A program by healthcare industry consortium HITRUST that enables healthcare stakeholders to collect and share cyber threat information has real value, several information security professionals say.

But some point out that the Department of Homeland Security this year created the Cyber Information Sharing and Collaboration Program, which operates a free threat-sharing service called Automated Indicator Sharing, or AIS.

Some fear that having two separate security analysis initiatives may not result in reductions in cyber threats.

David Holtzman, vice president of compliance strategies at security vendor CynergisTek, worries it may be counterproductive to have the federal program as well as competing proprietary threat sharing programs. There’s a risk that the initiatives might value exclusivity of information over widespread information sharing, and that the separate initiatives could begin limiting distribution of reported vulnerabilities only to their subscribers.

HITRUST, while offering a basic free threat-sharing platform, also has a proprietary subscription-based platform for organizations that want to share data across defined partners who decide who has access and who does not. Some organizations adopt the subscription service just to share data within the organization, says Daniel Nutkis, CEO at HITRUST.

Whether HITRUST or other entities compete with the federal program is immaterial, Nutkis says. HITRUST is part of numerous Homeland Security programs and is committed to share indicators inside and outside of its client base.

“We still let contributing organizations decide who has access to their indicators, but encourage them to share,” he says. The additional services available under subscription include tools to ease integration and facilitate greater use of threat data, he adds.

Kerry McConnell, a principal consultant at security firm tw-Security, also contends that competition should not be an issue. “There is no question that timely collection and analysis of indicators of compromise and timely actionable feedback can be very valuable across the healthcare industry,” McConnell says. “With more active participants, the usefulness only grows.”

McConnell finds health-centric programs such as HITRUST appealing because they may offer more value to industry participants, but notes that most participants don’t rely on any single source of threat data.

Healthcare attorney Howard Burde at Howard Burde Health Law in Ardmore, Pa., says HITRUST adds important new tools to the prevention of and response to cyber threats.

“Hopefully, the lessons from the IOC Collection project will help the healthcare industry stay one step ahead of the current threats.”

Attorney Linn Freedman at the Robinson & Cole law firm says she believes that healthcare stakeholders need all the help they can get. Banking and financial sectors have been sharing threat data among themselves for years, and it’s time healthcare got involved in such information sharing.

“We have recently seen how important it has been for healthcare entities to share with each other their experiences with ransomware, so others can prepare for the attacks and learn how to react to them and mitigate the damage,” Freedman says.

“Having real incident experience is such a powerful learning tool for others,” she adds. “We are all combatting these intrusions together, and if we can share and learn from each other, we will have a better comprehensive defense as an industry against these threats. I am a real fan of sharing individual experiences to help the whole.”

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access