HSCC Shares Best Practice Cyber Threat Information Sharing Guidance
Best practice guidance from HSCC sheds light on ways healthcare organizations can establish and manage cyber threat information sharing programs to reduce overall risk.
The Healthcare and Public Health Sector Coordinating Council released best practice guidance around cyber threat information sharing programs to help healthcare organizations develop and manage these enterprise programs.
The guide builds upon earlier HSCC guidance that listed key information sharing organizations and served as a resource on these groups as a way to fuel necessary threat information sharing. Key groups include the Health Information Sharing and Analysis Center (H-ISAC), government resources, and other information sharing groups.
The latest guidance sheds light on ways healthcare organizations can manage the information they’ve gained from participating in these collaboratives. Officials said the publication completes imperative six from the 2017 Health Care Industry Cybersecurity Task Force report.
“Information sharing programs, when done properly, produce significant benefit at low risk for the organizations that participate,” Errol Weiss, chief security officer of H-ISAC and HSCC co-chair, said in a statement.
In fact, HSCC explained that these programs can help organizations improve their own security posture through “shared situational awareness,” as it’s likely an attack on one provider is one that has been used before on another healthcare organization.
“When an organization participates in an information sharing program, they will often learn about attacks and mitigations before they are targeted,” researchers explained. “Having knowledge about what attacks other firms are facing gives the organization an opportunity to prepare.”
These programs also allow healthcare providers, especially those with limited resources, to crowdsource cybersecurity expertise, while strengthening community trust and resilience.
“A chain is only as strong as its weakest link, and in today’s connected healthcare environment, one of the best ways to increase the strength of the chain is through information sharing programs,” researchers wrote.
“Cybersecurity threats evolve at a rapid pace, and the ability to stay abreast of continuous developments, coupled with ever-increasing technological environments can be proactively addressed through the quick sharing of actionable intelligence,” they added.
Before joining an information sharing program, healthcare organizations will need to prepare policies and procedures.
The HSCC guide provides recommendations for providers on ways to establish information sharing goals and objectives, implement governance models or regulatory compliance, categorize information sharing assets, create a governance body, invest in a third-party review, and establish sanitization rules.
Organizations will also need to ensure they pull the legal team into the information sharing process to educate the team on the value and scope of the process and reduce the likelihood of roadblocks within the enterprise. The legal team should be engaged early in the process, and providers should consider dedicating resources to legal outreach.
The guide aims to give healthcare organizations an effective and efficient way to bolster information sharing. Officials said the hope is providers will use the document for their own information sharing programs, as it can be customized to their environment.
Specifically, organizations can find insights on the types of information that should be shared in these programs, including strategic, tactical, operational, technical, and open source intelligence, as well as industry best practices and incident response information.
For example, organizations can find and share information around addressing third-party vendor risk, intelligence gathering techniques, how to present cyber risk to the board, securing IoT and big data, and changes to laws and regulations that could impact an organization’s security policies.
Further, the guidance covers ways to share this information, including the traffic light protocol and legal protections, along with whom to share the data with.
“The success of information sharing in any community relies on the trust established between individuals,” the guide concludes. “Trust is a requirement when an individual wants to share sensitive information with others. Trust is a human quality and can’t be replaced by automation.”
HSCC recommends healthcare organizations get involved with the information sharing community to both build and maintain trust networks, including hosting and attending in-person meetings with cybersecurity professionals, as these relationships “will help establish a network of trust in the wider information sharing community.”
These insights mirror those shared with Congress last year by the American Hospital Association, American Medical Association, CHIME, and HITRUST, among others, which concluded that a collaborative, proactive approach is needed to improve cybersecurity across the sector.
“While adversaries, aside from sophisticated threat actors, tend not to coordinate their campaigns with other actors, and thereby share resources and knowledge, every healthcare organization is subject to innumerable threats against every exposed system,” the Institute for Critical Infrastructure Technology wrote at the time.
“Meaningful collaboration has proven one of the most under-utilized, cost-effective, and impactful strategies organizations can engage to mitigate hyper-evolving cyber threats,” they added. “Threat sharing initiatives allow for stronger data protection and more importantly, for proactive deterrence options instead of reactive remediation efforts.”