Written by HITRUST Independent Security Journalist Sean Martin.
The results are in, and HITRUST’s latest industry pilot project to improve the collection and sharing of cyber threat Indicators of Compromise is helping aid organizations in reducing their cyber risk.
Indicators of Compromise, or IOCs, are shared data objects that describe, with a high degree of confidence, that an intrusion may have taken place or that a threat actor is operating within a target environment. An IOC includes not only hard factual data, but also the context and metadata that describe the threat so it can be understood and processed.
The results of HITRUST’s Enhanced IOC Collection Pilot indicate that healthcare organizations, when collecting and sharing detailed IOCs — as defined in “Health Industry Cyber Threat Information Sharing and Analysis Report,” published November 2015 — can dramatically improve the timeliness, completeness, usability and volume of IOCs submitted to the HITRUST Cyber Threat XChange (CTX) database.
One way the pilot made a difference: 88% of the IOCs collected were unique – that is, not previously seen or identified by any open source, DHS CISCP, leading commercial feeds or otherwise contributed to the HITRUST CTX. This increase in unique submissions means healthcare organizations can better prepare themselves for, and respond faster to, new threats that could be heading their way.
The pilot also proved that threat information sharing shouldn’t be limited to only the largest organizations. HITRUST learned that the scalable sharing of IOCs is required throughout healthcare organizations of varying size, intelligence appetite, and security maturity.
Given the recent rise in ransomware and other malware targeted at the healthcare industry, these developments are extremely significant as they ensure the collection of more relevant and timely IOCs that can be consumed by a much larger percentage of the healthcare industry as a means to bolster their cyber defenses.
There were significant payoffs from the recent pilot project: they will not only directly improve the quality of the HITRUST CTX, but also provide a tremendous resource for healthcare organizations and security researchers developing new defenses and countermeasures against the latest threats.
- More unique information: In the past 30 days 88% of the IOCs collected by this pilot were not seen or known by any other open source, commercial, DHS CISCP, or user contributed feeds available to the HITRUST CTX.
- More organizations reporting: 100% of organizations in the enhanced pilot reported IOCs to the HITRUST CTX. Before, only a small percentage of organizations – 5% – contributed IOCs.
- Incidents reported faster than from other sources: On average IOCs were reported to the HITRUST CTX 1.2 days before being seen or identified by any other open source, commercial, DHS CISCP, or user contributed feeds to the HITRUST CTX.
- Incident submission times accelerated by orders of magnitude: IOCs were submitted in a matter of minutes to the HITRUST CTX. Before the trial, many organizations were not effectively identifying IOCs and the ones contributed were submitted on average 7 weeks after detection.
- More of the IOC data can be used by security professionals: In the pilot project, fully 95% of the IOCs contributed to the HITRUST CTX had metadata (for example malicious IPs, URLs or domains) that made them useful in allowing preventative or defensive action to be taken without a significant risk of a false positive. Before the pilot, only 50% of the IOCs contributed to the HITRUST CTX were considered actionable.
Putting CTX into Action
The HITRUST CTX was created to significantly accelerate the detection and response to cyber threats targeting the healthcare industry. CTX automates the process of collecting and analyzing cyber threats via IOCs, and then distributes actionable indicators to help you improve your defenses. Think of CTX as an early warning system for the healthcare industry.
In addition, for those organizations that do not currently deploy Security Information and Event Management (SIEM) technologies, the HITRUST CTX can now leverage log data from security and network products (e.g. firewalls, gateways) to extract potential IOCs for in-depth analysis and reporting of potential threat information. This approach allows healthcare organizations of any size or maturity to apply their threat intelligence to their own logs and learn whether systems within their networks are communicating with known-bad IPs, domains or websites, or exhibiting other known threats.
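As an added illustration of the log-based approach described above (this is example code, not HITRUST's or CTX's own), the following Python matches constructed firewall log lines against a constructed IOC list and keeps each indicator's metadata with the hit so it can be triaged; the key=value log format, the field names and the indicator values are all assumptions.

```python
import re
from collections import Counter

# Constructed sample IOC records (not real indicators). Each carries the metadata
# the article says makes an indicator actionable: type, value, confidence, context.
IOCS = [
    {"type": "ip", "value": "203.0.113.7", "confidence": "high", "context": "C2 beacon"},
    {"type": "domain", "value": "bad.example", "confidence": "high", "context": "dropper"},
    {"type": "ip", "value": "198.51.100.99", "confidence": "low", "context": "noisy scanner"},
]

# Constructed firewall/gateway log lines in an assumed key=value format.
LOG_LINES = """\
2016-03-01T10:01:02Z src=10.0.5.21 dst=203.0.113.7 dport=443 action=allow
2016-03-01T10:02:15Z src=10.0.5.22 dst=93.184.216.34 dport=80 action=allow
2016-03-01T10:03:40Z src=10.0.7.9 dst=198.51.100.99 dport=22 action=deny
2016-03-01T10:04:01Z src=10.0.5.21 host=bad.example dport=80 action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one log line into its timestamp and a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV.findall(rest))

def match_logs(log_text, iocs):
    """Return every log line whose destination IP or host matches an IOC,
    annotated with the IOC's confidence and context so an analyst can triage."""
    index = {(i["type"], i["value"]): i for i in iocs}
    hits = []
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        for key in (("ip", f.get("dst")), ("domain", f.get("host"))):
            ioc = index.get(key)
            if ioc is not None:
                hits.append({"time": ts, "src": f["src"], "indicator": key[1],
                             "confidence": ioc["confidence"],
                             "context": ioc["context"], "action": f.get("action")})
    return hits

def hosts_to_investigate(hits):
    """Count internal sources that contacted high-confidence indicators;
    low-confidence matches stay in `hits` for review but are not escalated."""
    return Counter(h["src"] for h in hits if h["confidence"] == "high")

if __name__ == "__main__":
    print(hosts_to_investigate(match_logs(LOG_LINES, IOCS)))
```

A denied connection still counts as a hit: the attempt itself tells the defender which internal host tried to reach the indicator.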
More than ever before, it’s easy for any healthcare organization to sign up, contribute, consume, and take action on shared threat intelligence.