Healthcare Cybersecurity Info Sharing Resource Unveiled
Co-Creator Describes How to Use New 'Cybersecurity Matrix'
A new resource designed to help healthcare organizations of all sizes engage in cybersecurity information sharing is now available. Co-creator Errol Weiss describes how to use it.
The Health Industry Cybersecurity Matrix of Information Sharing Organizations was recently released by the Healthcare and Public Health Sector Coordinating Council, a public/private collaborative for improving cybersecurity in the healthcare sector.
The new matrix provides an inventory of national cybersecurity information sharing organizations and resources for the healthcare sector, Weiss, who is co-chair of the task group that created the resource, explains in an interview with Information Security Media Group.
The resource addresses a key imperative about the need for the healthcare sector to improve cyber information sharing that was included in a 2017 report by the Healthcare Industry Cybersecurity Task Force, an advisory group for the Department of Health and Human Services (see: HHS Publishes Guide to Cybersecurity Best Practices).
Responding to Cyberthreats
The matrix includes a description of more than 25 cybersecurity information sharing organizations and their services.
"These information sharing and analysis centers started as a resource for peer organizations to better protect themselves from cyber incidents, and they've evolved over the years to include other kinds of cybersecurity information, including threats and vulnerabilities and best practices," Weiss says.
While some of these information sharing organizations "broadcast" information about cyberthreats, other organizations are "more collaborative," he says. For those that take a collaborative approach, members contribute incident information and peer experts weigh in with analysis and recommendations for how entities can protect themselves, he notes.
When there's a new vulnerability or other development, Weiss says, these organizations "can ascertain the threat level and criticality of a particular issue and how quickly organizations should react to it. We can take that information and share it in aggregate with the rest of the membership to help others understand how serious an issue is and how they should react to it."
One of the key objectives of the new resource is to better engage smaller healthcare organizations in cybersecurity information sharing activities - especially those that don't have "a sophisticated threat intelligence organization," Weiss points out.
In the interview, Weiss also discusses:
- The importance of cybersecurity information sharing related to medical devices;
- Lessons that the healthcare sector can learn from information sharing in the financial services sector;
- Planned updates to the new matrix, and other cybersecurity information sharing resources.
Weiss, the new CSO at the Health Information Sharing and Analysis Center, has more than 25 years of experience in information security. He worked at the National Security Agency, conducting vulnerability analyses and penetration tests of highly classified U.S. government systems. He also worked at consulting firms delivering information security services. At Citigroup, he created and ran the company's cyber intelligence center. Weiss also was a senior vice president with Bank of America's global information security team. During his time at Citi and Bank of America, Weiss was a user of FS-ISAC, which he helped launch. He also served on the FS-ISAC board of directors for six years.