Barack Obama President United States of America

The Health Information Trust Alliance (HITRUST) has announced the establishment of a new working group to support the White House Cybersecurity Executive Order. Issued on February 12 by President Obama following his State of the Union address, the policy warns that “the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

“While creating a model that allows for industry and government collaboration has been a challenge, this model is continuing to make progress and is a step in the right direction for healthcare.”

The policy orders, among other areas: cybersecurity information sharing between government and private industry entities; a baseline framework (the “Cybersecurity Framework”) to reduce cyber risk leveraging existing industry frameworks and best practices; and identification of critical infrastructure at greatest risk. The policy also calls for sector-specific, voluntary programs to support the adoption of the Cybersecurity Framework.

The HITRUST Cybersecurity Working Group will initially focus on the following deliverable from the Cybersecurity Executive Order:

Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
“The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks”.. “and shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” (Sec. 7)

The healthcare industry recognized more than 18 months ago the potential impact of cyber attacks and intrusions, and the need for industry collaboration with regards to cyber threat intelligence and response. Among other risk factors, the healthcare sector is vulnerable to disruption of information systems and medical devices directly responsible for patient care, as well as those involved in the manufacture and distribution of life sustaining medications and therapies.

It was also recognized that any model developed for responding to these threats would need to include effective and timely sharing of information with government. Since that time, HITRUST has worked with industry and government to create policies and systems that allow anonymity and privacy to ensure critical information is shared without liability concerns by the victim or submitting party.

The result has been a very effective model for public-private collaboration between the healthcare industry and government. The industry is now working closely with government on its existing cybersecurity efforts, including active threat intelligence, information sharing and incident response through the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3).

The HITRUST C3 has a cyber threat information sharing agreement with the Department of Health and Human Services and also participates in the Department of Homeland Security (DHS) Critical Infrastructure Sharing and Coordination Program.

“There is no doubt in my mind that the sharing of cyber threat information and coordinated incident response has benefited both industry and government,” said Daniel Nutkis, chief executive officer, HITRUST. “Leaders in industry and government deserve credit for recognizing the importance of this effort, and working to establish and enhance a model through the HITRUST C3 for collaboration, information sharing and threat response.”

"The Department of Health and Human Services has first-hand experience that collaboration with industry can provide value to both industry and government,” said Kevin Charest, chief information security officer, Department of Health and Human Services. “Our active participation in the HITRUST C3 allows us to share important cyber threat information, interact in a trusted forum with other healthcare organizations, and receive similar information in return. We look forward to participating with industry in the HITRUST Cybersecurity Working Group on cybersecurity best practices.”

“This is a call to action to the industry to be more engaged in ensuring we are doing everything practical to prepare for, and respond to, cyber threats,” said Jon Moore, chief information security officer, Humana. “While creating a model that allows for industry and government collaboration has been a challenge, this model is continuing to make progress and is a step in the right direction for healthcare.”

HITRUST believes the HITRUST Common Security Framework (CSF), the most widely adopted risk-based information protection framework used by healthcare organizations, is well aligned with the controls and best practices necessary to mitigate cybersecurity risks. However, HITRUST recognizes the need for the CSF to continue to evolve to address new technologies and threats. Through the new working group, HITRUST is initiating a thorough review of each relevant control with consideration of cyber losses and risk factors. The outcome of this effort will include updates to the controls in the CSF and guidance on prioritizing implementation of these controls to reflect the associated cybersecurity risks.

A roundtable session to share findings and receive comments on the working group findings will convene alongside the HITRUST 2013 conference to be held May 20-22, 2013, in Dallas-Fort Worth.

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities.