HITRUST Pilot Advances Health Industry Cyber Threat Sharing to Combat Ransomware and Other Cyber Attacks
<< All Press Releases

Date: June 8, 2016

Enhancements to ISAO Address Gaps in Collection and Consumption of Cyber Threat Indicators of Compromise (IOCs) for Healthcare Organizations

Frisco, Texas – June 8, 2016 – The Health Information Trust Alliance (HITRUST), the leading organization supporting the healthcare industry in advancing the state of information protection, has released findings from an industry pilot to evaluate methods to improve the collection and sharing of cyber threat Indicators of Compromise (IOCs) and enable their effective consumption by a broad range of organizations. In response to these findings, HITRUST is also announcing enhancements to the platform and service for its HITRUST Cyber Threat XChange (CTX), the health industry’s Information Sharing and Analysis Organization (ISAO), to aid organizations in reducing their cyber risk.

Results of the Enhanced IOC Collection Pilot indicate that healthcare organizations can dramatically improve the timeliness, completeness, usability and volume of IOCs contributed to the HITRUST CTX by implementing the enhanced criteria – defined in the November 2015 review of the HITRUST CTX entitled “Health Industry Cyber Threat Information Sharing and Analysis Report.” For the first time, 100% of the Enhanced IOC Collection Pilot group members submitted IOCs during the 30-day period. This vast improvement was of additional significance given the fact that, during the same 30-day timeframe, 88% of the IOCs collected by the pilot were unknown – that is, not previously seen or identified by any open source, DHS CISCP, leading commercial feeds or otherwise provided to the HITRUST CTX.

This increase in unknown submissions means not only that healthcare organizations can better prepare for and respond faster to new and emerging cyber threats, but also that cyber information sharing plays a more critical role in an organization’s overall cyber defense strategy.

The pilot also proves that threat information sharing does not need to be limited to the largest organizations and that the scalable sharing of IOCs can be achieved throughout healthcare organizations of varying size, intelligence appetite, and security maturity.

While the HITRUST CTX directly integrates with the market’s leading SIEM technologies, supports STIX and TAXII exchange formats, and offers an API, many smaller organizations haven’t deployed these capabilities and are unable to contribute or consume IOCs. To address this obstacle, HITRUST is now providing support for these environments with its new CTX Threat Analysis Reporting Service, which provides a method for organizations without SIEM technology to gain access to IOCs relevant to their environment.

Given the recent rise in ransomware and other malware targeted at the healthcare industry, these pilot developments are extremely significant as they ensure the collection and consumption of more relevant and timely IOCs that can be used by a much larger percentage of the healthcare industry and ultimately bolster the overall cyber posture of this segment of the nation’s critical infrastructure.

“When cyber threat information is timely, consumable, actionable, and available to a much larger audience, it becomes a much more valuable resource in defending our environment and the entire healthcare eco-system against attacks,” said Omar, Khawaja, Vice President and Chief Information Security Officer, Highmark Health.

Addressing Gaps in Collection and Consumption of Cyber Threat Indicators

The data from the Enhanced IOC Collection Pilot demonstrated the ability to collect and report IOCs addressing these gaps:

  1. Percentage of IOCs Seen First: In the past 30 days 88% of the IOCs collected were unique and not seen or known by any other open source, commercial, DHS CISCP, or user contributed feeds available to the HITRUST CTX.
  2. Percentage of Organizations Contributing IOCs: 100% of organizations reported IOCs to the HITRUST CTX compared to only a small percentage of organizations – 5% – that previously contributed IOCs.
  3. Average Time IOCs Seen First: IOCs were reported to the HITRUST CTX on average 1.2 days before being seen or identified by any other open source, commercial, DHS CISCP, or user contributed feeds to the HITRUST CTX.
  4. Average Time from Detection to Submission: IOCs were submitted in a matter of minutes to the HITRUST CTX compared to an average of 7 weeks after detection by those submitted previously. In addition, many organizations were not effectively identifying IOCs at all.
  5. Percentage of Actionable IOCs: 95% of the IOCs contributed to the HITRUST CTX had metadata (i.e. malicious IPs, URLs or domains) that made them actionable for use by others, defined as being useful in allowing preventative or defensive action to be taken without a significant risk of a false positive. Previously only 50% of the IOCs contributed to the HITRUST CTX were considered actionable.

Additionally, the enhanced pilot improved situational awareness and predictive threat modeling with the ability to correlate IOCs and Indicators of Attack (IOAs) between organizations to identify attack patterns and alert participants about IOCs and IOAs.

“Many years ago, HITRUST recognized that the approaches taken by other industries with regards to cyber information sharing were not fully transferable to the healthcare industry,” said Daniel Nutkis, CEO, HITRUST. “The pilot advancements in these two areas show that the CTX continues to evolve, improve, and lead by innovating and ensuring IOC sharing is providing the most value to the broadest group of constituents to help the healthcare industry reduce overall cyber risk.”

Expansion of Enhanced IOC Collection Program

HITRUST is expanding the Enhanced IOC Collection program, and any organization meeting the criteria can request to participate. In addition, HITRUST will enable another 30 organizations in the Enhanced IOC Collection Pilot program, representing 15 health plans and 15 health systems. These organizations will be provided with Deep Discovery Technology from Trend Micro and associated installation, training, support, and HITRUST CTX integration.

To read the HITRUST blog titled “Threat Information Sharing: An Increasingly Effective Weapon for Fighting Ransomware and Other Cybercrime” visit: https://blog.hitrustalliance.net/threat-information-sharing-an-increasingly-effective-weapon-for-fighting-ransomware-and-other-cybercrime/

To participate in the HITRUST CTX free of charge visit: https://www.cysiv.com/en_us/home.html

To leverage the “Healthcare Sector Cybersecurity Framework Implementation Guide” document for the NIST Cybersecurity Framework visit: https://hitrustalliance.net/documents/cybersecurity/HPHCyberImplementationGuide.pdf

About HITRUST Cyber Threat XChange

The HITRUST Cyber Threat XChange (CTX), powered by Anomali, was created to significantly accelerate the detection and response to cyber threats targeted at the healthcare industry. HITRUST CTX automates the process of collecting and analyzing cyber threats and distributing actionable indicators in electronically consumable formats that organizations of varying sizes and cyber security maturity can utilize to improve their cyber defenses.


Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit www.HITRUSTalliance.net.

All product and company names herein may be trademarks of their respective owners.

Chat Now

This is where you can start a live chat with a member of our team