Currently there are no incentives for organizations to contribute IOCs to information sharing and analysis organizations. Many do it because it is the right thing for the industry and no other reason. Current models do not limit what is consumed or distributed based on the level of contribution or engagement, providing no incentives for organizations to actively contribute their IOCs.”

Ensure HITRUST CTX Has Near Real-Time Cyber Threat Indicator Visibility Across Key Segments of the Health Industry: “HITRUST will make available, free of charge, 50 Trend Micro Deep Discovery Systems to healthcare organizations representing each segment of the industry. This state of the art technology will provide greater visibility into the cyber threats targeting their environment. Additionally, these devices will submit IOCs to HITRUST CTX and hence improve its unique visibility and situational awareness of cyber threats and attacks occurring across the entire industry in near real-time.”

While hundreds of provider, payer and vendor organizations are working with HITRUST to collect threat data, privacy concerns are a big reason why so many aren’t sharing their threat information, says Biondo of Health Care Service Corp.

Some organizations are hesitant to share because there isn’t yet clarity on what data they should be looking at and what data they should be making available, Biondo explains. But many organizations also may mistakenly believe their company is identified when contributing threat data to HITRUST. Biondo emphasizes that HITRUST does not ask for the names of companies, just the threats they are seeing, to allow forensic experts to do deeper dives and take corrective action. But it will take time to get the message across the industry that participants are not identified.
