“Community Defense” Model a Major Step Toward Proactively Protecting Electronic Health Data and the Nation’s Critical Infrastructure Against Cyber Attacks
Jul 24, 2012
Frisco, TX – July 24, 2012 – The Health Information Trust Alliance (HITRUST) today launched the HITRUST Cyber Threat Analysis Service (C-TAS), a unique collaborative platform for cyber defense specific to the healthcare industry and a new component of the recently announced HITRUST Cybersecurity Incident Response and Coordination Center. HITRUST C-TAS participants represent the full spectrum of the healthcare ecosystem such as health systems, health plans, pharmacy benefit managers (PBMs), pharmacies and pharmaceutical manufacturers, as well as government organizations such as the Department of Health and Human Services (DHHS) and the Department of Veterans Affairs (VA). By combining world-class intelligence analysis capability with broad industry collaboration, a “community defense” model can be achieved.
The HITRUST C-TAS represents a major step for the healthcare industry in proactively protecting vital electronic health data and the nation’s critical infrastructure against cyber crime, cyber espionage and cyber activism. It also represents an industry first in tracking vulnerabilities for electronic health record systems (EHRs) and medical devices. These systems are critical for continuing industry operations, and reducing vulnerabilities that could cause disruption is a key priority. HITRUST is tackling a crucial problem not addressed by other services.
Attacks against healthcare information systems – which are inherently vulnerable to unauthorized access and contain personal health information, consumer data, intellectual property and trade secrets – are increasing exponentially and becoming more sophisticated and targeted. Data breaches in healthcare jumped more than 30 percent from 2010 to 2011, the average economic impact of a data breach was $2.2 million, and the share of respondents reporting criminal attacks as the root cause rose from 20 to 30 percent, according to the December 2011 Second Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute.
With the Cyber Threat Analysis Service, HITRUST aims to deliver:
- A comprehensive set of cyber threat intelligence specific to the healthcare industry: Monitoring or “listening” for healthcare-specific threats and risks
- A trusted community-based platform: Vulnerability reporting, knowledge sharing and collaboration without attribution to victim organizations
- Support of best practices: Structured deliverables, in the form of research, reports and briefings for multiple user groups: operations, investigators, and chief information security officers
“The level of collaboration we are experiencing across the healthcare industry and with government agencies, EHR vendors and medical device manufacturers is unprecedented and reflects the importance to the industry,” said Daniel Nutkis, chief executive officer, HITRUST. “The HITRUST C-TAS is a major step forward in the availability of tools and knowledge for organizations to prepare and respond to cyber incidents, and to better protect this critical industry.”
Identified as one of the 18 critical infrastructure sectors by the Department of Homeland Security (DHS), healthcare and public health (HPH) constitutes 17 percent of the Gross National Product and protects all sectors of the economy. The sector is unique in that the vast majority of the assets are privately owned and operated, yet at the same time highly interconnected, making collaboration and information sharing between public and private organizations essential to increasing resilience of the nation’s HPH critical infrastructure.
The HITRUST Cybersecurity Incident Response and Coordination Center is coordinating with the DHS for participation in the Critical Infrastructure Information Sharing and Collaboration Program (CISCP). In addition, it is developing processes for information sharing with the Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) in order to enable greater collaboration and information sharing between industry and government, and to enable better preparedness and response to threats targeted against all of critical infrastructure, including the healthcare industry and its assets.
The HITRUST C-TAS is the result of a partnership with iSIGHT Partners, a global cyber intelligence firm supporting leading commercial entities and federal, state, and local government organizations. “Cyber threats targeting the healthcare sector are very unique and it’s important to craft sector-specific threat intelligence capabilities and products,” commented John Watters, chief executive officer, iSIGHT Partners. “‘One company’s detection is the next company’s prevention,’ and in this spirit we are working together as a community and leveraging our collective capabilities and insights to help the industry navigate its adaptive threat environment.”
Support for HITRUST Cyber Threat Analysis Service
“As EHR systems have evolved and matured into a critical component in the delivery and management of patient care, it is important that the method for managing and communicating security vulnerabilities matures as well,” said Michael Wilson, vice president and chief information security officer, McKesson. “McKesson is committed to working closely and effectively with our customers when it comes to security of our products. Helping establish a robust and uniform approach to vulnerability submission and reporting for EHRs benefits not only our customers, but the entire industry.”
“With tens of thousands of medical devices in use in our facilities across the country, being able to protect these devices from cybersecurity threats is a key priority for us,” said John Oswalt, associate deputy assistant secretary for Policy, Privacy & Incident Response, the Department of Veterans Affairs. “Having a resource that allows us to have a standardized approach to communicating and understanding security concerns with these devices and to collaborate with experts, device manufacturers and others in industry to better protect them is a major step forward for the entire industry. We are happy to be playing a role in making it happen.”
“When the first discussions occurred last year on the creation of an industry C-TAS, I strongly supported the goal as I saw this as a crucial tool for the industry,” said Roy Mellinger, vice president and chief information security officer, WellPoint. “The resources offered from threat intelligence and analysis targeted specifically at healthcare and healthcare related systems to threat reports and alerts allows every organization to benefit by making information more targeted, readily accessible and meaningful.”
“The healthcare industry is continuing to evolve and change at a rapid pace, and with that, comes the advent of advanced technology which allows the entire system – including payers, providers and members – to have a more cohesive, coordinated and comprehensive continuum of care. In order to prevent and combat fraud or security issues, we need to be more proactive as an industry. By collaborating on best practices, we will be able to prevent and rectify security threats while, at the same time, allowing innovation to continue,” said Raymond Biondo, vice president and chief information security officer, Health Care Service Corporation.
HITRUST Cyber Threat Analysis Service Use Cases and Deliverables
Most healthcare information security professionals are finding that it is not economically viable to create and manage their own comprehensive threat intelligence center, where they have to rely on commercial threat feeds and try to find signals in the noise that relate to their industry and their organization. With the HITRUST C-TAS, organizations can address these core use cases: 1) Verified Threats; 2) Sector-Specific Technical Analysis; 3) Technology Risk Analysis; and 4) Business Risk Analysis.
Subscribers can choose from four tiers of pricing that package a combination of, or all five of, the following deliverables:
- Healthcare Incident & Malware Reports: Intelligence reports with technical analysis for professionals performing security operations and technical investigations – based on real-world attacks against healthcare entities.
- Healthcare Vulnerability Research: Intelligence reports with technical analysis for professionals managing IT vulnerabilities. Includes analysis of vulnerabilities in technologies commonly used in the healthcare sector, such as medical device technologies, electronic health record or electronic medical record systems, and supporting technologies.
- Healthcare Industry Threat Report: Intelligence reports to provide contextual analysis to information security professionals, chief information security officers and other stakeholders regarding emerging threats to the healthcare industry so they can prioritize investments in information security initiatives.
- Healthcare Malware Research: Technical support for professionals performing security operations and technical investigations so they can receive more information on unidentified or suspected malicious software.
- Healthcare Threat Briefing: Forum for chief information security officers to receive updates from security intelligence analysts regarding emerging threats to the healthcare industry so that they can prioritize investment in information security initiatives.
To download a brochure with more details, pricing and availability, visit: https://www.hitrustalliance.net/c-tas/.
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit www.HITRUSTalliance.net.
All product and company names herein may be trademarks of their respective owners.