The National Health Information Sharing and Analysis Center (NH-ISAC) constantly stresses the need for threat intelligence sharing in the healthcare sector, especially as cybersecurity threats grow increasingly sophisticated.
Healthcare has been called upon to embark on a fairly rapid mobilization as a sector, both technologically and structurally, to be able to deal with ever-evolving cyber threats, explained Healthcare and Public Health Sector Coordinating Council (HSCC) Executive Director for Cybersecurity Greg Garcia.
It’s only recently that healthcare has become such a target, he explained, and the sector has had to mobilize pretty quickly.
NH-ISAC is a member of the Council, and HSCC and NH-ISAC are effectively two sides of the same critical infrastructure and protection coin, he told HealthITSecurity.com.
“At a more strategic level in the sector council we are recognizing that we have a responsibility to the sector and to our customers, the patients, that we have to recognize those cross sector interdependencies and work together to solve some of the problems,” he said. “All of this is really on a fairly rapid growth trajectory in terms of awareness and activity.”
In March 2018, NH-ISAC and Anomali announced they were partnering to help strengthen secure healthcare data sharing by providing better infrastructure and cybersecurity collaboration options.
A critical component of any cybersecurity risk management program is to have timely and actionable intelligence about threats and vulnerabilities in the environment, Garcia stated. Additionally, organizations need to have that in their own systems and be able to actually act on that intelligence.
“NH-ISAC, as its name says, is an information sharing and analysis center,” he explained. “These companies joined because they recognize that there is strength in numbers, and the principal motive is that none of us individually is as smart as all of us collectively.”
“If we’re not serving in that ‘neighborhood watch’ as it were, we’re not going to be able to see around the corner if someone is coming at us.”
The Anomali platform is critical to that approach because many healthcare providers have limited resources for collecting, analyzing, and making sense of cybersecurity threat data, Garcia said. Whether at a technical or contextual level, entities do not always know what to do with the information and may not be able to digest it all.
“The Anomali platform helps our members automate the flow of information and then correlate it in a way that makes sense of it, analyze it, and then distribute it across a trusted circle of member organizations who can provide their own feeds,” he explained.
“You feed in and you take out,” Garcia continued. “The end result is a much richer and actionable set of intelligence that’s going to help us reduce our attack surface, help us reduce the threats and the vulnerabilities, and create actual improvements and response.”
Threat intelligence sharing is a critical tool for healthcare organizations, especially with the current state of cybersecurity, he stressed.
Healthcare has a number of sub-sectors. There are the providers like hospitals and family practices, but there are also medical device makers, pharmaceutical companies, payers, and insurance companies.
“One of the common elements across the sub-sectors is personal health data,” Garcia pointed out. “What we need to be doing across all of the sub-sectors within healthcare is to be sharing intelligence about those kinds of threats and attacks that are trying to get at that personal health data.”
Personal health data is very rich in information, he said. Medical history, payment information, date of birth, credit card information, and a variety of other details are all connected to it, and all of them are valuable on the dark web and in the black market, Garcia stated.
“It’s a common need among all healthcare providers to protect personal health data,” he said. “From there it moves out into other areas like medical device security.”
“How do we ensure that there are not malware, viruses, or other threats that can compromise the functioning of a medical device that is providing patient care or life support?” Garcia continued. “Then we move out from there to pharmaceutical companies that have patents and research into clinical pharmaceuticals and drugs for healthcare. They want to be able to protect that intellectual property from theft.”
There are many different touch points that are vulnerable to attacks, but all of those organizations are interconnected, Garcia posited.
“It’s a value chain of information,” he said. “When I go to the doctor, the doctor orders me a prescription. I take the prescription to the pharmacy, and the pharmacy submits it to the insurance company. All of these are touchpoints in the value chain of healthcare delivery that have to be protected.”
“We need to be doing that together,” Garcia added. “We need to be doing that collaboratively and in an interdependent, interconnected way.”
That collaborative protection is the essential point of information sharing: no individual sub-sector in the healthcare industry can do it alone, and if any tries, the adversaries will get ahead.
Create a comprehensive approach to healthcare cybersecurity
The Council is trying to ensure that healthcare has a cross-disciplinary membership of people who deal with longer-term strategic concerns. This includes public policy, regulatory and compliance issues, legal, privacy, and government relations.
All of the healthcare stakeholders are convening in the sector council to think about how they can work better with the government and how they can share information better with the government. Additionally, stakeholders want to know how they can get the government to give them more timely and relevant information.
Cybersecurity regulations and regulatory structures that hang over the healthcare sector are well-intentioned and necessary, Garcia admitted. However, there are instances where different regulatory requirements conflict with one another, or overlap and duplicate each other, which can make it more difficult for healthcare providers and others to do the necessary mitigation.
“They’re responding to too many audits and conflicting sets of questions about how cyber secure they are, when it’s really distracting from the mission to protect data and infrastructure,” he said.
“We look at things like regulatory uniformity,” Garcia continued. “We look at longer term issues like workforce development. How do we get more cybersecurity talent into the healthcare sector?”
Employee training is also essential for comprehensive healthcare cybersecurity. Workforce issues often include finding the right way to train doctors, nurses, clinicians, and others who are not cybersecurity professionals to know when and how to do the right thing to keep data secure.
The NIST Cybersecurity Framework is a great way for organizations in numerous sectors to apply the best cybersecurity program for their operations, Garcia suggested.
“Every industry sector has unique circumstances, unique business models, threat profiles,” he said. “It’s important for each of these sectors to look at the NIST Framework and try to map that framework to the specific needs of the sector, to tailor it.”
“That’s particularly important for the small- and mid-sized community and regional healthcare providers, hospitals, family practices that don’t have the resources or don’t really understand cybersecurity.”
The larger, well-resourced, and sophisticated companies tend to have the set of tools to implement the NIST CSF in a way that’s cost-effective and scalable, Garcia stated.
“But the sector coordinating council is here in part to try to drive best practices as broadly as possible across the sector,” he explained. “The more hospitals and companies that are implementing sound cybersecurity practices, the better all of us are collectively. We’re trying to create more, better security across the ecosystem. The best way to do that is by getting some uniformity into how we manage our cybersecurity.”
Working with the government for stronger cybersecurity is an ongoing challenge, Garcia said. Drawing on his previous work at the Department of Homeland Security, he explained that the government deals with a lot of classified information that is collected from the intelligence community.
“How do we translate classified information into something that the actual stakeholders like hospitals, banks, or electric companies can take and operationalize and protect their networks?” he stated. “There are still many in the government who are of the mind that information is about ‘need to know,’ and for us it’s about need to share. We’re making a lot of strides in that area and the Department of Homeland Security certainly is doing that.”
Overall, though, information sharing continues to improve, he added. For example, the Healthcare Cybersecurity and Communications Integration Center (HCCIC) has been an important step forward in that regard.
The government needs to realize that more regulation is not better, but rather that smart regulation is better.
“Resilient regulation is better because we are dealing with an industry that is in constant change, both technological change and changes in business models,” Garcia explained. “If we’re going to be able to protect that infrastructure and that business model we need to have a regulatory structure that’s as resilient as the technological innovation that’s driving it. That’s hard to do.”
It’s important to find the balance between the government’s authority and responsibility for ensuring patient safety, security, and privacy, and the private sector’s need to protect those systems. The government must allow the private sector to do what it needs to do and not encumber it with too much regulation.
“As long as we continue to have these ongoing engagements with the government under this partnership structure that we do, then it leads to mutual understanding and joint initiatives to try to improve the environment,” Garcia concluded. “Everybody recognizes their roles and responsibilities here. As long as we stay at it, we’re making progress.”