Report Finds Gaps in Health Industry Cyber Threat Indicator Sharing
<< All Press Releases

Date: November 12, 2015

HITRUST to Advance Cyber Threat Indicator Collection and Situational Awareness

Frisco, Texas – November 12, 2015: The Health Information Trust Alliance (HITRUST), the leading organization supporting the healthcare industry in advancing the state of information protection, has released findings and recommendations from a recent review of the healthcare industry’s most active threat intelligence sharing and analysis organization, the HITRUST Cyber Threat XChange (CTX). The Health Industry Cyber Threat Information Sharing and Analysis Report reveals substantial gaps in the collection and usability of Indicators of Compromise (IOCs).

The findings confirm what has previously been speculated regarding the actual degree to which organizations consume versus contribute IOCs. Only a small percentage of organizations – 5 percent – contributed IOCs to the HITRUST CTX, while 85 percent of organizations consumed them during the same period. Additionally, of the IOCs contributed to the HITRUST CTX in the sampling period, only 50 percent were considered “actionable,” defined as being useful in allowing preventative or defensive action to be taken without a significant risk of a false positive.

The findings also highlight the fact that many organizations are not effectively identifying cyber threat indicators internally and, therefore, are unable to contribute them to the HITRUST CTX. When comparing indicators contributed by participants using current cyber discovery methods versus what was detected using breach detection systems during the reporting period, it was found that 286 times more IOCs were identified. Also of note was that 24 percent of those identified IOCs were new and not previously submitted by any source to the HITRUST CTX.

“Achieving the ultimate benefits of cyber threat intelligence sharing requires certain key threat indicator requirements be met,” said Dave Kaercher, Chief Information Officer, Blue Cross and Blue Shield of Kansas City. “Based on our experience participating in the HITRUST CTX, we better understand the requirements and what has limited us in achieving them to date, and we feel confident we can now address them.”

A significant part of the equation for improving the efficacy of threat intelligence sharing is the ability of participants to gather IOCs quickly, accurately, and completely and share in near real-time with the HITRUST CTX. The accuracy, timeliness, and completeness of an IOC directly relates to making an indicator actionable. IOCs become less valuable over time and need to contain a minimum dataset in order for them to deliver optimum value.

HITRUST has identified breach detection systems as a class of technology that offers the greatest potential to meet the requirements for improving the accuracy and timeliness of the IOC collection while being practical to obtain, deploy, and operate for a health industry organization of almost any size. To evaluate the effectiveness, Trend Micro Deep Discovery systems, which incorporate specialized detection engines and custom sandboxing, were deployed at certain HITRUST CTX participating organizations. In addition to identifying substantially more unique IOCs, they provided additional metadata to make them actionable, while securely and seamlessly submitting them to the HITRUST CTX within minutes of discovery.

“Cyber threat intelligence sharing still holds the greatest potential to enhance situational awareness and improve organizational cyber preparedness,” said Daniel Nutkis, CEO, HITRUST. “Development of the IOC collection requirements and our deployment of breach detection systems are a big step forward in advancing industry’s cyber intel sharing capability.”

Industry Call to Action

In addition to the findings, the report identifies requirements, guidance, and recommendations regarding the sharing and submission of cyber indicators. These include:

  • Establish Detailed Requirements for IOC Sharing: As part of the report’s recommendations, the ability to have access to more comprehensive, complete, and timely IOCs from across various segments of the industry is a vital part of the healthcare industry’s efforts to advance threat intelligence information sharing and collection. The current lack of clear guidance on IOC sharing and what constitutes a complete IOC has led to an overall reduced quality of IOCs.
  • Commence an Enhanced IOC Sharing Pilot to Quantify the Benefits and Identify Any Issues: A pilot group has been convened to evaluate the benefits to participating organizations and industry as well as any risks or concerns.
  • Evaluate Methods to Incentivize Organizations to Actively Engage in Cyber Threat Information Sharing: Currently there are no incentives for organizations to contribute IOCs to information sharing and analysis organizations. Many do it because it is the right thing for industry and no other reason. The current models do not limit what is consumed or distributed based on the level of contribution or engagement, providing no incentives for organizations to actively contribute their IOCs.
  • Ensure HITRUST CTX has Near Real-Time Cyber Threat Indicator Visibility Across Key Segments of the Health Industry:  To ensure IOC collection from across the industry, HITRUST will make available, free of charge, 50 Trend Micro Deep Discovery systems to healthcare organizations representing each segment of the healthcare industry. This state of the art technology will provide greater visibility into the cyber threats targeting their environment. Additionally, these devices will submit IOCs to HITRUST CTX and hence improve its unique visibility and situational awareness of cyber threats and attacks occurring across the entire industry in near real-time.

HITRUST is developing selection criteria to identify organizations to receive one of the 50 Trend Micro Deep Discovery systems slated for distribution. HITRUST anticipates this criteria being available within the next 45 days.

To read the HITRUST CTX findings and recommendations report, please view the Health Industry Cyber Threat Information Sharing and Analysis Report.

About HITRUST Cyber Threat XChange

The HITRUST Cyber Threat XChange (CTX), powered by Threat Stream technology, was created to significantly accelerate the detection and response to cyber threats targeted at the healthcare industry. HITRUST CTX automates the process of collecting and analyzing cyber threats and distributing actionable indicators in electronically consumable formats that organizations of varying sizes and cyber security maturity can utilize to improve their cyber defenses.


Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry.

For more information, visit


All product and company names herein may be trademarks of their respective owners.

Chat Now

This is where you can start a live chat with a member of our team