HITRUST Pilot and Combating Ransomware

Enhancements to ISAO Address Gaps in Collection and Consumption of Cyber Threat Indicators of Compromise (IOCs) for Healthcare Organizations

The Health Information Trust Alliance (HITRUST) (@HITRUST), the leading organization supporting the healthcare industry in advancing the state of information protection, has released findings from an industry pilot to evaluate methods to improve the collection and sharing of cyber threat Indicators of Compromise (IOCs) and enable their effective consumption by a broad range of organizations. In response to these findings, HITRUST is also announcing enhancements to the platform and service for its HITRUST Cyber Threat XChange (CTX), the health industry’s Information Sharing and Analysis Organization (ISAO), to aid organizations in reducing their cyber risk.

Results of the Enhanced IOC Collection Pilot indicate that healthcare organizations can dramatically improve the timeliness, completeness, usability and volume of IOCs contributed to the HITRUST CTX by implementing the enhanced criteria – defined in the November 2015 review of the HITRUST CTX entitled “Health Industry Cyber Threat Information Sharing and Analysis Report.” For the first time, 100% of the Enhanced IOC Collection Pilot group members submitted IOCs during the 30-day period. This vast improvement was of additional significance given the fact that, during the same 30-day timeframe, 88% of the IOCs collected by the pilot were unknown – that is, not previously seen or identified by any open source, DHS CISCP, leading commercial feeds or otherwise provided to the HITRUST CTX.

This increase in unknown submissions means not only that healthcare organizations can better prepare for and respond faster to new and emerging cyber threats, but also that cyber information sharing plays a more critical role in an organization’s overall cyber defense strategy.

The pilot also proves that threat information sharing does not need to be limited to the largest organizations and that the scalable sharing of IOCs can be achieved throughout healthcare organizations of varying size, intelligence appetite, and security maturity.

While the HITRUST CTX directly integrates with the market’s leading SIEM technologies, supports STIX and TAXII exchange formats, and offers an API, many smaller organizations haven’t deployed these capabilities and are unable to contribute or consume IOCs. To address this obstacle, HITRUST is now providing support for these environments with its new CTX Threat Analysis Reporting Service, which provides a method for organizations without SIEM technology to gain access to IOCs relevant to their environment.

Given the recent rise in ransomware and other malware targeted at the healthcare industry, these pilot developments are extremely significant as they ensure the collection and consumption of more relevant and timely IOCs that can be used by a much larger percentage of the healthcare industry and ultimately bolster the overall cyber posture of this segment of the nation’s critical infrastructure.

“When cyber threat information is timely, consumable, actionable, and available to a much larger audience, it becomes a much more valuable resource in defending our environment and the entire healthcare eco-system against attacks,” said Omar Khawaja, Vice President and Chief Information Security Officer, Highmark Health.

Addressing Gaps in Collection and Consumption of Cyber Threat Indicators

The data from the Enhanced IOC Collection Pilot demonstrated the ability to collect and report IOCs addressing these gaps:

  1. Percentage of IOCs Seen First: In the past 30 days 88% of the IOCs collected were unique and not seen or known by any other open source, commercial, DHS CISCP, or user contributed feeds available to the HITRUST CTX.
  2. Percentage of Organizations Contributing IOCs: 100% of organizations reported IOCs to the HITRUST CTX compared to only a small percentage of organizations – 5% – that previously contributed IOCs.
  3. Average Time IOCs Seen First: IOCs were reported to the HITRUST CTX on average 1.2 days before being seen or identified by any other open source, commercial, DHS CISCP, or user contributed feeds to the HITRUST CTX.
  4. Average Time from Detection to Submission: IOCs were submitted in a matter of minutes to the HITRUST CTX compared to an average of 7 weeks after detection by those submitted previously. In addition, many organizations were not effectively identifying IOCs at all.
  5. Percentage of Actionable IOCs: 95% of the IOCs contributed to the HITRUST CTX had metadata (i.e. malicious IPs, URLs or domains) that made them actionable for use by others, defined as being useful in allowing preventative or defensive action to be taken without a significant risk of a false positive. Previously only 50% of the IOCs contributed to the HITRUST CTX were considered actionable.

Additionally, the enhanced pilot improved situational awareness and predictive threat modeling with the ability to correlate IOCs and Indicators of Attack (IOAs) between organizations to identify attack patterns and alert participants about IOCs and IOAs.

“Many years ago, HITRUST recognized that the approaches taken by other industries with regards to cyber information sharing were not fully transferable to the healthcare industry,” said Daniel Nutkis, CEO, HITRUST. “The pilot advancements in these two areas show that the CTX continues to evolve, improve, and lead by innovating and ensuring IOC sharing is providing the most value to the broadest group of constituents to help the healthcare industry reduce overall cyber risk.”

Read the HITRUST blog titled “Threat Information Sharing: An Increasingly Effective Weapon for Fighting Ransomware and Other Cybercrime” for more information.