The Health Information Trust Alliance (HITRUST) announced this week that it will establish a new working group to support the White House Cybersecurity Executive Order.
The Executive Order, issued Feb. 12 by President Obama following his State of the Union address, warns that "the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."
The policy orders, among other areas: cybersecurity information sharing between government and private industry entities; a baseline framework (the "Cybersecurity Framework") to reduce cyber risk leveraging existing industry frameworks and best practices; and identification of critical infrastructure at greatest risk. The policy also calls for sector-specific, voluntary programs to support the adoption of the Cybersecurity Framework.
Daniel Nutkis, chief executive officer of HITRUST told Healthcare IT News that the alliance has so far received some 170 applicants to participate in the workgroup, out of which HITRUST will select 25 to participate. The workgroup members will come from all types of stakeholders. Kevin Charest, chief information security officer, Department of Health and Human Services, has also signed on to participate.
According to HITRUST officials, the Cybersecurity Working Group will initially focus setting up a baseline framework to reduce cyber risk to critical infrastructure.
"This is really not a surprise,” Nutkis says. “We've been doing this for a long time.” The challenge now, he says, is the complexity, size, and diversity of cyber attacks, and how to get everyone engaged.
The healthcare industry recognized more than 18 months ago the potential impact of cyber attacks and intrusions, and the need for industry collaboration with regards to cyber threat intelligence and response, according to a HITRUST news release. Among other risk factors, the healthcare sector is vulnerable to disruption of information systems and medical devices directly responsible for patient care, as well as those involved in the manufacture and distribution of life sustaining medications and therapies.
It was also recognized that any model developed for responding to these threats would need to include effective and timely sharing of information with government. Since that time, HITRUST has worked with industry and government to create policies and systems that allow anonymity and privacy to ensure critical information is shared without liability concerns by the victim or submitting party, according to HITRUST.
The result has been a very effective model for public-private collaboration between the healthcare industry and government. The industry is now working closely with government on its existing cybersecurity efforts, including active threat intelligence, information sharing and incident response through the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3).
[See also: Securing the future.]
The HITRUST C3 has a cyber threat information sharing agreement with the Department of Health and Human Services and also participates in the Department of Homeland Security (DHS) Critical Infrastructure Sharing and Coordination Program.