HITRUST inquires organizations to offer more tight security assistance

The Department of Homeland Security works with security experts across industries to make better the collection and sharing of cyber threat data. Congressional members of the U.S. House Homeland Security Committee on the day of March 9 heard testimony from industry representatives on the value and effectiveness of working with DHS. For the healthcare sector, the worth of cyber threat information disseminated by the government can differ dramatically, said Daniel Nutkis, CEO of stakeholder security collaborative HITRUST, in prepared testimony. HITRUST asked the organizations to offer more tight security assistance.

The Cybersecurity Act of 2015 and Executive Order 13691 developed the necessity of industry information sharing and analysis organizations (ISAOs) to participate in the sharing of cyber data with the government and offered more tight security assistance, Nutkis pointed out.

Technical and operational problems surfaced when industry previously started sharing threat data through DHS’ Automated Indicator Sharing program (AIS). “They have since been addressed, but we would motivate greater engagement by DHS with AIS participants to make sure the alignment with ongoing and future needs,” Nutkis testified. That claimed, the work of DHS is benefiting the healthcare industry, and the engagement with the organization has been productive, he contended.

However, few government activities are undermining sharing programs in the private sector and among data sharing and analysis organizations, he added. “There are efforts underway that will deviate from this attempt by requiring healthcare agencies to merely share information straightly with the Department of Health and Human Services—an agency not even identified in the Cybersecurity Act of 2015 as affording safe harbor liability protections,” Nutkis told lawmakers.

In accordance to HHS, although, no one or any agency is required to report threat data to the agency. HITRUST asked the organizations to offer more tight security assistance.

The CISA law, he argued, places DHS at the center of data sharing with the private and civilian sector. “Since HITRUST has led the industry in the collection of indicators of compromise through the development of increased standards and collection practices, and was the first healthcare agency to start sharing bi-directionally with DHS’s AIS program, we find these efforts unnerving as they are surely contrary to the original intent of CISA and commitment of government to partner with industry through the Information Sharing and Analysis Organization program.”

The private sector, he further added, should be believed to be a partner with government partners and the government should have a universal and consistent approach when engaging industry.