U.S government agencies will work to release cyberthreat information faster to the health-care industry after a massive breach at hospital operator Community Health Systems, representatives of two agencies said.
While the FBI issued an alert about the Community Health Systems breach one day after it was announced, government agencies can still do more to warn health-care providers about ongoing threats, said Michael Rosanova, a supervisory special agency at the FBI.
It can be “frustrating” for health-care providers to get threat information from government agencies, Rosanova said during a briefing hosted Thursday by the Health Information Trust Alliance (HITRUST), a health-care cybersecurity vendor.
If cyberthreat information is classified by the government, the FBI and other agencies have to take additional steps before sharing the information, he said. “It’s not that easy, unfortunately, to take something with a fairly high security classification ... and get that in a useable context to people that need it,” Rosanova said.
In the Community Health Systems breach, “we did make every effort to get the industry the information that was being requested,” he added. “We did do the best that we could.”
The FBI and other agencies can do a better job of informing health-care providers about cyberthreats that are “about to break,” Rosanova said. The FBI wants to be more proactive with warnings, but in some cases, it won’t be able to share as much information as health-care providers would like because of national security issues, he said.
U.S. agencies are already looking for ways to learn from the Community Health Systems breach and concerns about the speed of information sharing, added Danell Castro, program manager at the Critical Infrastructure Information Sharing and Collaboration Program at the U.S. Department of Homeland Security.
Information sharing has come a long way, she said, but still can be improved. Vetting information takes time, but DHS is looking at ways to speed up the process, she said.
While Rosanova talking about health-care providers sometimes needing security clearances to get threat information, those clearance aren’t the “secret sauce,” Castro said. Instead, participating in a collaborative environment, such as HITRUST’s monthly threat briefing, will help drive forward more information sharing, she said.
“The more collaboration you do like this, the better off you will be,” he said.
The Community Health Systems breach was tied to the Heartbleed bug, a known vulnerability, with the breach happening earlier this year, when Heartbleed was at its peak, noted Roy Mellinger. vice president and CISO of health-care provider WellPoint.
The news of the breach raised many questions from WellPoint executives, Mellinger said.
The health-care industry’s cybersecurity efforts took some criticism following the announcement of the breach, but the industry has “come a long way in the last two or three years,” Mellinger said. Still, cybersecurity “practices across the entire industry are not as sufficiently robust as we would all like,” he added.
Mellinger called on U.S. agencies to communicate more quickly about threat information. In some cases, even advisories saying, “stay the course, this [threat] is nothing new” would calm executives and shareholders, he said.