HITRUST Piloting Threat Warning System
Collaborative Effort Aimed at Sharing Cyber Intelligence
The Health Information Trust Alliance, in collaboration with several healthcare-related organizations, has developed and is piloting an automated early warning system to share cyberthreat intelligence.
The new HITRUST Cyber Threat XChange, or CTX, which will be available for a yet-to-be-determined fee in January, aims to accelerate the detection of and response to healthcare cyberthreat indicators, says Daniel Nutkis, CEO of HITRUST, which is best known for its Common Security Framework. That framework is designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information.
HITRUST already makes threat information available through daily, weekly and monthly threat briefings from its HITRUST C3, a cyberthreat intelligence and incident coordination center, as well as in text communications that must be imported manually into security monitoring systems. Organizations can subscribe to receive the alerts. The monthly briefings are free. But the new CTX alert system will issue updates that can be automatically loaded into SIEMs, or security information and event management systems, Nutkis tells Information Security Media Group.
For instance, if HITRUST receives threat information from healthcare organizations or other sources, such as the Department of Homeland Security's U.S. CERT, about significant suspicious activity from a particular series of IP addresses, the alerts will automatically trigger a participating healthcare entity's SIEM to look for or block traffic coming from those addresses, he explains.
HITRUST is working with "eight to 10 major SIEM vendors" to incorporate this alert information, in a standardized format, into their systems for actionable response, Nutkis says. Additionally, for smaller or less mature healthcare organizations that do not yet have a SIEM system, HITRUST plans to make available a SIEM system that will support the alert information, he says. "We're looking at open source [SIEM] products to provide an environment" for this offering to smaller organizations, he says. While pricing hasn't been figured out, "we don't want it to be price prohibitive," he says.
"Organizations of all sizes are getting the same threat information, but it's a matter of resources to figure out what to do with it," he says. The new alert system aims "to help equalize the playing field in the industry."
Nutkis says the alert system won't remove all the manual work involved in responding to cyberthreats, but it will help automate and simplify threat response and mitigation. For instance, "Patching still needs to take place. This can't fix everything, but it will help to understand and more quickly respond to threats," he says. "We're trying to make threat response faster and easier."
HITRUST will also continue to send out text alerts that will provide "contextual" background to security professionals about the threats.
The organizations working with HITRUST in developing and piloting the advanced warning system include Express Scripts, FireHost, Health Care Services Corp., Highmark Health, Humana, Seattle Children's Medical Center, UnitedHealth Group, University of Rochester Medical Center and WellPoint. Each is testing the alert system with its own SIEM, he says.
"The biggest challenge we face is not knowing how to prioritize and act upon the growing list of cyberthreats - especially in healthcare organizations that are being increasingly targeted yet are often limited by smaller staffs or resources, and burdened with threat analysis and incident response," said Cris Ewell, CISO at Seattle Children's Hospital.
"HITRUST collaborating with different healthcare leaders shows the level of urgency and commitment to do this," says Curt Kwak, CIO at Proliance Surgeons, a surgical practice based in Seattle, Wash., which is not involved in the pilot effort. Kwak says the flood of threat information and intelligence that healthcare organizations receive can be overwhelming. "It's what you do with these alerts that will differentiate the successful groups from the not-so-successful groups. It will be a lot of data, and I'm also thinking there will be false alarms buried in true, critical alarms. ... So how would one filter and prioritize all the data they will be receiving?"
If the HITRUST alert system catches on, "there will be peer pressure" among healthcare sector organizations to make use of the services, or else risk being less prepared to deal with threats and face a greater risk of being victimized, says Kwak, who until June was CIO at the Washington Health Benefit Exchange, the Washington state health insurance marketplace under the Affordable Care Act.
But even if they use an automated system for cyberthreat awareness and response, CISOs and CIOs still need resources to follow up on threat mitigation, especially those that can't be automatically addressed through a SIEM system, Kwak says.
"These things don't happen overnight nor by magic. It takes a lot of hard work, collaboration and also organizations investing in people and in this strategy to make sure this works like it was meant to," Kwak says.
HITRUST says the CTX service will adopt and utilize the Structured Threat Information Expression (STIX), Trusted Automated eXchange of Indicator Information (TAXII) and Cyber Observable eXpression (CybOX) standards for transmission of information, and will also support information exchange in other formats to facilitate adoption and participation.
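To make concrete what the IP-address scenario above and the STIX/CybOX format mean at the SIEM end, here is an added example that is not HITRUST's code and not a real CTX message: it parses a constructed, trimmed STIX 1.x package whose CybOX Address observable carries a watchlist of source IPs, then matches those indicators against constructed firewall log lines the way a SIEM correlation rule would. The XML structure, the `##comma##` multi-value delimiter and the log layout are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

NS = {"cybox": "http://cybox.mitre.org/cybox-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2"}

# Constructed, trimmed STIX 1.x package with one CybOX Address observable;
# not an actual HITRUST CTX message.
STIX_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
   <indicator:Observable id="example:observable-1">
    <cybox:Object id="example:object-1">
     <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
      <AddressObj:Address_Value condition="Equals">203.0.113.7##comma##198.51.100.23</AddressObj:Address_Value>
     </cybox:Properties>
    </cybox:Object>
   </indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

def extract_ipv4_indicators(xml_text):
    """Collect IPv4 values from CybOX Address observables in a STIX 1.x package."""
    ips = set()
    for props in ET.fromstring(xml_text).iterfind(".//cybox:Properties", NS):
        if props.get("category") != "ipv4-addr":
            continue
        for val in props.iterfind("AddressObj:Address_Value", NS):
            # STIX 1.x joins several values in one field with the ##comma## delimiter
            ips.update(v.strip() for v in (val.text or "").split("##comma##") if v.strip())
    return ips

# Constructed firewall log lines standing in for a SIEM event stream.
SAMPLE_LOGS = [
    "2014-10-01T12:00:01Z fw01 ACCEPT src=198.51.100.23 dst=10.0.5.12 dport=443",
    "2014-10-01T12:00:02Z fw01 ACCEPT src=192.0.2.44 dst=10.0.5.12 dport=443",
    "2014-10-01T12:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.5.30 dport=22",
]

def match_logs(indicators, log_lines):
    """Return (source_ip, line) for every log line whose src= field is on the watchlist."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("src") in indicators:
            hits.append((fields["src"], line))
    return hits
```

A production SIEM rule would also carry the indicator's id and the package's source so analysts can judge the false-alarm question Kwak raises, rather than acting on a bare address match.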
The new alert system is the latest development from HITRUST in the organization's collaborative efforts to improve cybersecurity information sharing and response in the healthcare sector. HITRUST, along with the Department of Health and Human Services, is also planning to kick off this fall a second round of cybersecurity drills - CyberRX 2.0. The first drill in March was a two-day simulated cyber-attack exercise in which 12 organizations, including those in the pharmaceutical, insurance and provider sectors, participated (see How Healthcare Can Improve Threat Info Sharing).
The upcoming, free CyberRX 2.0 offering will expand the cyberdrills with a three-tier program that supports organizations of varying cybersecurity sophistication levels. The events will take place beginning this fall and run through July 2015; approximately 750 organizations have signed on to participate, HITRUST says.