Health industry responding to info-sharing imperative

Less than two weeks after hackers stole personal data belonging to more than 80 million Anthem Inc. customers — one of the largest data breaches to ever hit the health care industry — the companies that make up the industry’s two main information sharing and analysis centers are beginning to take steps to improve their ability to get actionable and timely cyber intelligence into the hands of those who need it.

The Health Information Trust Alliance, known as HITRUST, which was criticized for limiting its initial Anthem hack risk assessment to its own member companies and for not issuing an industrywide alert, announced Monday it is beefing up the content and enhancing the format of its free threat briefings.

The briefings and analysis contained in the HITRUST Cyber Threat XChange (CTX), will now focus more on emerging threats, threat actors, motives, methods, lessons learned and the HITRUST-developed common security framework controls most affected by recent cyber threats. The revised format will include direct links to detailed threat indicators and additional analysis, according to a HITRUST statement released Monday.

“In addition, each month the briefings will provide a more detailed analysis of a different threat actor observed targeting the health care sector as well as the effectiveness of information security products during the previous period,” the industry group said. “This revised format provides health care organizations with more meaningful and actionable information on current and probable cyber threats, information security defenses and best practices for cyber threat defense and response.”

These changes come on the heels of the Anthem hack, which raised significant questions about information sharing standards throughout the large number of information sharing and analysis organizations, such as HITRUST, that have popped up throughout the private sector.

While the government’s officially recognized National Health Information Sharing and Analysis Center sent out its first alert on the Anthem hack containing an initial list of indicators of compromise within 12 hours of the breach becoming public, HITRUST limited its assessment to its own member companies and decided an industrywide alert was not necessary.

Meanwhile, the new cybersecurity information sharing executive order signed Friday by President Barack Obama underscores the role of the officially recognized Information Sharing and Analysis Centers, or ISACs, and tasks the Department of Homeland Security with devising methods of sharing sensitive or classified threat indicator information with industry through these ISACs and other so-called Information Sharing and Analysis Organizations, or ISAOs.

NH-ISAC officials, however, said the new executive order holds the promise of improving information sharing throughout and within the industry, particularly with independent ISAOs.

“We agree that this announcement will strengthen the ISACs’ role as the lead organization for sector-specific information sharing and also encourages ISAOs to work with their respective ISACs to improve information sharing for the constituencies they serve,” NH-ISAC Board Member Jeannie Larson said.

In addition, the executive order now tasks DHS with developing a baseline of voluntary security standards for data-sharing organizations. This will increase the trust levels between intelligence entities and potential private sector members, as well as speed the collaboration between data-sharing entities.

“We are thrilled the executive order recognizes the foundational role we have played in information sharing,” NH-ISAC Executive Director Deborah Kobza said. “We look forward to being part of a larger network of ISAO’s facilitated by standardized cybersecurity information interaction with DHS.”

The NH-ISAC was able to use its National Health Cybersecurity Intelligence System to provide automated access to security intelligence and alert advisories. Many of NH-ISAC’s members reported back whether they had seen the IOCs in their environments, which helped NH-ISAC determine if the Anthem breach was a broader attack against the health sector.

Key to this automated information sharing was an open source platform deployed in January by the NH-ISAC known as Soltra Edge. The platform enabled real-time sharing on a machine-to-machine basis of compromise indicators, Kobza told FedScoop.

Developed initially by the Financial Services ISAC, Soltra Edge is a software platform that collects massive amounts of cyber threat data and converts it to industry standard data formats, including the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII), for real-time exchange and sharing.

The pilot program was so successful for the financial industry that the health care sector was chosen as the next industry ISAC to deploy it. The NH-ISAC completed deployment in January, Kobza said.