Breach Preparedness
,
Data Breach
,
Info Sharing
After Years Without an Official Coordinator, One Organization Will Get Grant Support
Marianne Kolbasuk McGee (HealthInfoSec) •
August 1, 2016
Karen DeSalvo, M.D., national coordinator for health IT
The Department of Health and Human Services will soon issue up to $1.75 million in grants to give a boost to just one organization that will take a lead role in cyber threat information sharing. A top priority of the ramped-up effort to help fight cyberattacks in the healthcare sector is to keep smaller organizations better informed of the latest risks.
See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016
"Establishing robust threat information sharing infrastructure and capability within the healthcare and public health sector is crucial to the privacy and security of health information, which is foundational to the digital health system," said Karen DeSalvo, M.D., who heads HHS' Office of the National Coordinator for Health IT. "This coordinated resource will focus on sharing the most up-to-date threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information."
The grants will support one information and sharing analysis organization, or ISAO, that has bi-directional capability to improve the exchange of cyber threat information with HHS and throughout the healthcare sector.
At least two cyber threat information sharing organizations - the National Health Information Sharing and Analysis Center, or NH-ISAC, and the Healthcare Information Trust Alliance - already serve the healthcare sector. Some observers, however, say efforts by both of these organizations so far have come up short when it comes to keeping smaller organizations well-informed.
NH-ISAC tells Information Security Media Group it plans to apply for the funding. It remains unclear whether HITRUST plans to apply.
Other Candidates?
While the HHS funding opportunity is open only to organizations that already have an infrastructure and provide cyber information sharing, some observers say NH-ISAC and HITRUST aren't the only potential candidates to compete for the grants.
"This is a government grant, so any not-for-profit can throw its hat in the ring and vie for the grant," says Mac McMillan, CEO of the security consulting firm CynergisTek. "The encouraging thing is that the NH-ISAC has been re-energized of late under [new president] Denise Anderson's leadership, and with the support of College of Healthcare Information Management Executives and other key healthcare organizations, it appears to be on course to join its counterparts in finance and other sectors where the ISAC is a real asset," he says.
"You'll find that whoever gets this grant will be required to develop a system to reach all sectors within healthcare by the government who always has its eye on the smaller provider, not just the big players who frankly can do this for themselves if they wanted to."
Many areas in cyber threat information sharing need improvement in the healthcare sector, McMillan contends. That includes, for example, "having an effective clearinghouse for where the information comes from and is vetted, having an effective mechanism or mechanisms for dissemination, formal cross-entity collaboration processes, etc."
An ONC spokesman tells ISMG: "We encourage every eligible organization to submit applications after which [HHS] will review them to select an ISAO for the healthcare and public health sector."
How Grants Will Be Awarded
ONC and the HHS Office of the Assistant Secretary for Preparedness and Response on July 25 announced two cooperative agreement funding opportunities. The combined funding for an ISAO in the first year will be worth $250,000, but the grant could be renewed for up to five years. ASPR and ONC are issuing separate funding opportunity announcements with scopes of work specific to each funding source, HHS notes. August 25 is the deadline to apply for the funding.
The development of an ISAO for healthcare was called for by the Obama administration under an executive order signed into law in February 2015, as well as in the Cybersecurity Information Sharing Act signed into law last November.
HHS says the grant funding will help expand the "bi-directional information sharing" and outreach of a currently functioning organization to include HHS and the entire public healthcare and healthcare sector. The grants, however, are "not intended to fund the awardee's entire operation," HHS says.
The organization receiving the grants will:
Provide
cybersecurity information and education on cyber threats affecting the healthcare and public health sector;
Expand outreach and education activities to ensure that information about cybersecurity
awareness is available to the entire healthcare and public health sector;
Equip stakeholders to take action in response to cyber threat information:
Facilitate
information sharing widely within the healthcare and public health sector, regardless of the size of the organization.
Potential Contenders
The NH-ISAC has already been working with HHS and others in the healthcare sector in sharing cyber information, notes Anderson, its new president. "The NH-ISAC recognizes the need for the healthcare and public health sector to receive information and education about threats more broadly as some of the smaller sector stakeholders are the most vulnerable. Many of our board members believe it is their mission to help out the more vulnerable organizations within the sector and that a rising tide floats all boats."
HITRUST, which already is a federally recognized ISAO in the healthcare sector, says in a statement provided to ISMG: "We have published numerous progress reports on the effectiveness of cyber information sharing within the healthcare industry and the efforts HITRUST, through our Cyber Threat Xchange [service], has taken and has planned to undertake to address and advance cyber information sharing in the industry. With that said, there is always room for more to be done."
The HHS grants are trying to make it more affordable for smaller public health and private healthcare entities to tap into cyber information sharing services, HITRUST notes. The organization claims that it already provides a cyber threat information exchange service "free of charge" to any healthcare or public health organization that wishes to join its ISAO.
Threat Info Sharing Lacking
Harris Health System, which was awarded a one-year, $150,000 HHS grant to help identify ways to share cyber threat information, will release its final report from that study by Sept. 30, says Jeffrey Vinson, CISO at the system.
The organization briefed HHS in March on some of the preliminary results of the first part of its study. "We discovered the healthcare sector wants to be able to share cyber threat information but doesn't currently have a way to do it, which isn't shocking," he says.
Vinson says he's not certain whether Harris will apply for the latest grant opportunity, "but given our knowledge and work in this area it would make sense if we did apply for a new grant."
Bolstering cyber information sharing in the healthcare sector is critical, Vinson says. "Cyber threat information is extremely important to the healthcare sector and public health because the industry lags behind the other industries when it comes to robust cybersecurity, and last year healthcare was under heavy attack," he says.
"Not many of us in the healthcare sector even understand how these organizations were breached, so we have no idea how to better protect ourselves from these attacks."