Healthcare Industry Now Sharing Attack Intelligence

New HITRUST Cybersecurity Incident Response and Coordination Center lets healthcare organizations, U.S. Department of Health and Human Services swap information, forensics from firsthand attack experiences, other threats


Large healthcare organizations and the U.S. Department of Health and Human Services (HHS) have banded together to share attack and threat intelligence in a new incident response and coordination effort established specifically for their industry.

The Health Information Trust Alliance (HITRUST) today announced the launch of the new HITRUST Cybersecurity Incident Response and Coordination Center as a go-to online community for helping spot cybersecurity attacks against healthcare organizations and coordinating incident response to threats and attacks. "We [all] started to see, eight to 12 months ago, an uptick in more focused attacks or attempts against healthcare systems coming from around the world," says Roy Mellinger, CISO at WellPoint, one of the 15 founding participants in the new cybercoordination center. "We needed something to help us protect" our data, so the center is a crucial resource, according to Mellinger.

Attacks against healthcare organizations are becoming more targeted and focused, he says. And the bad guys are going after Web portals and healthcare applications as their point of entry, he says, rather than their previous M.O. of hitting the perimeter. "We've seen a change in tactics, and it has us responding," Mellinger says.

Healthcare is one of several industries now to have its own intel-sharing mechanisms to help combat cybercrime and cyberespionage. The financial services and defense industrial base sectors have been doing so for some time, and there are regional approaches, such as the FBI-led InfraGard association of local businesses, academic institutions, and state and local law enforcement agencies that share attack and threat information.

Data breaches in healthcare jumped more than 30 percent last year and could be costing the industry an average of $6.5 billion a year, according to a recent Ponemon Institute study. Hospitals and healthcare providers suffered an average of four data breaches in the past year, the report found, and employee error was one of the main reasons for breaches. The increase in breaches may in part be due to better detection capabilities, however, noted Larry Ponemon, chairman and founder of the Ponemon Institute.

Another recent study of small healthcare practices by Ponemon was even more disturbing: Ninety-one percent of small healthcare providers in North America with 250 or fewer employees said they had suffered a breach in the past 12 months.

"There are certain types of attacks targeting healthcare, be it a children's hospital that has a set of new and fresh SSNs, or health plans with electronic payments," says Dan Nutkis, CEO at HITRUST, a healthcare industry group that also offers a framework for the creation, access, storage, and exchange of personal health and financial information. "So [at first] we decided we would informally facilitate collaboration, but we found it very complicated. Very few organizations in the whole industry have the skill set to know what to do with the information," such as indicators of compromise, he says.

Nutkis says it made more sense to focus on early warning efforts for large healthcare organizations, and then that information ultimately can be massaged and packaged for smaller healthcare groups as well. So with help from HHS, HITRUST built the new portal that helps organize intelligence and threat information among participants.

HHS is among the 15 healthcare organizations currently sharing security incident information, as are UnitedHealth Group, Baylor Health Care System, Dignity Health, and Humana. The information-sharing tools in the portal allow the agency and the companies to share that information confidentially and anonymously.

[Major global businesses are calling for better intelligence- and information-sharing among themselves and other organizations hit by cyberattacks in order to better fend off the bad guys and protect themselves from breaches, but a universal model for doing so remains elusive. See Victim Businesses Teaming Up To Fight Cybercriminals.]

While threat intel-sharing is a major goal for many organizations today to work more as a team to fight cybercrime, collaboration isn't so simple. "Human trust is a fundamental prerequisite to enable the exchange of threat intelligence information. And it does not scale well," notes Jacques Francoeur, chair of the Bay Area Council Threat Intelligence Sharing Committee.

There also are major technology challenges, as well as the question of what to do with the intelligence you get from your counterparts, he says. "There are technology issues related to how you structure threat indicators, deidentify the source, share them in an automated manner, and control the usage and access of the data. There are issues of trust related to the source of the information and, until that is in place, receivers of information will be reluctant to redirect resources based on that information. There are large differences in the maturity of different organizations to even understand how to leverage the information," Francoeur says.

"For example, how does near real-time threat and capability intelligence change an organization's security strategy? Is it prepared to dynamically adapt and redirect security resources based on this intelligence?" he says. "It is not only about how to collect and share the information; it is what to do with it once you have it."

Kevin Charest, director and program manager at HHS's incident response center, says HHS is providing nonclassified attack information, such as indicators of compromise for specific attack campaigns. "It's kind of outreach and information-sharing," Charest says. "If we've developed an IOC around a particular set of intrusions, we can say, 'Here's some [threats] to point your tools at.'"

The hope is that this intelligence gathered and coordinated among the big healthcare organizations will ultimately trickle down to small practices that don't have the resources and expertise. "The larger organizations do touch a large percent of the market, so you have that kind of trickle-down," Charest says.

HITRUST's Nutkis says the new healthcare intel-sharing portal is basically a centralized vehicle for information dissemination, and includes information from outside sources, such as US-CERT. He says he doesn't expect participants to report each and every incident they experience, however.

"We don't anticipate all incidents will be reported to us. Some internal events don't support huge collaboration," he says. The center will not only alert participating healthcare organizations of threats and attacks, but also help with coordinating response and best practices.

The center will also provide threat information to the healthcare industry overall.

What makes healthcare unique when it comes to threats is that there are so many interactions among various healthcare organizations, plus there are so many points of entry for a breach. "Most individuals only bank with one or two banking entities ... but in healthcare, you go to primary providers, dentists, specialists, eye doctors, and pharmacies: It's a one-to-many relationship," WellPoint's Mellinger says. "And each of these needs to exchange information with additional parties, doctors with hospitals and X-rays, MRIs, and payers."

That data flow is unique, and with it comes some risk of that data being compromised somewhere along the way, experts say.

Meantime, WellPoint is using the intel it gathers from other healthcare providers to update its sensors and other defenses to deflect the latest attacks, according to Mellinger. "We can share IP addresses where the origination or source of an attack may come from and share our forensic results" in a redacted and sanitized form, he says.
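The three technical steps the article touches on, structuring and deidentifying shared indicators (Francoeur), pointing detection tools at a shared IOC (Charest), and releasing forensic results only in redacted form (Mellinger), fit together in a small pipeline. The following is an added illustration, not code from the article, HITRUST, HHS or WellPoint: the record format, the field names, the sharing key, the organization's internal address ranges, the forensic note and the log lines are all constructed for the example.

```python
"""Added example (not the article's or any named organization's code):
package IOCs for sharing with the source deidentified and internal
details redacted, then match the shared IOCs against local logs."""
import hashlib
import hmac
import ipaddress
import json
import re
from datetime import datetime, timezone

# --- Constructed sample inputs -------------------------------------------
SUBMITTER_ORG = "example-health-plan"          # constructed organization name
SHARING_SECRET = b"key-issued-by-coordination-center"  # constructed; assumed to be distributed out of band
SHARED_ATTACKER_IPS = ["203.0.113.45", "198.51.100.7"]  # constructed, documentation (TEST-NET) ranges
INTERNAL_NETS = [ipaddress.ip_network(n)        # assumed: the submitter's own RFC 1918 ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_NOTE = (  # constructed analyst write-up, as it might read before sanitizing
    "Web portal login abuse from 203.0.113.45 hitting "
    "https://portal.internal.example-health-plan.net/login; "
    "pivoted to 10.20.30.40 (db01.corp). Analyst: jsmith@example-health-plan.net"
)
SAMPLE_LOGS = [  # constructed web-portal access log lines
    '203.0.113.45 - - [10/Jun/2012:02:14:07 +0000] "POST /login HTTP/1.1" 401 512',
    '192.0.2.10 - - [10/Jun/2012:02:14:09 +0000] "GET /index HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jun/2012:02:15:30 +0000] "POST /login HTTP/1.1" 401 512',
]

# --- 1. Deidentify the source ---------------------------------------------
def pseudonymous_submitter(org: str, secret: bytes) -> str:
    """Keyed hash of the submitter's name: recipients can correlate reports
    from the same source over time without learning which organization it is.
    Only holders of the sharing key can reverse the mapping by recomputation."""
    return hmac.new(secret, org.encode(), hashlib.sha256).hexdigest()[:16]

# --- 2. Sanitize the narrative before it leaves the organization -----------
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_INTERNAL_HOST = re.compile(r"\b[\w-]+\.(?:internal|corp)\b[\w.-]*")  # assumed internal naming

def sanitize_note(note: str) -> str:
    """Redact internal addresses, hostnames and analyst identities while
    keeping the attacker-side addresses, which are the part worth sharing."""
    def _redact_internal_ip(match: re.Match) -> str:
        ip = ipaddress.ip_address(match.group(0))
        return "[internal-ip]" if any(ip in net for net in INTERNAL_NETS) else match.group(0)
    note = _IPV4.sub(_redact_internal_ip, note)
    note = _EMAIL.sub("[redacted-email]", note)
    note = _INTERNAL_HOST.sub("[internal-host]", note)
    return note

# --- Structure the shared record ------------------------------------------
def build_share_record(indicators, note: str, tlp: str = "AMBER") -> dict:
    """One shareable report: typed indicators, a sanitized context note, a
    pseudonymous source and a Traffic Light Protocol marking that tells the
    receiver how far it may redistribute the data."""
    return {
        "schema": "example-ioc-share/1",  # constructed label, not a real standard
        "source": pseudonymous_submitter(SUBMITTER_ORG, SHARING_SECRET),
        "tlp": tlp,
        "created": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "indicators": [{"type": "ipv4", "value": ip} for ip in indicators],
        "context": sanitize_note(note),
    }

# --- 3. Receiver side: point a tool at the indicators ---------------------
def match_indicators(record: dict, log_lines) -> list:
    """Return (client_ip, line) for every log line whose client address is a
    shared IOC; the client address is the first field of the access log."""
    watch = {i["value"] for i in record["indicators"] if i["type"] == "ipv4"}
    return [(line.split(" ", 1)[0], line) for line in log_lines
            if line.split(" ", 1)[0] in watch]

def may_redistribute(record: dict) -> bool:
    """Honour the handling marking: RED and AMBER reports stay with the recipient."""
    return record.get("tlp") in ("GREEN", "WHITE", "CLEAR")

if __name__ == "__main__":
    rec = build_share_record(SHARED_ATTACKER_IPS, INTERNAL_NOTE)
    print(json.dumps(rec, indent=2))
    for client, line in match_indicators(rec, SAMPLE_LOGS):
        print("IOC hit:", client, "->", line)
```

The sanitizer is deliberately an allow-list of what may leave (public attacker addresses) plus an explicit deny-list of the organization's own ranges, rather than a generic "is this IP private" test: Python's `ipaddress.is_private` also flags the documentation ranges used here, and a real deployment would substitute its own address plan and naming conventions. The TLP field is what gives the receiver a machine-readable answer to the "control the usage and access of the data" problem Francoeur raises.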

And healthcare organizations can also collaborate one-on-one if they need to drill down for more specifics about an attack, for example, he says. "If I have a colleague with a similar problem and we cooperate [offline], it can benefit both of us," Mellinger says.


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
