Cyber Info-Sharing Guide for Healthcare Sector Updated
Sector Urged to Broaden Information Sharing Beyond Traditional Indicators
Public-private cybersecurity councils urged the healthcare industry to be more expansive in sharing signs of hacking, warning that traditional indicators aren't enough to defend against modern cybersecurity threats.
The U.S. federal government has proselytized information sharing among critical infrastructure sectors as an antidote to hacking for more than a decade now. Two organizations set up to smooth the way for tighter collaboration within the health sector and with the government now say information sharing must go beyond indicators of compromise and attack tactics, techniques and procedures.
The Health Sector Coordinating Council and Health Information Sharing and Analysis Center in newly revised guidance say that fending off hackers requires additional shared data such as SIEM rules and automated response playbooks.
Traditional indicators are critical to proactively mitigating attacks, the guide, published Aug. 22, says. Still, "modern cyber security programs are expanding the scope of information sharing by including threat defender and defense content and resources." The guide, the Health Industry Cybersecurity Information Sharing Best Practices, updates an earlier version published by HSCC and H-ISAC in March 2020.
"People don't understand what's useful to share, and there's often resistance inside organizations to share - especially when incidents happen - because they fear the information might be harmful if it became public," said Errol Weiss, chief security officer of H-ISAC and co-chair of the HSCC task group that developed the document.
The updated guide walks through those challenges and provides specific recommendations on how to overcome these common obstacles, he told Information Security Media Group.
Other new additions include a section on information sharing protections related to the European Union’s General Data Protection Regulation and recent intelligence sharing case studies.
That includes a situation earlier this year when a pro-Russian hacktivist group targeted dozens of healthcare entities for distributed denial-of-service attacks.
The guide describes how a health sector organization on Jan. 27 observed on messaging platform Telegram that a KillNet associate, KillMilk, had a list of hospital organizations it was planning to hit with denial-of-service attacks. That list quickly made its way to information-sharing organizations, which in turn warned the targeted hospitals and the sector at large (see: HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals).
"DDoS attacks began taking place on the day the adversary specified, Jan. 30, but were successfully mitigated through rapid sharing of indicators of compromise pertaining to the KillNet infrastructure, targeted alerts sent from the information-sharing community to organizations present on the list, and sharing best practices with the sector at large," the revised document says.
The HSCC also recently issued a companion resource to the updated HIC-ISBP document. That new guide, Matrix of Information Sharing Organizations, identifies and describes for the healthcare and public health sector numerous information-sharing organizations and their key services.
Those groups range from healthcare industry-specific cyber info-sharing organizations - such as H-ISAC, the Health Information Trust Alliance, and the Department of Health and Human Services' Health Sector Cyber Coordination Center - to broader cross-sector organizations, including the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the FBI's InfraGard.
Federal authorities are also touting the importance of healthcare sector entities participating in cyberthreat intelligence-sharing activities.
Those include info sharing between healthcare industry organizations, the security intelligence community, researchers and international law enforcement partners, as well as U.S. government agencies, such as CISA, said the agency's deputy director, Nitin Natarajan, during a keynote address at the ISMG healthcare security summit in New York in July.
CISA has made hundreds of notifications so far this year to the healthcare and other sectors, he said.
"If we know that an adversary has essentially dropped a payload onto somebody's network, we're able to call them and say, 'Somebody's on your networks. We've seen indicators of compromise. These are steps you can take to evict that adversary before they lock up your network,'" he said.