HITRUST to bolster health cyber-security

Will form workgroup to assist with White House executive order
By Diana Manos
10:14 AM
The Health Information Trust Alliance

The Health Information Trust Alliance (HITRUST) announced this week that it will establish a new working group to support the White House Cybersecurity Executive Order.

The Executive Order, issued Feb. 12 by President Obama following his State of the Union address, warns that "the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."

The policy orders, among other areas: cybersecurity information sharing between government and private industry entities; a baseline framework (the "Cybersecurity Framework") to reduce cyber risk leveraging existing industry frameworks and best practices; and identification of critical infrastructure at greatest risk. The policy also calls for sector-specific, voluntary programs to support the adoption of the Cybersecurity Framework.

Daniel Nutkis, chief executive officer of HITRUST told Healthcare IT News that the alliance has so far received some 170 applicants to participate in the workgroup, out of which HITRUST will select 25 to participate. The workgroup members will come from all types of stakeholders. Kevin Charest, chief information security officer, Department of Health and Human Services, has also signed on to participate.

According to HITRUST officials, the Cybersecurity Working Group will initially focus setting up a baseline framework to reduce cyber risk to critical infrastructure.

"This is really not a surprise,” Nutkis says. “We've been doing this for a long time.” The challenge now, he says, is the complexity, size, and diversity of cyber attacks, and how to get everyone engaged.

The healthcare industry recognized more than 18 months ago the potential impact of cyber attacks and intrusions, and the need for industry collaboration with regards to cyber threat intelligence and response, according to a HITRUST news release. Among other risk factors, the healthcare sector is vulnerable to disruption of information systems and medical devices directly responsible for patient care, as well as those involved in the manufacture and distribution of life sustaining medications and therapies.

It was also recognized that any model developed for responding to these threats would need to include effective and timely sharing of information with government. Since that time, HITRUST has worked with industry and government to create policies and systems that allow anonymity and privacy to ensure critical information is shared without liability concerns by the victim or submitting party, according to HITRUST. 

The result has been a very effective model for public-private collaboration between the healthcare industry and government. The industry is now working closely with government on its existing cybersecurity efforts, including active threat intelligence, information sharing and incident response through the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3).

[See also: Securing the future.]

The HITRUST C3 has a cyber threat information sharing agreement with the Department of Health and Human Services and also participates in the Department of Homeland Security (DHS) Critical Infrastructure Sharing and Coordination Program.

"There is no doubt in my mind that the sharing of cyber threat information and coordinated incident response has benefited both industry and government," Nutkis said, in the news release. "Leaders in industry and government deserve credit for recognizing the importance of this effort, and working to establish and enhance a model through the HITRUST C3 for collaboration, information sharing and threat response."

"The Department of Health and Human Services has first-hand experience that collaboration with industry can provide value to both industry and government," said Kevin Charest, chief information security officer, Department of Health and Human Services. "Our active participation in the HITRUST C3 allows us to share important cyber threat information, interact in a trusted forum with other healthcare organizations, and receive similar information in return. We look forward to participating with industry in the HITRUST Cybersecurity Working Group on cybersecurity best practices."

"This is a call to action to the industry to be more engaged in ensuring we are doing everything practical to prepare for, and respond to, cyber threats," said Jon Moore, chief information security officer at Humana.

"While creating a model that allows for industry and government collaboration has been a challenge, this model is continuing to make progress and is a step in the right direction for healthcare," Moore added.

HITRUST officials say they believe the HITRUST Common Security Framework (CSF), the most widely adopted risk-based information protection framework used by healthcare organizations, is well aligned with the controls and best practices necessary to mitigate cybersecurity risks. However, HITRUST recognizes the need for the CSF to continue to evolve to address new technologies and threats.

[See also: mHealth privacy concerns loom large.]


Through the new working group, HITRUST is initiating a thorough review of each relevant control with consideration of cyber losses and risk factors. The outcome of this effort will include updates to the controls in the CSF and guidance on prioritizing implementation of these controls to reflect the associated cybersecurity risks.

A roundtable session to share findings and receive comments on the working group findings will convene alongside the HITRUST 2013 conference to be held May 20-22 in Dallas-Fort Worth.