Earlier this month, the U.S. Healthcare and Public Health Sector (HSCC) published an update to its guidance about cybersecurity information sharing. This new guide provides best practices for cyber threat information sharing so that healthcare organizations can properly disclose cyber threat issues and crowdsource cybersecurity expertise.
Why is information sharing important?
The cyber threat landscape evolves daily, and the need for organizations to share cybersecurity data becomes more and more vital. By communicating cyberattacks, as well as how they were or could be mitigated, organizations can improve their own security, help fortify the industry, and create meaningful collaborations. HSCC’s original guidance focused on Information Sharing and Analysis Organizations (ISAOs) and their role as governing bodies that ensure regulatory compliance. Established, health-based ISAOs include the Health Information Sharing and Analysis Center (H-ISAC) and Healthcare Ready. According to the chief security officer of H-ISAC and HSCC co-chair, Errol Weiss, “Information sharing programs, when done properly, produce significant benefit at low risk for the organizations that participate.” Such involvement gives organizations a trusted network in which to disclose, discuss, and offer recommendations, protecting themselves, their employees, and their patients alike.
What are best practices and where is the best place to start?
The latest HSCC guidance explores how healthcare organizations can effectively develop, implement, and maintain cyber threat sharing programs. Best practices advise healthcare organizations to:
- Start by developing a program before implementing it
- Identify goals and objectives of sharing
- Examine models for regulatory compliance
- Choose who to share information with (e.g., H-ISAC) and how
- Obtain internal and legal approvals
- Decide what can (and can’t) be disclosed as well as how to communicate it properly
Disclosed information must include more than the latest malware or threat actor; how the attack was carried out and how it was (or could have been) blocked are imperative. Possible third-party risks, such as insider threats, regulatory issues, and foreign nationals, are also essential to share. The more information revealed about cybersecurity, the better equipped the industry becomes. When done properly, a sharing program can shed light on cybersecurity strengths and weaknesses, ultimately stopping threats before they do damage.