The Health Information Trust Alliance has launched a service that enables an exchange of intelligence on cyber-threats facing the health care industry.
The Health Information Trust Alliance (HITRUST), a group of health care
business technology and information security leaders, has launched the Cyber Threat
Analysis Service (C-TAS) to provide intelligence on computer network threats
facing the health care industry.
HITRUST aims to protect electronic health records (EHRs) and
medical devices from suspicious online activity by promoting collaboration
among IT leaders, government officials and health care providers. It also offers
education about risk-management practices to health care providers.
"Health care security professionals will receive
written updates that describe the motivation, intent and capability of the
adversary responsible for a cyber-threat," Daniel Nutkis, CEO of HITRUST,
told eWEEK in an email. "This provides context needed to assess the
likelihood of an impact to their own organization."
For C-TAS, HITRUST is partnering with iSight Partners, a
firm that offers global cyber-intelligence to federal, state and local
government organizations.
"Cyber-threats targeting the health care sector are
very unique, and it's important to craft sector-specific threat intelligence
capabilities and products," John Watters, CEO of iSight, said in a
statement.
The service consists of a platform that offers vulnerability
reporting and research on best practices for security officers and
investigators.
HITRUST will share information about threats without "attribution,"
or mentioning the organization that detected the threat, according to Nutkis.
"When a health care organization finds a threat in
their enterprise, they will share that threat information with HITRUST, and
HITRUST will send an update to all organizations but will not mention the
original organization that initially detected the threat," he said.
Launched on July 24, C-TAS is part of the Cybersecurity
Incident Response and Coordination Center, which HITRUST established on April
24 to provide early detection, remediation and threat alerts to the health care
industry.
Health care organizations generally are unable to afford
their own threat centers, according to HITRUST. But they need a high level of
protection because their IT systems store personal health information and
consumer data as well as intellectual property and trade secrets, HITRUST
noted.
The Departments of Health and Human Services, Veterans
Affairs and Homeland Security (DHS) participate in HITRUST. On May 4, DHS
issued a report on how medical
devices that connect to IT networks may pose a threat to security.
Health IT company McKesson and insurer WellPoint are also
involved in HITRUST, along with other participants from pharmaceutical distributors
and manufacturers.
"The level of collaboration we are experiencing across
the health care industry and with government agencies, EHR vendors and medical
device manufacturers is unprecedented and reflects the importance to the
industry," said Nutkis.
Data breaches in health care increased by more than 30
percent from 2010 to 2011, according to the Ponemon Institute's December 2011
Second Annual Benchmark Study on Patient Privacy & Data Security. A data
breach brings an average economic impact of $2.2 million, Ponemon reported.
"The HITRUST C-TAS is a major step forward in the
availability of tools and knowledge for organizations to prepare and respond to
cyber-incidents, and to better protect this critical industry," said
Nutkis.
As EHR software develops, the management of security threats needs to improve as well,
according to Michael Wilson, vice president and chief information security officer
at McKesson.
The HITRUST service is a "crucial" tool that will make health
care data more "targeted, readily accessible and meaningful," Roy
Mellinger, vice president and chief information security officer, WellPoint,
said in a statement.
C-TAS packages include tech support as well as reports on incidents
and threats such as malware. The reports will be geared toward specific
roles such as security operations, investigations and management, said Nutkis.
Health care organizations will be able to use a Web-based
system to notify HITRUST of suspicious code or other indicators, he said.
Brian T. Horowitz is a freelance technology and health writer as well as a copy editor. Brian has worked on the tech beat since 1996 and covered health care IT and rugged mobile computing for eWEEK since 2010. He has contributed to more than 20 publications, including Computer Shopper, Fast Company, FOXNews.com, More, NYSE Magazine, Parents, ScientificAmerican.com, USA Weekend and Womansday.com, as well as other consumer and trade publications. Brian holds a B.A. from Hofstra University in New York.