Last week, The Information Sharing and Analysis Organization Standards Organization (ISAO SO) released several documents on cybersecurity information sharing guidance, focusing on cybersecurity risks, incidents, and best practices.
One document in particular, ISAO 300-1, could have specific ramifications for healthcare cybersecurity sharing as it discusses privacy and security aspects of cybersecurity risk.
“This document describes a conceptual framework for information sharing, information sharing concepts, the types of cybersecurity information an organization may want to share, ways an organization can facilitate information sharing, as well as privacy and security concerns to be considered,” explained a document summary.
Along with discussing basic concepts of cybersecurity information sharing, the document highlights the makeup of a potential cybersecurity information sharing program for those considering forming a new ISAO. It also discusses how to update existing ISAOs.
The following are also important steps to consider when sharing information, according to the document:
- Provide a platform for and facilitate member sharing
- Implement and manage technology that gathers information
- Subscribe to a third-party service providing threat intelligence feeds
- Collect, aggregate, and disseminate open-source reporting
- Collect, aggregate, and disseminate reporting from partner organizations
However, information privacy and security cannot be overlooked.
“At a minimum, privacy considerations should include the individual members of an organization, the privacy of any individuals whose data may be included in cyber threat indicators to the extent provided by law, and a full range of other constituencies, customers, and individuals,” the document stated. “To adequately protect privacy while accomplishing the goals of an ISAO, it is important for the ISAO to provide guidance to members, participants, and ISAO staff that will be helpful in striking a balance between allowable sharing of cyber threat information and protecting privacy.”
The other documents released by ISAO SO included an overview of ISAOs, guidelines for establishing an ISAO, and one addressing federal laws and regulations that relate to ISAOs.
Rick Lipsey, Deputy Director of the ISAO SO, said in a statement that the publications should help build a large information sharing ecosystem.
“However, they are just the beginning,” he added. “The ISAO SO is helping the community to evolve a consensus-based corporate body of knowledge. We anticipate updating and expanding these guidelines based on feedback from their implementation.”
Over 160 experts from industry, government, and academia helped contribute to the documents, explained Executive Director of the ISAO SO Dr. Greg White. The public also added some feedback and input, he said. Comments and feedback were submitted to Working Groups from public online meetings, in-person public forums, and Request for Comment periods for previous drafts.
“The issues of cybersecurity and the threats to our nation and the global economy require the sharing of information in ways that ISAOs will be well suited to accomplish,” ISAO SO Advisory Partner Brian Engle said. “As the leader of a sharing organization that formed almost two years ago, I can say that the considerations provided by these initial guidelines will be extremely helpful in supporting the success of forming ISAOs, and the continued work of the ISAO SO will be pivotal in the development of the cybersecurity information sharing ecosystem.”
Healthcare cybersecurity information sharing has been a key issue recently, especially with the Cybersecurity Information Sharing Act passing late last year. The legislation was designed to help industry professionals connect via a network so that they can better exchange information when it comes to potential cybersecurity threats.
In September 2016, the Healthcare Information and Management Systems Society (HIMSS) responded to a National Institute of Standards and Technology (NIST) request for information and said that health IT will play an important role in improving overall healthcare cybersecurity measures.
HIMSS said that there needs to be more outreach to healthcare when it comes to cyber threat information sharing with information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs).
“Healthcare organizations need to improve their baseline security,” the letter explained. “Many organizations still have a reactive stance towards cybersecurity. Healthcare organizations can improve their security posture by adopting and implementing a framework, such as the NIST Cybersecurity Framework.”