HSCC Releases Updated Guidance On Information Sharing Best Practices

August 24, 2023 - The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued an updated version of its “Health Industry Cybersecurity Information Sharing Best Practices” guide (HIC-ISBP) to help healthcare organizations craft and maintain a cybersecurity threat information sharing program.

Originally published in March 2020 in partnership with the Health Information Sharing and Analysis Center (Health-ISAC) the document serves to address barriers to information sharing and guide organizations toward overcoming regulatory obstacles that may make information sharing a challenge.

The document is a companion to another recently updated publication known as the “Matrix of Information Sharing Organizations,” which provides healthcare organizations with a list of reputable information sharing entities.

The latest version of the HIC-ISBP includes a new information sharing category, called "Threat Defender Content and Resources Sharing,” as well as a section on information sharing as it relates to the European Union’s General Data Protection Regulation (GDPR) and updated case study examples.

While information sharing may seem daunting, participation can mitigate risk across the sector. Benefits mentioned in the document include improved security posture via situational awareness, crowdsourced cybersecurity expertise, and improved cybersecurity innovation. In addition, information sharing can foster trust and resilience across the healthcare sector, unifying it against the cyber threat actors that aim to target US healthcare entities.

“Threat intelligence is one of the most important data types to information-sharing programs,” the document stated.

“While some may believe that threat intelligence only includes information about malware, hacking techniques, and threat actors — threat intelligence data truly comes in a variety of forms and should encompass all risk vectors that could impact the healthcare industry, such as third-party risks, insider threats, cybersecurity risks, regulatory risks, and geopolitical risks.”

The guidance goes on to identify different groupings of threat intelligence and their values to healthcare, such as strategic intelligence, tactical intelligence, operational intelligence, and open-source intelligence. Healthcare organizations can use this breakdown to build up their internal information sharing programs.

“Information sharing programs, when done properly, produce significant benefit at low risk for the organizations that participate,” said Errol Weiss, chief security officer of Health-ISAC, in an accompanying press release.

“This document provides Healthcare and Public Health Sector (HPH) organizations with a set of guidelines and best practices for efficient and effective information sharing.” 

In addition to identifying the types of information sharing, the HSCC CWG provided detailed guidance on how to prepare for information sharing, who to share with, and how to navigate compliance with key regulations.  

Weiss noted that the HIC-ISBP “addresses real and perceived barriers to information sharing that are often found from laws, regulations, corporate policies or management support, and will help organizations work through these obstacles.”