What are Cyber Threat Information Sharing Best Practices?

The best practices for cyber threat information sharing has been published by the Healthcare and Public Health Sector Coordinating Council (HSCC).

This new information is aimed at allowing healthcare organizations develop, implement, and maintain a successful cyber threat information sharing program to minimize cyber risk.

The new document adds to earlier published guidance – the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) – in which HSCC listed key Information Sharing and Analysis Organizations (ISAOs) for the healthcare arena. The most recent guidance document helps organizations determine what information to share, how to share the information, and how to safeguard any sensitive information they receive, as well as supplying best practices for obtaining internal and legal approvals for data sharing processes.

One of the main advantages to taking part in these programs is to learn about possible attacks and the mitigations to implement to prevent becoming a victim. If an attack occurs at one healthcare group, it is likely that similar attacks will be performed on others. Through threat information sharing, healthcare groups can learn from others about attacks and mitigations so they can prepare and improve their own security measures. This is especially important for healthcare groups with limited resources to devote to cybersecurity as it allows them to crowd source cybersecurity knowledge.

The threat landscape changes quickly and new attack methods are constantly being developed by cybercriminals. Cyber threat intelligence sharing programs help participants keep up to date of new attack methods and take steps to reduce risk through rapid sharing of actionable intelligence. Cross-organizational collaboration also helps to enhance patient safety through the development of trusted networks that help manage potential dangers.

The guidance document helps groups get started by outlining the steps that need to be taken to prepare before joining a threat information sharing program. Preparation requires information sharing targets and objectives to be established, as well as governance models for regulatory compliance. Information sharing assets must be grouped, a governance body must be established, and sanitization rules must be formulated. HSCC recommends involving the legal department early in the information sharing process and making sure the value and scope of information sharing is 100% comprehended.

The HSCC cyber threat information sharing guidance lists the range of information that should be shared, such as strategic, tactical, operational, and technical intelligence, as well as open source data and incident response details.

HSCC said: “While some may believe that threat intelligence only includes information about malware, hacking techniques, and threat actors – threat intelligence data truly comes in a variety of forms and should encompass all cyber risk that could impact the health industry, such as third-party risks, insider threats, cybersecurity risks, regulatory risks, and geopolitical risks”.

The guidance also outlines best practices for sharing information, such as using the traffic light protocol and ensuring legal measures are established to protect against any liability, and also provides advice on who to share threat data with. The document ends with case studies showing how information can be shared to benefit the information sharing community and safeguard against attacks.

The HSCC best practices for cyber threat information sharing can be downloaded here..