“We found in almost every case the companies that had a data breach incident are not members of Health-ISAC”


LinkedIn article published on May 10, 2020 by Errol Weiss, H-ISAC Chief Security Officer


Some call it the wall of shame – the U.S. Government website that lists healthcare industry data breaches over the past 10+ years – breaches which have put millions of patients’ Protected Health Information (PHI) at risk. The site, run by the Department of Health and Human Services Office for Civil Rights (OCR), reports breaches affecting the PHI of 500 or more individuals. When Health-ISAC’s Threat Operations Center reviewed the data on May 7, 2020, the site listed 2,673 events totaling over 205 million breached PHI records. That averages to more than 50,000 PHI records exposed every single day for the past 10 ½ years.

When we looked at the site, we found in almost every case, the companies that had a data breach incident – nearly 96% – are not members of Health-ISAC. I believe this is no coincidence. What this tells me is that Health-ISAC members take the security of their patient information seriously, by investing in information security programs and implementing effective cyber security protections. Being a member of the Health-ISAC is further evidence that a company is making the investments to protect PHI.


Benefits of Health-ISAC Information Sharing and Collaboration

Health-ISAC members collaborate with their peers and actively share information about current attacks and countermeasures used to thwart cyber enemies. Health-ISAC members share best practices that help keep their organizations secure. Let’s face it, cyber security budgets and knowledgeable cyber security staff are in limited supply. Every day I watch how organizations tap into the community pool of experts across the Health-ISAC membership to stay on top of new threats before they hit their own environments. Health-ISAC members help each other become more resilient against the cyber (and even physical) threats they face by quickly sharing actionable threat intelligence and implementing innovative solutions in an ever-changing technology and regulatory environment. I witness first-hand how Health-ISAC members learn from each other as they share solutions related to sector challenges, standards, and best practices needed to sustain patient care information.


The Imperative of Public Health and Safety

The ISAC isn’t just a ‘nice-to-have’. It is an imperative, our responsibility, as healthcare organizations to belong to the Health-ISAC. Healthcare is one of 17 federally-designated national critical infrastructures in the United States, recognized under multiple presidential executive orders since 1998, that point to the ISACs as the nation’s defense against systemic threats like cyber attacks and natural disasters. We therefore have a collective responsibility to collaborate toward strengthening the security and resiliency of the health system, for the imperative of public health and safety.




So, just to sum up these points, I see Health-ISAC members taking advantage of:


  • Improved Security Posture through Shared Situational Awareness
  • Crowdsourced Cyber Security Expertise
  • Heightened Community Trust and Resilience
  • Improved Cyber Security Innovation
  • Patient safety

Feedback and thoughts are welcomed on this topic.

Link to article on LinkedIn:



Link to OCR Breach Portal:
