How Health Sector Organizations Share Cybersecurity

With the growing amount of data that organizations must process on a daily basis, cybersecurity has become a top concern. Current cyber threats are becoming more sophisticated, complex, and widespread. In particular, organizations in the health sector are faced with a larger volume of attempted cybersecurity breaches. This is due to the high value of healthcare information as compared to other types of data under threat and also the necessity for operations to remain up and running for patient safety.

Achieving optimum cyber resiliency is an ongoing and comprehensive process that involves a certain level of information sharing. Sharing of information across organizations is an easy, cost effective way to understand the threats that are present and provide situational awareness to stakeholders on current tactics, techniques and procedures that are being used by threat actors against the industry.

Defining Information Sharing in the Context of Risk Mitigation

To truly understand how information sharing can mitigate risk, it is first important to understand what the process involves. According to the president and CEO of Health Information Sharing and Analysis Center (H-ISAC, Inc.) Denise Anderson, “through sharing, one organization’s defense becomes every other organization’s offense.”

For those in the health sector unsure about what information sharing entails, it is important to realize what is and is not shared. Information sharing for cybersecurity shares only the malicious threat information, not results of a breach or impact of a threat that has taken place. It is also important to note that sharing within an ISAC community can be done anonymously, if desired.

As the sector continues to leverage technology in order to innovate and improve service delivery, information sharing can enable participating organizations to always remain prepared in the event that a threat occurs.

 Why Information Sharing is Effective

Information sharing can be defined in simpler terms as safety in numbers. Josh Singletary, H-ISAC Chief Information Officer, compares information sharing to spreading information regarding a bank robbery. “If a bank is robbed, the description of the assailants and their techniques are shared to help prevent the same or similar criminals from completing the same crime elsewhere,” says Singletary. “Likewise, when an attack seen by one within the H-ISAC community is shared, the others in the community can benefit by updating behaviors or safeguards.”

Indeed, information sharing in the cybersecurity field is a similar scenario, except that it is mostly digital and occurs at a rapid pace. Because vulnerabilities can be discovered and exploited within hours and because viruses, ransomware and business email compromise can evolve quickly, an organization cannot effectively block all threats alone. It helps tremendously to share your threats and to see those threats others are sharing. “Just having a single member share what they are seeing on their networks allows all other H-ISAC members to implement protocols to seek out and mitigate those threats,” says Singletary.

Another reason for the effectiveness of information sharing within the H-ISAC community is the ability of participants to ask questions to others who are willing to share their expertise. Members ask each other anything from feedback on different security tools and the best ways to implement them to policy and procedures on many different aspects of security. This type of sharing benefits the collective health sector. Information sharing enables companies to expeditiously leverage resources from multiple sources.

Sharing Big Data

The primary challenge for companies lies in developing a framework for rapidly receiving and responding to actionable data. Because a newly emergent threat can spread in just a matter of minutes, data sharing should be carried out quickly to always ensure that organizations are best prepared.

Information sharing for cybersecurity can take place in multiple ways. In many cases, ISACs serve as hub and spoke models for sharing. According to Anderson, “Not only do we have human-to-human sharing that provides context, analysis and direction but machine-to-machine sharing also enables analysts to cut through the ‘noise’ and focus on real threats by capturing anomalies.”

For the healthcare sector, H-ISAC offers this centralized hub for trusted sharing. The large amounts of information that organizations can harvest through logs and Security Information Event Management Systems (SIEMS) enriches the data set, increases awareness and aids in both detection and response. Organizations are able to rapidly take this information into their data environment and add to it their own data and then return this enriched data to the shared threat stream. This is a continual process that is constantly being filtered and enriched by the sharing community.

Examples of Information Sharing Mitigation

Information sharing is a great way to build trust relationships so that when an attack happens the community can help each other out by sharing mitigation strategies. When cybersecurity professional from various healthcare organizations trust each other enough to work together in the case of an impending attack, much can be accomplished quickly.

During the WannaCry and Petya attacks in 2017, Anderson explains how “over 60 analysts at various H-ISAC member organizations came together and in a very short period of time, were able to sort ‘fake news’ reported by open sources from ground truth. They worked together to quickly determine the attack vector, how the attacks spread across networks/organizations and then in the case of Petya, developed a ‘vaccine’ to stop the spread.” This information was shared with members, partners and with the public so that all could benefit and protect themselves.

Anderson refers to this collective incident response as “truly a ground-breaking team effort and a tremendous example of community sharing” to mitigate a severe threat.

How H-ISAC Pushes the Information Sharing Envelope

H-ISAC is playing a key role in facilitating information sharing in the healthcare space. The body is particularly playing an important role in improving big data analysis and machine data sharing. According to Anderson, there are two main ways through which this goal is being achieved. First is through the SOLTRA EDGE platform, and secondly through PERCH.

The SOLTRA EDGE platform shares data at machine speed via the use of the STIIX format and TAXII protocols. PERCH takes things a step further by synthesizing data, identifying anomalies, and sharing this information back with the community. Says Anderson, “We believe Perch will revolutionize the industry by making information sharing easy, effective and community driven.”

Effective information sharing involves a give and take which benefits the entire community. Singletary adds that “without the legal or physical ability to connect all of our computers together to prevent a threat, the best option is sharing through H-ISAC.”

Future Strategies for Information Sharing

H-ISAC is constantly striving to build the community of networking relationships and infrastructure to enhance and expand information sharing. Anderson mentions how future strategies for information sharing will be important for “ultimately feeding situational awareness so that all critical services are protected and resilient.”

In the future, data that is shared will be more specific, easier to share, and easier to develop actionable responses. “Our goal is to reach broadly across the Healthcare and Public Health sector as well as all critical infrastructure globally to accomplish this. Cybersecurity is a global problem,” states Anderson, “and we should all be working together to create an army of the good to win against the army of the bad. The more robust we can make the community, the more ammunition we have.” To learn more or become part of the sharing, go to https://h-isac.org or email contact@h-isac.org.