As cybersecurity threats continue to evolve, healthcare information sharing can be a boon to organizations of all sizes. Industry stakeholders can learn best practices and see how others in the sector are working to prevent data security issues.
Healthcare critical infrastructure is one specific area that can be strengthened with information sharing, HIMSS Director of Privacy and Security Lee Kim, JD, CISSP, CIPP/US, FHIMSS, noted in a recent blog post.
“Information sharing is useful for all types of incidents and threats,” Kim wrote. “Whether there is a threat of something actually occurring or an incident has actually occurred, both threats and incidents have indicators to help determine what has occurred (in the case of an incident) or what may occur (in the case of a threat).”
For healthcare specifically, Kim explained that information sharing can take place within a single organization, across the sector, or between several critical infrastructure sectors and industries.
Furthermore, healthcare information sharing can include data on insider threat incidents and cyber threat incidents, such as incidents stemming from a cyber attack.
Staying ahead of potential threats will also be key, Kim pointed out. A threat exists when there is potential for an incident to take place, while an actual data security incident means something has already occurred. For example, a hospital that finds outdated or unpatched software faces a threat of a cybersecurity attack; detecting that threat early could prevent an actual data security incident from happening.
“DHS defines a threat as a natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property,” she stated. “An incident, according to DHS, is an occurrence, caused by either human action or natural phenomena, that may cause harm and that may require action.”
HIPAA regulations also specify when an actual PHI data breach has taken place.
“A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information,” HHS states on its website. “An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment…”
Understanding the difference between a threat and an incident is important for healthcare, Kim added. There are also several factors to consider when creating or enhancing an information sharing plan.
For an incident, organizations should know what happened, how it was discovered, what the loss, harm, or damage was, and what proof exists that the incident occurred. The right team members should also be involved, she stressed.
“If a cybersecurity incident has occurred, be sure to involve your information technology (“IT”) security officer,” Kim wrote. “This individual will be able to understand, communicate, and/or investigate the security incident at a technical level.”
“Of course, some cybersecurity incidents necessarily involve privacy issues (e.g., root cause of an incident, potential breaches of patient information, etc.), so be sure to involve your privacy officer, as appropriate,” she continued.
A healthcare information sharing culture should be encouraged, Kim explained. Otherwise, incident communication could be delayed, which could bring further harm to an organization.
Good information sharing is good for privacy and security in healthcare organizations, she concluded. This is a necessary practice to protect both the entities themselves as well as their patients.
“Information sharing matters because we all need to be aware of what is going on and understand the consequences of what may occur,” she said. “We all can be the eyes and ears of an organization. In addition, we can be gatekeepers, in the sense of assisting our organizations in responding to incidents as soon as they occur.”
The AHA also stressed the need for more information sharing, along with greater law enforcement involvement, in a statement submitted to members of Congress earlier this year.
Law enforcement agencies should be given more resources to proactively share information, the AHA said in a letter to members of the House Energy and Commerce Subcommittee on Oversight and Investigations for a hearing on public-private partnerships in healthcare cybersecurity.
Healthcare is participating in information sharing to encourage stronger cybersecurity measures, but more law enforcement aid is needed, the AHA explained.
The Nation’s Healthcare and Public Health Information Sharing and Analysis Center (NH-ISAC) and the Health Information Trust Alliance (HITRUST) provide information sharing opportunities, the AHA pointed out. Furthermore, the Cybersecurity Act of 2015 encourages information sharing between private sector and federal government entities.
“With that said, the increased information sharing is not yet a reality, and expedited and tailored cyber threat information sharing from the federal government would benefit all health care and public health organizations,” the AHA wrote. “Providers most need actionable information that identifies specific steps they can take to secure against new threats.”