On March 9, 2017, Daniel Nutkis, CEO of HITRUST, testified before the Subcommittee on Cybersecurity and Infrastructure Protection of the Homeland Security Committee. The purpose of the hearing, entitled “The Current State of DHS Private Sector Engagement for Cybersecurity”, was to hear from private sector stakeholders on the value and effectiveness of their current engagement with the Department of Homeland Security (DHS). The hearing also allowed for a discussion of DHS private sector engagement and programs, to identify what makes particular outreach efforts and products valuable to participating entities.
Mr. Nutkis shared the health industry’s experiences in engaging with the Department of Homeland Security on cyber information sharing and other cyber initiatives, and described the role he believes provides the greatest benefit to industry. During his testimony, he highlighted some of the ways HITRUST helps elevate the healthcare industry’s cyber awareness, improves its cyber preparedness and strengthens its risk management posture. He also explained how programs such as cyber information sharing, cyber threat catalogues and guidance on implementing the NIST Cybersecurity Framework are integral to this process, as is the role of the Department of Homeland Security.
Mr. Nutkis began by listing three programs that HITRUST had pioneered with industry that showcase the positive efforts underway in collaboration with DHS:
- The Enhanced Indicator of Compromise (IOC) Program – which, he noted, has grown the number of unique IOCs shared across healthcare organizations each month from 186 in September 2015 to 5,158 in September 2016;
- Sector Guidance for Implementing the NIST Cybersecurity Framework – which the Health and Public Health Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) developed with input from HITRUST and other sector members, including the DHS Critical Infrastructure Cyber Community (C3), and which stands as an example of industry innovation, leadership and collaboration; and
- Automated Indicator Sharing (AIS) with DHS – with which the HITRUST Cyber Threat XChange (CTX) is fully integrated to support bi-directional cyber threat indicator exchange, helping organizations reduce their cyber risk. HITRUST was the first non-government entity connected to, and sharing cyber threat indicators with, the DHS AIS Program.
After touching briefly on these three programs, Mr. Nutkis addressed concerns about government interference with, or disregard for, the industry’s cybersecurity efforts. He noted that HITRUST’s role as an ISAO, together with strong industry engagement, enabled HITRUST to quickly and efficiently address any concerns regarding the liability of sharing with government. He added that HITRUST’s continued evaluation and enhancement of its infrastructure with technology partners enabled it to integrate with AIS and meet the future needs of information sharing.
Mr. Nutkis further asserted that both the Cybersecurity Act of 2015 (CISA) and Executive Order (EO) 13691 intended ISAOs to take up this role, in an effort to help move the private sector in the right direction and enable it to engage with government. He added that the AIS integration demonstrated that HITRUST, in partnership with DHS, continues to evolve, improve and lead by innovating, ensuring that cyber threat information sharing provides the most value to the broadest group of constituents while reducing overall cyber risk.
Mr. Nutkis suggested that DHS, acting as the hub for cyber information sharing, benefits the entire industry, and added that HITRUST’s engagement with the DHS AIS program has been both cooperative and very productive. However, he also asserted that, despite all the progress the public and private sectors have made in recent years, there are government efforts underway to undermine private-sector information sharing programs and ISAOs such as HITRUST.
His testimony added that, while he appreciated and recognized that each industry has unique dynamics and challenges with regard to CTI sharing, this did not warrant interposing another intermediary, particularly not one that regulates, audits and has responsibility for imposing fines and other financial penalties.
In closing, Mr. Nutkis told the subcommittee that the market should drive innovation, and government should promote the role of industry without changing the rules.