Industry stakeholders recently met at a Subcommittee on Oversight and Investigations hearing on how to improve healthcare cybersecurity. Stronger healthcare information sharing was underlined as a key factor in strengthening the public-private partnership.
Greater coordination and leadership are necessary to overcome the increasingly sophisticated cyber threats.
Chairman Tim Murphy stressed that healthcare “has long struggled to coalesce around the public-private partnership model, especially with respect to cybersecurity.”
“Cybersecurity incidents can result in life or death situations if a medical device is hacked, or an attack shuts down a hospital’s computer systems,” Murphy said in his opening statement. “Cybersecurity is a collective responsibility and that is why it is imperative that this sector find a way to come together to find a sustainable path forward.”
National Health Information Sharing and Analysis Center (NH-ISAC) President Denise Anderson called on Congress to encourage more education about, and facilitation of, information sharing, and to put stronger protections in place for the information that is shared.
“One of the greatest challenges for the NH-ISAC and all ISACs is the lack of awareness amongst the critical infrastructure owners and operators, particularly the smaller owners and operators, that the ISACs exist and are a valuable tool,” Anderson explained. “Numerous incidents have shown that effective information sharing amongst robust trusted networks of members works in combatting cyber threats.”
Anderson added that a mature cyber risk management strategy is a category under the Identify function, one of the five core functions of the NIST Cybersecurity Framework. External communications and coordination around cybersecurity threats, response, and best practices are critical to that risk management strategy.
“In other words, membership in an ISAC or ISAO is an essential element of a successful cyber risk management strategy,” she stated. “Likewise, the most recent draft of the White House cybersecurity executive order calls for an assessment of how government can support critical sectors’ cyber risk management programs.”
Anderson also noted that “confidential information shared amongst the members of an ISAC should be considered protected information and not subject to disclosure.”
The confusion between the ISAC definition and the ISAO definition must also be eliminated, she continued.
“ISACs offer several vehicles to share effective techniques and practices for preventing, detecting and managing cyber security risk that are often unconventional controls (definition: controls that are designed and implemented independent of any risk framework, standard or regulatory guidance),” Anderson clarified. “ISAOs don’t offer vehicles for this type of sharing.”
Finally, Anderson said that cybersecurity professionals should be established as Sector-Specific Agency (SSA) liaisons. Government representatives who understand cybersecurity issues, threats, vulnerabilities, impacts, and the blended threats that span physical and cyber security are necessary.
“Having an established, clear government ‘go to’ lead in this area is imperative to strengthening the partnership and improving the overall cyber security posture of the health and public health sector,” she stated.
Overall, Anderson maintained that healthcare information sharing needs to be voluntary, industry driven, actionable, timely, and relevant, as well as bi-directional and collaborative.
The government can aid information sharing by encouraging owners and operators of critical infrastructure to join their respective sector ISACs and by offering financial incentives (e.g., tax breaks) for owners and operators to join ISACs.
Furthermore, the government can do the following, she said:
- Recognize ISACs and the unique operational role that they play in critical infrastructure protection and resilience
- Protect information sharing by ensuring confidential data shared amongst members is protected from disclosure
- Place strong, defined and permanent cybersecurity liaisons and leadership within the SSAs to advocate the public private partnership when it comes to cyber matters
Information sharing is designed to “create situational awareness” so risk-based decisions can be made, Anderson explained.
It should also “allow operational components within owner/operator organizations that have direct actionable control over the content they are sharing, to perform an action.
“The focus needs to be on enhancing the ability of operational groups to work closely with each other.”