Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

8/22/2014
03:50 PM
50%
50%

Healthcare Industry, Feds Talk Information Sharing

Representatives from the healthcare industry as well as government discuss importance of threat intelligence-sharing in light of the Community Health Systems breach.

When Community Health Systems admitted it had been breached in April and June in a filing with the Securities Exchange Commission (SEC), it shined a spotlight on cybersecurity in the healthcare industry.

In the days since, reports have surfaced linking the incident to the Heartbleed vulnerability. As the details have trickled out, inside the industry the focus has been on getting information about the incident that could be used to prevent any similar attacks.

In its Monthly Cyber Threat Briefing, the Health Information Trust Alliance (HITRUST) and representatives from the FBI, Department of Homeland Security (DHS), Department of Health and Human Services (HHS), and healthcare company WellPoint to discuss the security challenges that are facing the industry and the importance of information sharing.

Many of the organizations that reached out in the aftermath of the revelation of the Community Health Systems breach wanted to know not only what happened, but also how they could communicate internally with their organization about the attack and mitigate any risks, Dan Mutkis, CEO of HITRUST explains in the briefing.

"Given the information we had [at the time], it was very difficult for us to provide that," he says.

FBI Supervisory Special Agent Michael Rosanova notes that the FBI sometimes has a difficult time sharing classified information about cyber attacks, adding that interacting with the private sector this way is relatively new to the FBI.

"Having spent nearly 20 years working both criminal cases and national security … [information sharing] was a one-way street, and now we're realizing as an organization that it's a partnership," he says in the briefing. "It's 50/50. And we're now understanding that we have to build that bridge and make that a strong … partnership, and we're trying to determine how best to do that, while also maintaining the integrity of the intelligence that we have.

"If we have information that needs to get to you, we'll do the best we can to get it to you as expeditiously as possible," says Rosanova.

Jason Lay, senior threat analyst and manager for cyber threat information at HHS, echoed Rosanova's comments, stating that HHS was constantly looking for ways to refine the procedures for interacting with the private sector.

That may very well be good news for the healthcare industry, which increasingly has been the target of attacks. According to Websense, there has been a significant global spike in malicious activity attempted against hospitals beginning in October 2013. August 2014 has seen a 600 percent increase in such activity, compared to the average amount prior to October, according to the firm.

"Healthcare professionals also have an increased tendency to try and get around IT security policy in order to better serve their patients," Charles Renert, vice president at Websense Security Labs, says in an email. "The stakes couldn’t be higher. When a doctor or nurse needs access to computing resources or data because a patient’s health is at risk, IT policy takes a back seat in the heat of the moment and can lead to increased risk to cyber threats or insecure access and storage of sensitive information."

The industry has a large footprint for exposure compared to other industries, due to the amount of information sharing that has to go on between everyone from physicians, clinics, pharmacies, and other parties, notes WellPoint CISO Roy Mellinger in the HITRUST briefing.

"It really is an interesting time, I think, to be a healthcare CISO or the person responsible for security in healthcare," says Mellinger. "It doesn’t matter if you’re an insurer or a payer, if you're a hospital or a provider, or a device manufacturer. We're all in this together."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...