From the ASPR Blog: An Opportunity for Sharing Information about Cyber Attacks

www.phe.gov/ASPRBlog/pages/BlogArticlePage.aspx?PostID=201

An Opportunity for Sharing Information about Cyber Attacks

Author: Dr. Karen DeSalvo Acting Assistant Secretary for Health & Dr. Nicole Lurie, Assistant Secretary for Preparedness and Response
Published Date: 7/25/2016 9:58:00 AM
Category: Public Health Preparedness; Hospital Preparedness;

As recent news reports show, security breaches and ransomware attacks in the Healthcare and Public Health sector are on the rise.  Criminal cyber attacks against health care organizations are up 125 percent compared to five years ago, replacing employee negligence and lost or stolen laptops as the top cause of health care data breaches. The average consolidated total cost of a data breach was $3.8 million, a 23 percent increase from 2013 to 2015.

To better prevent attacks on health information technology, organizations need better visibility into what to expect and how to respond. Timely information on the nature of attacks is critical to that ability. To enable better dissemination of threat information, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR) released two Funding Opportunity Announcements (FOAs) to build the capacity of an Information Sharing and Analysis Organization (ISAO). This organization is being asked to:

• Issue warnings about potential cyber threats;
• Provide outreach and education that improves cyber security awareness;
• Equip Healthcare and Public Health sector stakeholders to take rapid actions in response to cyber threat information shared by the ISAO, and
• Facilitate cyber threat information sharing widely within the HPH sector, regardless of the size of the organization.

In short, the ISAO will create a more robust cyber information sharing environment, especially for smaller entities that may not have the resources to access such information on their own, by leveraging existing relationships. Through the resulting streamlined cyber threat information sharing process, HHS will be able to send cyber threat information to a single entity, which will be able to share that information widely to support stakeholders.

This is just the latest step in our cybersecurity efforts.  As part of Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap version 1.0, ONC identified the need to “coordinate with ASPR on priority issues related to cybersecurity for critical public health infrastructure.” For the past three years, ONC has worked closely with ASPR and other HHS offices and agencies and offices to facilitate cyber threat information sharing across the Healthcare and Public Health sector. They include:

• The Office of the Assistant Secretary for Administration (ASA),
• The Office of the Chief Information Officer’s (OCIO) Office of Information Security (OIS), and
• The Office of Security and Strategic Information’s (OSSI) Cyber Threat Intelligence Program (CTIP).

This work builds on two Executive Orders related to cybersecurity. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, designates HHS as the agency responsible for sharing cyber threat information with private sector organizations in the Healthcare and Public Health sector. Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, encourages the development of ISAOs to serve as focal points for cybersecurity collaboration within the private sector and between the private sector and government.  

Establishing robust threat information sharing infrastructure and capability within the Healthcare and Public Health Sector is the foundation for the privacy and security of health information, which in turn builds trust in the digital health system. By continuing to lead, coordinate, and fund cyber threat information sharing capability for the Healthcare and Public Health sector, together we can continue to strengthen the security of the health care system data and ensure it is available when and where it is needed to help improve individuals’ health.

Find more information about both the ONC and ASPR Funding Opportunity Announcements on www.Grants.gov.