Cyberintelligence experts, prominent infosec pros and an HHS official all agree – health orgs need to share information security information now.

Why hospitals should join an ISAC immediately

By Tom Sullivan
10:46 AM

BOSTON — The time has come for hospitals and health systems to participate in information sharing of some sort, if not the National Healthcare ISAC.

That is an overwhelming sentiment shared by several speakers at the Healthcare Security Forum here. One irrefutable reason?

“Hackers continue to collaborate, security professionals not so much,” said Michael Figueroa, Executive Director of the Advanced Cyber Security Center. “They might work in isolation physically, but hackers are some of the most collaborative security practitioners in the business today.”

Former Secretary of Homeland Security Tom Ridge said that one of the most important things America has done since the September 11, 2001, terrorist attacks is to encourage participation in information sharing and analysis centers, and he pointed to financial services, which has 9,000 members, as a success story. Participants have access to the federal government’s information about malware, digital incursions and other security events.

Healthcare, on the other hand, has approximately 200 ISAC members. “I encourage you to become members of the ISAC,” Ridge said. “It’s absolutely essential.”

Phil Alexander, information security officer at UMC Health System, said that hospitals need a button they can push to get threat intelligence.

UMC, for its part, joins forces with the NIST working group and associations in Texas to, among other things, help rural agencies get what they need.

Alexander added that it’s not just the ISAC and the NIST framework; other options for security guidance and information sharing include HITRUST, FBI and other listservs, and InfraGard.

“If you’re not grabbing intelligence about our industry then you’re missing out,” Alexander said.

John Houston, vice president of security and associate counsel at UPMC, said hospitals must have a framework.

“Whether it's HITRUST or NIST – it’s the discipline to execute on a strategy,” Houston said. “The tools help you be compliant, just don’t confuse compliance with security.”

What’s more, since the Cybersecurity Information Sharing Act of 2015, the U.S. Department of Health and Human Services built the Health Cybersecurity and Communications Integration Center and aligned with other federal agencies. HHS CISO Christopher Wlaschin said that the HCCIC can help get the word out about cyber threat indicators.

“Our goal is that 80 percent of our cyber budget goes to identifying, preventing and detecting. I think it’s pretty insightful: stop the threat before it gets inside,” Wlaschin said. “If you’re not a member of HITRUST or NH-ISAC, I suggest you join.”

Twitter: SullyHIT