Earlier this month, the Subcommittee on Cybersecurity and Infrastructure Protection of the Homeland Security Committee held a hearing to determine the value and effectiveness of the current engagement between the private sector and the Department of Homeland Security (DHS).
DHS wanted to see what made particular outreach efforts successful, and how the private sector was approaching cybersecurity.
HITRUST CEO Daniel Nutkis testified at the hearing, sharing how healthcare has worked with DHS on cybersecurity issues and what the industry is doing in terms of cyber information sharing and other cyber initiatives.
Nutkis highlighted three programs to show how DHS has successfully collaborated with healthcare for improving cybersecurity measures.
First, Nutkis discussed the Enhanced Indicator of Compromise (IOC) Program, which increased the number of unique IOCs HITRUST shares across healthcare organizations each month. Specifically, there was an increase from 186 unique IOCs in September 2015 to 5,158 in September 2016.
“Threat information sharing does not need to be limited to the largest organizations and that the scalable sharing of IOCs can be achieved throughout healthcare organizations of varying size, intelligence appetite, and the maturity of an organization’s security program,” Nutkis explained in his testimony. “The results of the Enhanced IOC Collection Pilot indicate that healthcare organizations can dramatically improve the timeliness, completeness, usability and volume of IOCs contributed to the HITRUST CTX by implementing the enhanced IOC criteria.”
Nutkis also pointed out the success of the Health Sector implementation guide for the NIST Cybersecurity Framework. The guide was developed by the Health and Public Health Sector Coordinating Council (SCC), Government Coordinating Council (GCC), HITRUST, and other sector members, including the DHS Critical Infrastructure Cyber Community.
The Sector Guide supports implementation of a sound cybersecurity program that addresses the five core function areas of the NIST framework to ensure alignment with national standards, help organizations assess and improve their level of cyber resiliency, and provide suggestions on how to link cybersecurity with other information security and privacy risk management activities in the Healthcare Sector. The Healthcare Sector leverages the HITRUST risk management framework, including the HITRUST CSF and CSF Assurance Program, as the sector's implementation of the NIST Cybersecurity Framework.
Finally, Nutkis reviewed Automated Indicator Sharing (AIS), and how HITRUST has worked with DHS to encourage the sharing of cyber threat indicators.
“The HITRUST CTX is fully integrated with AIS and supports bi-directional cyber threat indicator exchange to better aid organizations in reducing their cyber risk,” Nutkis stated. “AIS has the potential to facilitate the sharing of crucial cyber threat information from across organizations, corporations and federal agencies in real time.”
With cybersecurity threats on the rise, bi-directional integration with the AIS program will ensure relevant and timely information sharing, which in turn will strengthen the nation's overall infrastructure cyber posture, he maintained.
Nutkis also argued that the private sector must be considered an equal partner in creating strong and applicable cybersecurity measures.
“We appreciate and recognize that each industry has unique dynamics and challenges with regards to CTI sharing, in healthcare they include organizational size, technical maturity, medical devices and other control systems, but that doesn’t warrant interjecting another intermediary and certainly not one that regulates and has responsibility for fines and other financial penalties,” he explained.
Cyber information sharing has been, and will continue to be, an essential aspect of HITRUST's approach to cybersecurity and cyber risk management, Nutkis concluded. Information sharing is just one small piece of the larger puzzle of an organization's risk management program.
“HITRUST continues to develop innovations such as the Healthcare Sector Cybersecurity Framework Implementation Guide, and enhance its security and privacy framework and assurance programs,” he said. “We value the partnership of DHS in these efforts and look forward to their continued support.”