The Health Information Trust Alliance (HITRUST) announced that its latest industry pilot project to improve the collection and sharing of cyber threat information is helping organizations reduce their cyber risk.
Due to the successful pilot project, HITRUST, an organization focused on safeguarding health information systems and exchanges, also announced it is expanding the Enhanced IOC Collection program, and any organization meeting the criteria can request to participate. In addition, HITRUST will enable another 30 organizations in the Enhanced IOC Collection Pilot program, representing 15 health plans and 15 health systems. These organizations will be provided with Deep Discovery Technology from Trend Micro and associated installation, training, support, and integration with HITRUST Cyber Threat Xchange (CTX), a program to help healthcare organizations collect and share cyber threat information, the organization said.
Indicators of Compromise, or IOCs, are shared data objects that indicate, with a high degree of confidence, that an intrusion may have taken place or that a threat actor is operating within a target environment, according to a HITRUST press release. An IOC includes not only hard factual data, but also context and metadata that help describe the threat so that it can be understood and processed.
In the press release, HITRUST stated that the results of the Enhanced IOC Collection Pilot indicate that healthcare organizations can dramatically improve the timeliness, completeness, usability and volume of IOCs contributed to the HITRUST CTX by implementing the enhanced criteria—defined in the November 2015 review of the HITRUST CTX entitled Health Industry Cyber Threat Information Sharing and Analysis Report.
The HITRUST CTX was created to significantly accelerate the detection and response to cyber threats targeted at the healthcare industry. HITRUST CTX automates the process of collecting and analyzing cyber threats and distributing indicators in electronically consumable formats that organizations of varying sizes and cyber security maturity can utilize to improve their cyber defenses, the organization said.
According to HITRUST, 100 percent of the Enhanced IOC Collection Pilot group members submitted IOCs during the 30-day period, compared to only a small percentage of organizations—5 percent—that previously contributed IOCs. Another way that the pilot project made a difference was that, during that same 30-day timeframe, 88 percent of the IOCs collected were unique—that is, not previously seen or identified by any open source, DHS CISCP, leading commercial feeds or otherwise provided to the HITRUST CTX. This increase in unknown, unique submissions means healthcare organizations can better prepare for and respond faster to new and emerging cyber threats, HITRUST stated.
The pilot also proved that threat information sharing shouldn’t be limited to only the largest organizations. HITRUST learned that the scalable sharing of IOCs is required throughout healthcare organizations of varying size, intelligence appetite, and security maturity, according to a HITRUST blog post.
The organization also asserts that given the recent rise in ransomware and other malware targeted at the healthcare industry, these pilot developments are significant as they ensure the collection and consumption of more relevant and timely IOCs that can be used by a much larger percentage of the healthcare industry.
“When cyber threat information is timely, consumable, actionable, and available to a much larger audience, it becomes a much more valuable resource in defending our environment and the entire healthcare eco-system against attacks,” Omar Khawaja, vice president and chief information security officer, Highmark Health, said in a statement.
The data from the Enhanced IOC Collection Pilot indicated that IOCs were reported to the HITRUST CTX on average 1.2 days before being seen or identified by any other open source, commercial, DHS CISCP, or user-contributed feeds to the HITRUST CTX. The data also indicated that IOCs were submitted to the HITRUST CTX in a matter of minutes, compared to an average of 7 weeks after detection for those submitted previously. In addition, many organizations were not effectively identifying IOCs at all.
Data from the pilot project also indicated that 95 percent of the IOCs contributed to the HITRUST CTX had metadata (i.e. malicious IPs, URLs or domains) that made them actionable for use by others, defined as being useful in allowing preventative or defensive action to be taken without a significant risk of a false positive. Previously, only 50 percent of the IOCs contributed to the HITRUST CTX were considered actionable.
HITRUST also announced a number of enhancements to the platform and service for its HITRUST CTX, such as the new CTX Threat Analysis Reporting Service, which provides a method for organizations without SIEM technology to gain access to IOCs relevant to their environment.
“Many years ago, HITRUST recognized that the approaches taken by other industries with regards to cyber information sharing were not fully transferable to the healthcare industry,” Daniel Nutkis, CEO, HITRUST, said in a statement. “The pilot advancements in these two areas show that the CTX continues to evolve, improve, and lead by innovating and ensuring IOC sharing is providing the most value to the broadest group of constituents to help the healthcare industry reduce overall cyber risk.”