Healthcare Industry Now Sharing Attack Intelligence

Published: 22/11/2024   Category: security




New HITRUST Cybersecurity Incident Response and Coordination Center lets healthcare organizations, U.S. Department of Health and Human Services swap information, forensics from firsthand attack experiences, other threats



Large healthcare organizations and the U.S. Department of Health and Human Services (HHS) have banded together to share attack and threat intelligence in a new incident response and coordination effort established specifically for their industry.
The Health Information Trust Alliance (HITRUST) today announced the launch of the new HITRUST Cybersecurity Incident Response and Coordination Center as a go-to online community for helping spot cybersecurity attacks against healthcare organizations and coordinating incident response to threats and attacks. "We [all] started to see, eight to 12 months ago, an uptick in more focused attacks or attempts against healthcare systems coming from around the world," says Roy Mellinger, CISO at WellPoint, one of the 15 founding participants in the new cybercoordination center. "We needed something to help us protect our data," so the center is a crucial resource, according to Mellinger.
Attacks against healthcare organizations are becoming more targeted and focused, he says. And the bad guys are going after Web portals and healthcare applications as their point of entry, he says, rather than their previous M.O. of hitting the perimeter. "We've seen a change in tactics, and it has us responding," Mellinger says.
Healthcare is one of several industries now to have its own intel-sharing mechanisms to help combat cybercrime and cyberespionage. The financial services and defense industrial base sectors have been doing so for some time, and there are regional approaches, such as the FBI-led InfraGard association of local businesses, academic institutions, and state and local law enforcement agencies that share attack and threat information.
Data breaches in healthcare jumped more than 30 percent last year and could be costing the industry an average of $6.5 billion a year, according to a recent Ponemon Institute study. Hospitals and healthcare providers suffered an average of four data breaches in the past year, the report found, and employee error was one of the main reasons for breaches. The increase in breaches may in part be due to better detection capabilities, however, noted Larry Ponemon, chairman and founder of the Ponemon Institute.
Another recent study of small healthcare practices by Ponemon was even more disturbing: Ninety-one percent of small healthcare providers in North America with 250 or fewer employees said they had suffered a breach in the past 12 months.
"There are certain types of attacks targeting healthcare, be it a children's hospital that has a set of new and fresh SSNs, or health plans with electronic payments," says Dan Nutkis, CEO at HITRUST, a healthcare industry group that also offers a framework for the creation, access, storage, and exchange of personal health and financial information. "So [at first] we decided we would informally facilitate collaboration, but we found it very complicated. Very few organizations in the whole industry have the skill set to know what to do with the information, such as indicators of compromise," he says.
Nutkis says it made more sense to focus on early warning efforts for large healthcare organizations, and then that information ultimately can be massaged and packaged for smaller healthcare groups as well. So with help from HHS, HITRUST built the new portal that helps organize intelligence and threat information among participants.
HHS is among the 15 healthcare organizations currently sharing security incident information, as are UnitedHealth Group, Baylor Health Care System, Dignity Health, and Humana. The information-sharing tools in the portal allow the agency and the companies to share that information confidentially and anonymously.
[Major global businesses are calling for better intelligence- and information-sharing among themselves and other organizations hit by cyberattacks in order to better fend off the bad guys and protect themselves from breaches, but a universal model for doing so remains elusive. See Victim Businesses Teaming Up To Fight Cybercriminals.]
While threat intel-sharing is a major goal for many organizations today to work more as a team to fight cybercrime, collaboration isn't so simple. "Human trust is a fundamental prerequisite to enable the exchange of threat intelligence information. And it does not scale well," notes Jacques Francoeur, chair of the Bay Area Council Threat Intelligence Sharing Committee.
There also are major technology challenges, as well as what to do with the intelligence you get from your counterparts, he says. "There are technology issues related to how you structure threat indicators, deidentify the source, share them in an automated manner, and control the usage and access of the data. There are issues of trust related to the source of the information and, until that is in place, receivers of information will be reluctant to redirect resources based on that information. There are large differences in the maturity of different organizations to even understand how to leverage the information," Francoeur says.
"For example, how does near real-time threat and capability intelligence change an organization's security strategy? Is it prepared to dynamically adapt and redirect security resources based on this intelligence?" he says. "It is not only about how to collect and share the information; it is what to do with it once you have it."
Kevin Charest, director and program manager at HHS's incident response center, says HHS is providing nonclassified attack information, such as indicators of compromise for specific attack campaigns. "It's kind of outreach and information-sharing," Charest says. "If we've developed an IOC around a particular set of intrusions, we can say, 'Here's some [threats] to point your tools at.'"
The hope is that this intelligence gathered and coordinated among the big healthcare organizations will ultimately trickle down to small practices that don't have the resources and expertise. "The larger organizations do touch a large percent of the market, so you have that kind of trickle-down," Charest says.
HITRUST's Nutkis says the new healthcare intel-sharing portal is basically a centralized vehicle for information dissemination, and includes information from outside sources, such as US-CERT. He says he doesn't expect participants to report each and every incident they experience, however.
"We don't anticipate all incidents will be reported to us. Some internal events don't support huge collaboration," he says. The center will not only alert participating healthcare organizations of threats and attacks, but also help with coordinating response and best practices.
The center will also provide threat information to the healthcare industry overall.
What makes healthcare unique when it comes to threats is that there are so many interactions among various healthcare organizations, plus there are so many points of entry for a breach. "Most individuals only bank with one or two banking entities ... but in healthcare, you go to primary providers, dentists, specialists, eye doctors, and pharmacies: It's a one-to-many relationship," WellPoint's Mellinger says. And each of these needs to exchange information with additional parties, doctors with hospitals and X-rays, MRIs, and payers.
That data flow is unique, and with it does come some risk of that data somewhere along the way being compromised, experts say.
Meantime, WellPoint is using the intel it gathers from other healthcare providers to update its sensors and other defenses to deflect the latest attacks, according to Mellinger. "We can share IP addresses where the origination or source of an attack may come from and share our forensic results in a redacted and sanitized form," he says.
And healthcare organizations can also collaborate one-on-one if they need to drill down for more specifics about an attack, for example, he says. "If I have a colleague with a similar problem and we cooperate [offline], it can benefit both of us," Mellinger says.