An Opportunity for Sharing Information about Cyber Attacks
Dr. Karen B. DeSalvo and Nicole Lurie, M.D., M.S.P.H. | July 25, 2016
To better prevent attacks on health information technology, organizations need better visibility into what to expect and how to respond. Timely information on the nature of attacks is critical to that ability. To enable better dissemination of threat information, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR) released two Funding Opportunity Announcements (FOAs) to build the capacity of an Information Sharing and Analysis Organization (ISAO). This organization is being asked to:
- Issue warnings about potential cyber threats;
- Provide outreach and education that improves cyber security awareness;
- Equip Healthcare and Public Health sector stakeholders to take rapid actions in response to cyber threat information shared by the ISAO, and
- Facilitate cyber threat information sharing widely within the HPH sector, regardless of the size of the organization.
In short, the ISAO will create a more robust cyber information sharing environment, especially for smaller entities that may not have the resources to access such information on their own, by leveraging existing relationships. Through the resulting streamlined cyber threat information sharing process, HHS will be able to send cyber threat information to a single entity, which will be able to share that information widely to support stakeholders.
This is just the latest step in our cybersecurity efforts. As part of Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap version 1.0, ONC identified the need to “coordinate with ASPR on priority issues related to cybersecurity for critical public health infrastructure.” For the past three years, ONC has worked closely with ASPR and other HHS offices and agencies and offices to facilitate cyber threat information sharing across the Healthcare and Public Health sector. They include:
- The Office of the Assistant Secretary for Administration (ASA),
- The Office of the Chief Information Officer’s (OCIO) Office of Information Security (OIS), and
- The Office of Security and Strategic Information’s (OSSI) Cyber Threat Intelligence Program (CTIP).
This work builds on two Executive Orders related to cybersecurity. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, designates HHS as the agency responsible for sharing cyber threat information with private sector organizations in the Healthcare and Public Health sector. Executive Order 13691, Promoting Private Sector Cybersecurity Information.