The Health Information Trust Alliance (HITRUST) performed a thorough review of the healthcare industry’s leading threat intelligence sharing and analysis group, the HITRUST Cyber Threat XChange (CTX), and published their findings and recommendations as The Health Industry Cyber Threat Information Sharing and Analysis Report. Unfortunately, the results weren’t ideal, particularly as they related to Indicators of Compromise (IOCs).
To understand the type of threats healthcare is up against, and to promptly implement targeted defenses against attacks, organizations must be able to quickly consume relevant cyber threat intelligence that tells them how to respond (including IOCs). The theory behind collecting this information is that “one organization’s attack is another’s defense.”
Two Key Findings
The report uncovered some unsavory statistics about how healthcare organizations are faring against the onslaught of cyber threats and attacks. Here are two key findings:
1. There are significant gaps in the collection and usability of IOCs.
Experts had already speculated about the degree to which organizations consume IOCs versus contribute them. The report confirmed their fears and revealed:
- Only 5 percent of organizations are contributing IOCs
- Of that 5 percent, only half of the IOCs added are “actionable,” or useful in preventing or defending against an attack without risk of a false positive.
- At the same time, 85 percent of organizations are consuming IOCs
2. Organizations are not adequately identifying cyber threat indicators internally.
This is a serious problem because organizations depend on situational awareness and cyber preparedness. If they can’t recognize cyber threats, they can’t defend against them or contribute IOCs to the HITRUST CTX to aid in the defense of others. In a comparison of indicators provided by participants using current cyber discovery methods versus breach detection systems, 286 times more IOCs were found by breach detection systems, 24 percent of which were new and entirely undiscovered.
What Healthcare Organizations Can Do to Protect Themselves
Moving forward, it’s crucial that participants can gather IOCs quickly, thoroughly and accurately. Failure to do so will continue to weaken the healthcare industry’s ability to collect threat intelligence and share experiences to better defend against up-and-coming attacks. HITRUST has named breach detection systems as the solution showing the greatest potential. Breach detection systems are a sensible investment, and practical to deploy and operate, no matter the size of your healthcare organization. Additionally, the report recommended the following:
- Create detailed requirements for IOC sharing to increase the number and quality of IOCs contributed to the HITRUST CTX.
- Establish an enhanced IOC sharing pilot group to measure benefits and identify issues.
- Evaluate methods to encourage organizational engagement through incentives. As of now, there is no guideline in place that regulates how much an organization contributes versus consumes. Therefore, there is no incentive for them to contribute at all.
- Provide HITRUST CTX with near real-time cyber threat indicator visibility (across particular segments). One way HITRUST is helping to make this happen is by making 50 Trend Micro Deep Discovery systems available to healthcare organizations in each segment of the industry. These systems will increase visibility into the cyber threats targeting each environment, and will submit IOCs to HITRUST CTX to aid in increasing situational awareness and preparedness across the entire industry.
HITRUST was created to expedite the detection of and defense against cyber threats that specifically target the healthcare industry. With participation from organizations in collecting and sharing IOCs, the healthcare landscape can become exponentially more secure against the rising frequency and sophistication of cyber threats and attacks.