Frisco, TX – February 17, 2015: The Health Information Trust Alliance (HITRUST) today issued a statement in response to the Presidential “Executive Order – Promoting Private Sector Cybersecurity Information Sharing.”

Topic

On Friday, the President signed the “Executive Order – Promoting Private Sector Cybersecurity Information Sharing” during the White House Summit on Cybersecurity and Consumer Protection at Stanford University. The new executive order builds on the recent cybersecurity legislative proposal by laying out a framework for expanded information sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber threats.

Significance

The new Executive Order identifies Information Sharing and Analysis Organizations (ISAOs) as the key focal point for cybersecurity information sharing and collaboration within the private sector and between the private sector and government. It also calls for a common set of voluntary standards for ISAOs, directed the Department of Homeland Security (DHS); streamlines the mechanism for the new National Cybersecurity and Communications Integration Center (NCCIC) to enter into information sharing agreements with ISAOs; and streamlines private sector companies’ ability to access classified cybersecurity threat information to provide valuable context to network defenders and enhance their ability to protect their systems. Finally, the Executive Order ensures that information sharing enabled by this new framework will include strong protections for privacy and civil liberties.

Public Statement by HITRUST

HITRUST applauds the White House’s Executive Order to encourage increased cyber threat information sharing between the private sector and government. Since 2007, HITRUST has endeavored to elevate the level of information protection by ensuring greater collaboration between industry and government, and raising the competency level of information security professionals across the healthcare industry. We have tremendous experience as a federally recognized Information Sharing and Analysis Organization (ISAO) and have many valuable lessons to share. In the past, there has been some confusion on who in the private sector companies can turn to in order to work with their government partners. With the steps outlined in the President’s Executive Order it is clear that ISAOs are the focal link that will continue to provide value to strengthen our government, our economy, and our nation as a whole given the growing cyber threats the nation faces.

Empowering ISAOs allows each sector to understand the specific needs based on the industry’s maturity. HITRUST, as the healthcare industry’s largest and leading ISAO, has taken this more holistic approach to threat intelligence sharing and cybersecurity from the beginning with the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) program, supported through partnerships with the Department of Health and Human Services (HHS) and DHS. Some of the cyber programs coordinated by the HITRUST C3 include the Cyber Threat Exchange (CTX), Monthly Threat Briefings, and the CyberRX attack simulation exercise series – which is entering its second year and is partnering with industry in over 20 different cities. HITRUST is also a leader in education and outreach. HITRUST’s Common Security Framework (CSF) incorporates the NIST cyber security framework to ensure the CSF is the healthcare sector’s premier framework and is an example for other sectors given its rigorous privacy controls. HITRUST offers additional training and cybersecurity assessment programs, services and tools.

In the wake of the recent Anthem breach, the industry was able to experience the effectiveness of information sharing when HITRUST was able to share Indicators of Compromise (IOCs) with the healthcare industry within one hour after Anthem posted them to the automated HITRUST CTX. In addition, they were shared with HHS, DHS and U.S. CERT, who shared the IOCs with other industry ISAOs. HITRUST has recently made access to CTX easier by offering a free subscription to any healthcare organization.

We look forward to working with the White House, Congress and the Department of Homeland Security as they continue to foster the formation of private-sector-led information sharing as well as existing information sharing relationships between government and the private sector.

Supporting Documents

Executive Order—Promoting Private Sector Cybersecurity Information Sharing

FACT SHEET: Executive Order Promoting Private Sector Cybersecurity Information Sharing

For more information on HITRUST’s cybersecurity information sharing efforts, visit the HITRUST C3 page.

About HITRUST

Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST — in collaboration with public and private healthcare technology, privacy and information security leaders — has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit www.HITRUSTalliance.net.

Contacts

Leslie Kesselring
HITRUST
Public Relations
+1-503-358-1012
leslie@kesselring.net or pr@HITRUSTalliance.net