
HSCC Shares Resource on Threat Information Sharing Organizations

HSCC released a new inventory of national information sharing organizations and key services, designed to help healthcare providers begin the shift into these crucial cybersecurity programs.

The Healthcare and Public Health Sector Coordinating Council unveiled guidance on cybersecurity information sharing organizations in the healthcare sector, its fourth cybersecurity resource released as mandated by the Health Care Industry Cybersecurity Task Force.

The HSCC is a public-private partnership of health companies and providers that develops collaborative solutions to mitigate threats to the industry. It is one of 16 critical infrastructure sectors organized to partner with the government under Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience.

The group is made up of over 200 medical device and health IT companies, direct patient care entities, plans and payers, labs, blood and pharmaceutical companies, and several government partners.

Most recently, HSCC released a guide on bolstering healthcare security teams through the use of IT leaders and college students.

Its latest resource, the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO), is designed to identify the most widely recognized ISOs for the healthcare sector and other industries, limiting its scope to the national level to keep the simple guide manageable.

The hope is to give healthcare providers insight into groups that support information sharing and methods to tap into these resources, while stressing the necessity of threat and information sharing. Current ISOs include HITRUST, MED-ISAO, H-ISAC and a host of others. The complete guide to these groups provides details on their missions, how information is shared, and potential fees.

“Many health organizations are beginning to understand the importance of cybersecurity information sharing but don't know where to start,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center and HSCC task group co-chair.

“With cyberattacks against health organizations increasing in number and severity, one of the most important things an enterprise can do is build awareness and preparedness through community engagement,” he added.

The healthcare sector is dogged by limited resources and a security staffing shortage, which makes threat sharing with other organizations crucial to helping the sector keep pace with the rapidly evolving threat landscape.

However, many organizations are unsure of where to begin with the process. HSCC officials explained that implementing information sharing into typical cybersecurity practices can be daunting due to the number of potential information sources, number of departments and functions within an organization, and the need for executive-level decision making related to system operations and business continuity.

To get started, organizations without an existing enterprise information sharing program should research available sources of information. HSCC officials explained that the HIC-MISO can serve as a sound starting point for those organizations.

Providers should also consider speaking with their primary vendors about the ways they supply information and whether those vendors are current members of a particular sharing organization. HSCC explained that both free and paid services can also supply basic cybersecurity information to assist these organizations as they develop these processes.

Organizations should also build an information flow chart that includes who will receive shared cybersecurity information from their sources, how it will be evaluated, and the actions needed as a result of the evaluation.

“Don't be afraid to start simple! The process will mature as you perform it,” HSCC officials wrote. “Cybersecurity is a journey, and information sharing is no different. It is easy to feel overwhelmed with options. Remember to start small, with what you consider to be the most important information, and then to expand as you gain confidence in the new system.”

HSCC intends to follow up the HIC-MISO by developing best practices for building an information system into an existing cyber risk management program.

“The target audience consists of health providers and companies that are not likely to have the resources or expertise to participate in more than one or two of these groups,” HSCC Information Sharing Task Group co-lead Bill Hagestad said in a statement.

“In preparing this resource, the task group recognized the broad range of budgets and capabilities across the sector, and accordingly we will begin work to supplement the HIC-MISO with a guide for how organizations can establish an information sharing management structure appropriate to their enterprise size, resources and risk profile,” he added.
