HITRUST Backs 'Community Defense' Approach to Health Care Cyber-Security

HITRUST is advocating a collaborative approach to cyber-security in response to a letter of inquiry sent by Sen. Jay Rockefeller to executives in health care and other industries.

As Congress reportedly prepares to push through a cyber-security bill next week that stalled this past summer, the Health Information Trust Alliance (HITRUST) has responded to a letter from Sen. Jay Rockefeller (D-W. Va.) on how to proceed with cyber-security.

HITRUST is a group of health care business, technology and information security leaders that provides guidance on risk management and protecting patient health information.

After the Cyber-Security Act of 2012 failed to pass, Rockefeller sent a letter on Sept. 19 to 500 CEOs, including many from health care organizations, to suggest that they conduct an audit of their level of preparedness for cyber-attacks. He inquired about what best practices companies are adopting to deal with cyber-threats.

HITRUST responded with a letter to Rockefeller that discussed the steps the health care industry has taken to guard against cyber-attacks.

"We wanted to make sure Sen. Rockefeller was aware that there already was a fair degree of collaboration," HITRUST CEO Dan Nutkis told eWEEK.

HITRUST launched the Cyber Threat Analysis Service (C-TAS) July 24 to provide intelligence on computer network threats facing the health care industry.

Rockefeller had called for government oversight of critical networks and a presidential executive order on cyber-security.

However, one solution won't solve the problem of cyber-security, according to Nutkis.

"For us, the key isn't one size fits all," said Nutkis. "Every industry believes that they've got specific circumstances; health care is no different."

In its letter to Rockefeller, HITRUST discussed how it was working on a "community defense model" for sharing cyber-threat intelligence, coordinated incident response and exchanging best practices.

"This 'community defense' model provides a trusted platform for health care organizations to share threat intelligence and best practices with each other and the government with certain anonymity and without undue scrutiny or liability," Nutkis wrote in his letter to Rockefeller.

"The [HITRUST Cyber Threat Intelligence and Incident Coordination] Center has established the legal and operating structure to ensure that only relevant information is shared with the Center and that information shared by the Center is done without identification of submitter or victim, facilitating increased willingness to participate."

For the community defense model, HITRUST partnered with BMC Software and runs its application on the Force.com cloud platform. It provides a platform for health care organizations to report data breaches, share information access about incidents instantaneously and coordinate with HITRUST personnel, said Nutkis.

Under the community defense model, "information gleaned from cyber-attacks becomes proactive information for others to learn from," according to Nutkis. "One person's incident becomes another organization's defense and prevents organizations from undergoing the same type of breach."

In dealing with cyber-threats, the health care industry is unique because of its mix of medical devices, electronic health records and advanced clinical systems that organizations must secure, said Nutkis.

Critical infrastructures also require easy access for patients and medical staff, he said.

"Health care, unlike other critical infrastructure sectors such as banking and finance and the defense industrial base, however, faces unique challenges when it comes to cyber-security," Nutkis wrote in his letter.

"The vast majority of the assets are privately owned and operated, highly interconnected with many points of entry, and represent a diverse range of companies, from Fortune 500 organizations down to small businesses, which number in the hundreds of thousands with inconsistent practices and varying levels of skills relating to information security," he wrote.