In the aftermath of the recent hacking incident at Community Health Systems, the healthcare sector is evaluating how to improve cybersecurity intelligence, threat information sharing and incident preparedness.
On Sept. 9, representatives from government agencies, including the FBI, Department of Homeland Security, and Department of Health and Human Services; healthcare sector information security leaders; and the Health Information Trust Alliance – or HITRUST – will meet to discuss ways of improving communication about cyberthreats to help mitigate the risks.
HITRUST is best known for establishing the Common Security Framework. That framework is designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information.
While the HITRUST summit was already slated to take place before the recent announcement of the hacking incident involving Community Health Systems, the discussions are particularly timely, considering criticism that government agencies, including the FBI, were slow to share with healthcare organizations information about the Community Health System incident.
When healthcare organizations hear about a breach of the size and scope of the CHS incident – which was first publicly disclosed by the hospital chain in an Aug. 18 filing with the Securities and Exchange Commission, they want to know what security controls were affected, what new vulnerabilities or threats emerged, and how best to mitigate those threats, says Daniel Nutkis, HITRUST’s CEO.
The industry also wants to get information about emerging threats faster, Nutkis says in an interview with Information Security Media Group.
Mandiant, which is providing forensics services to the hospital chain, believes that an “advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company’s systems,” according to the hospital chain’s 8-K filing with the SEC. CHS says the attack, which compromised data of 4.5 million patients, most likely occurred in April and June. Attackers used highly sophisticated malware to bypass security measures and successfully copy and transfer certain information out of the system, CHS says.
TrustedSec, an information security consulting service, has said hackers who attacked CHS apparently took advantage of the Heartbleed flaw (see Is Heartbleed Behind Healthcare Breach?).
Community Health Systems’ 8-K filing kicked off a “hysteria” with organizations thinking the healthcare sector “was under attack by China,” Nutkis says. “Boards were asking CISOs, ‘Are be protected?’ and the CISOs were trying to figure it out.”
Nutkis says HITRUST is working with government agencies in “moving the industry forward” toward improving information sharing and breach preparedness and response.
At the Sept. 9 summit, participants will discuss, for example, how to best communicate cyber-intelligence information and guidance so that healthcare entities of any cybersecurity maturity level can make use of the information, Nutkis says.
“There are 400,000 organizations in the [healthcare] industry, with different levels of sophistication and resources,” he says. “Some want more sophisticated details, some want summaries, some just want to know how to fix a problem. “We’re trying to figure out what’s most effective, because one size doesn’t fit all.”
Nutkis says HITRUST is also collaborating with healthcare organizations and government agencies to create “a mechanism” for organizations to divulge information about cyberthreats and incidents so that helpful alerts and guidance is provided promptly to the industry while “dialing down the hysteria.”
HITRUST, along with HHS, is also planning to kick off in October a second round of cybersecurity drills – CyberRX 2.0. The first drill in March was a two-day simulated cyber-attack exercise in which 12 organizations, including those in the pharmaceutical, insurance and provider sectors, participated (see Cybersecurity Drill: Lessons Learned).
The upcoming, free CyberRX 2.0 offering expands the cyberdrills with a three-tier program that supports organizations of varying cybersecurity sophistication levels. The events that will take place beginning in October and run through July 2015; approximately 750 organizations have signed on to participate, HITRUST says.
Phil Curran, chief information assurance and privacy officer at Cooper University Health Care in Camden, N.J., says a problem faced by the healthcare sector is an overload of threat information that needs to be analyzed for relevance.
“One of the biggest issues we face is the amount of information that is available and how we analyze that information – it’s like washing your hands with a fire hose,” Curran says. “Most organizations are not blessed with an individual who is a trained and experienced intelligence analyst. We need someone to take all that data and boil it down to short, executive summaries and distribute in a timely manner.”
Curran says that when it comes to guidance, it sometimes can be helpful to learn how other organizations are responding to cyberthreats. “For many threats – for example, Heartbleed – all the verticals are affected and should be taking steps to mitigate,” he notes. “Are the steps I am taking enough? What haven’t I thought of? You gain a lot of insight when you talk with other people and review steps others have taken.”
He also encourages “entities who have been affected to share their mitigation steps; this would go a long way in lessening the burden on smaller entities and not so experienced personnel who are responding to the same incident.”
In addition to HITRUST’s efforts, the National Health Information Sharing and Analysis Center is also examining ways to improve cyber-intelligence sharing, says Deborah Kobza, executive director.
“NH-ISAC is holding regional National Cybersecurity Resilience Roundtable events across the country beginning in September 2014, culminating in a National Health Cybersecurity Summit in partnership with SANS [Institute] in San Francisco in December,” she says.
NH-ISAC recently also hosted a webinar with Mandiant, the security company hired by CHS, that addressed the “threat actors and countermeasure solutions,” involved in the CHS incident, Kobza says.