The U.S. Department of Health and Human Services' CISO shared how a new threat alert system for the health care industry will enhance the cyber readiness of the public and private sectors.
On Thursday, Kevin Charest spoke to SCMagazine.com about the initiative – a partnership effort between DHHS and the Health Information Trust Alliance (HITRUST).
The agency and HITRUST, which helped establish the Common Security Framework for protecting personal health and financial data, also teamed up earlier this year to announce ongoing cyber attack exercises, dubbed “CyberRX,” to test the industry's threat preparedness.
Now, the entities have announced that they will conduct monthly cyber threat briefings to help organizations understand risks impacting the industry. In addition, an alert system established by HITRUST, called “C3 Alert,” will be available to notify organizations of threats.
The alert system was designed to pinpoint high-probability and high-impact cyber threats targeting the industry, according to a release on the initiative.
In a Thursday interview, Charest told SCMagazine.com that the joint effort was born out of DHHS and HITRUST's continued collaboration in sharing basic threat information impacting the health care sector. Both entities have erected threat centers, he added.
“We don't have the ability to issue alerts to any and everybody, but what [DHHS] can do, and what we are doing, is partnering with folks like HITRUST who have a constituency,” Charest said, later adding that the system would become “self sustaining” with the input and feedback.
A press release explained that the free cyber alerts are to be issued any time the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) “identifies a present and immediate cyber threat relevant to a large number of health care organizations, medical devices or systems.”
In addition, the monthly briefings (also free) will be held online and are set to begin next month. The briefings will convene for 60 to 75 minutes and will be targeted to health organizations of varying sizes and “cyber security maturity levels,” the release said. Organizations can sign up for the briefings and alerts online.
According to HITRUST's website, the events and alerts will be available to “qualified organizations,” defined as those employing a “function or activity involving the disclosure of individually identifiable health information, provided that said organization does not provide security products or services.”
Federal, state or local agencies may qualify to participate as well.