If recent cyberattacks on healthcare organizations - including the ransomware attack on Hollywood Presbyterian Medical Center - tell us anything, it's that better cyber threat intelligence sharing is desperately needed.
But what are the key gaps that need to be addressed? Harris Health System, a Houston-based integrated healthcare delivery system, is leading an effort to find out.
The Department of Health and Human Services awarded Harris Health System a $150,000 grant to help identify ways to share cyber threat information and protect the critical infrastructure of the nation's public and private healthcare sectors (see Threat Intel Sharing Project: A CISO Leads the Way). As the major component of that effort, Harris Health System is fielding a survey of healthcare sector organizations to gather insights into the state of cyber information sharing.
But the success of this effort depends on participation by a wide variety of organizations of all sizes in all areas of healthcare.
"This survey is important to the healthcare community because it helps us paint the true picture of the current gaps that exist in sharing cyber information across the sector," Jeffrey Vinson, CISO at Harris Health System, tells me.
The information Vinson's team gathers should help HHS and the entire healthcare sector better understand "why so many attacks and breaches are taking place and learn how to defend against them as a community, versus single entities," says Vinson, who formerly worked at the National Security Agency. "We hope to learn what some organizations are doing as it relates to getting and sharing cyber threat information and how we can possibly improve upon it for the entire healthcare sector and public health."
The analysis of the survey findings should also play a key role in other related work underway at HHS to better understand cyber intelligence information sharing gaps in healthcare, as called for by President Obama's cybersecurity executive order last year and by the Cybersecurity Information Sharing Act of 2015. Among other things, the new law calls for an HHS industry task force to examine the cyber challenges facing the healthcare sector, as well as lessons the sector can learn from other industries.
The Obama executive order last year called for the creation of new information sharing and analysis organizations, or ISAOs, to share cyber intelligence within the private sector and between the private sector and government, as well as with existing information sharing organizations, such as the National Health Information Sharing and Analysis Center, or NH-ISAC, and the Health Information Trust Alliance, or HITRUST.
Vinson hopes the survey will capture the views of a variety of organizations, including those involved with direct patient care, health plans, pharmaceutical companies, laboratories, blood banks, medical materials firms, public health agencies and health information technology firms.
Among the specific issues that are being examined in the survey:
- Whether an organization is currently utilizing a cyber threat intelligence sharing tool, service or method;
- What sorts of sources are used for gathering cyber threat intelligence;
- How many potential incidents healthcare sector entities prevented or detected over the last 12 months using cyber threat information sharing;
- What kinds of gaps and "pain points" healthcare sector entities see in cyber threat intelligence sharing, and causes for those deficiencies;
- The kinds of data and indicators that organizations would like to see in "next generation" cyber threat intelligence sharing.
Once the survey is completed and results analyzed, the hope is that the industry, along with the government, can work toward improved cyber intelligence sharing, enabling organizations to be better prepared to handle emerging threats.
"It helps us get our arms around the [key] objective, which is to gain an understanding of the cyber threat information needs of the healthcare sector," Vinson says.
HHS is expected to disseminate the results of the survey at the conclusion of the grant work Sept. 30, he says.
To add your perspective to this important research effort, I encourage you to take the time to take the survey.
It's your chance to be heard as potential new strategies, policies and programs are crafted in the months and years ahead in the effort to improve cyber threat intelligence sharing.
While you're at it, please let us know what you think of the survey and the state of cyber threat intelligence sharing in the healthcare sector by commenting in the space below.