NH-ISAC Offers Cyber-Intelligence Tool
Aims to Bolster Threat Information Sharing
The National Health Information Sharing & Analysis Center is making available for free to its members a new intelligence platform that aims to help ease cyberthreat information sharing.
The introduction of the new NH-ISAC Threat Intelligence Platform comes as another healthcare industry organization, the Health Information Trust Alliance, is also gearing up to release a previously announced cyber-alert system for the sector in January (see HITRUST Piloting Threat Warning System).
NH-ISAC says its platform uses technology from security vendors Soltra Solutions and Vorstack, and leverages standards such as Structured Threat Information eXpression, or STIX, and Trusted Automated eXchange of Indicator Information, or TAXII.
The platform enables NH-ISAC and its members to communicate back and forth about threat information, and also enables members to share threat information with each other, says NH-ISAC Executive Director Deborah Kobza.
"We expect this platform will provide our members with greater and earlier insight into new attack patterns, whether it is social engineering, spear phishing, or malware," Kobza explains. Looking ahead to 2015, "we expect the attack vectors to evolve and become increasingly targeted in an effort to extract information, so it is necessary to use tools which allow you to identify incidents quicker and with the higher level of confidence that comes from shared threat intelligence," she says.
NH-ISAC Chairman Jim Routh, who is CISO at health insurer Aetna, says the NH-ISAC cyber intelligence platform is based on a healthcare-specific version of Soltra Edge, which is being promoted by the Financial Services ISAC, of which Routh is also a member. What makes the NH-ISAC offering different is that it also uses technology from Vorstack, enabling NH-ISAC members to share threat intelligence and indicators directly with each other from their security information and event management, or SIEM, systems.
NH-ISAC is leveraging its version of Soltra Edge in the cloud, providing STIX/TAXII-based intelligence feeds to NH-ISAC members, Kobza explains. "Our Soltra Edge [version] will be populated on an ongoing basis with a wide variety of threat intelligence we believe will be of value to members of the healthcare community."
Additionally, Vorstack is providing technology that NH-ISAC members can use to automatically accept threat information feeds, as well as facilitate the sharing of threat indicators with other members, she says.
Information Sharing Hurdles
NH-ISAC's new cyber intelligence platform aims to help make information sharing among members of the healthcare sector more efficient, Kobza says.
"Today, information sharing is either a highly manual effort or you have to offer your information up to a third party who then distributes it, presumably on your behalf," Kobza says. "The platform we are providing our members allows them to automate their cybersecurity information sharing leveraging structured formats compliant to STIX and TAXII. Members can leverage the intelligence according to their security policies and with peers, per their authority and designation."
NH-ISAC members also will be able to leverage their own SIEM platforms through the Vorstack technology to determine if any threat indicators exist within their information security environment, she adds.
The organization has about 148 members, including large hospital systems and pharmaceutical firms, Routh says.
"We need to be doing more to work together to share information that can improve the overall resiliency of the healthcare sector, particularly as the threats themselves continue to evolve," Kobza says. "It's our belief that this platform will allow members to both easily consume threat intelligence as well as provide a secure platform to exchange identified threat indicators among their peers."
The NH-ISAC platform is similar in some ways to a new early warning system that will become available in January from HITRUST, called HITRUST Cyber Threat XChange, or CTX. However, while NH-ISAC's platform is offered only to its members, the HITRUST CTX will be available, for a fee, to any organization in the healthcare sector.
Daniel Nutkis, CEO of HITRUST, says NH-ISAC's cyber intelligence platform generally sounds "more focused on information sharing," while the HITRUST CTX aims to use intelligence from "known contributors" and sensors, then disseminate analyzed threat intelligence to other healthcare sector organizations so that it's "automatically consumable and actionable in an efficiently and expedited way."
HITRUST is working with about 10 major SIEM vendors to incorporate CTX alert information in standardized format into their systems for actionable response, he says.
When it comes to healthcare sector intelligence sharing, HITRUST has found that only about 4 percent of organizations are "contributors" while the other 96 percent are "consumers," Nutkis says. That's mainly because the large majority of healthcare organizations simply do not have resources or the information security program maturity level needed to analyze and share threat information that comes into their environments, Nutkis says.
HITRUST also offers daily, weekly and monthly threat briefings through its HITRUST C3, a cyberthreat intelligence and incident coordination center, as well as in text communications that need to be imported into security monitoring systems.
Curt Kwak, CIO at Proliance Surgeons, a surgical practice based in Seattle, Wash., says cyberthreat intelligence sharing in healthcare "should be an extremely high priority item because the cost implications in healthcare breach is significant."
Kwak, who until June was CIO of the Washington state health insurance exchange under the Affordable Care Act, notes: "I don't think there's a silver bullet to cyberthreat mitigation other than staying alert, stay ahead of the trend curve and continue to solidify your perimeter with processes and technologies."
The key to improving overall healthcare sector cyber-intelligence sharing, Kwak says, is "continued effort toward industry standards and streamlining the way we do things, and also the way infrastructures are architected with the most up to date technologies and know-how would be the key."