Blog

Information Sharing: What is it? How to do it? Why Does It Matter?

 

What is information sharing?

According to the US Department of Homeland Security (DHS), information sharing is a vital resource for critical infrastructure security and resilience. The healthcare and public health sector is one of the sixteen critical infrastructure sectorsInformation sharing is essential to the protection of critical infrastructure (including healthcare). Additionally, information sharing may relate to threats, incidents, etc.

 

DHS defines a threat as a natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property. An incident, according to DHS, is an occurrence, caused by either human action or natural phenomena, that may cause harm and that may require action.

In healthcare, information sharing is vital to the security and safety of the sector, and stakeholders within the sector.

What is the difference between a threat and an incident?

A threat has not yet occurred (i.e., there is the potential of it occurring), but an incident has already occurred (or is actually occuring). Accordingly, the goal in security (and safety) is to stay ahead of the threat with situational awareness and, ideally, actionable intelligence about the threat (e.g., how to avoid it and what to do if an incident actually occurs).

 

 

How does information sharing work in the healthcare and public health (HPH) sector?

Information sharing involving the HPH sector can occur in any of the following ways:

  • Information sharing may occur within an organization.
  • It may occur between or among several organizations.
  • It may occur sector-wide.
  • Or, it may occur between or among several critical infrastructure sectors and/or industries.

 

Information sharing is useful for all types of incidents and threats. Whether there is a threat of something actually occurring or an incident has actually occurred, both threats and incidents have indicators to help determine what has occurred (in the case of an incident) or what may occur (in the case of a threat). Examples of threats and incidents include insider threats and associated insider threat incidents and cyber threats and cyber incidents (e.g., due to cyber-attacks or otherwise). In order to stay ahead of the threat, information sharing must be timely and effective. As always, if you see something, say something. Report the information to the appropriate point of contacts in your organization.

 

What team members may be involved in information sharing?

Everyone. Anyone can observe or obtain information about incidents and threats. It is ideal for your organization to have a formal information sharing program established, so that workforce members know whom to contact and under what circumstances. In addition, depending upon the situation, various individuals may be involved including individuals from cross-disciplinary teams: communications, legal, information technology, human resources, facilities and others. Information sharing may be internal or it may be external (i.e., with external parties), or a combination of international and external information sharing. (An example is a ransomware attack, which leads to a major breach of patient information that needs to be reported to the media and potentially others.)

 

Putting together (or enhancing) an information sharing plan

You may have different considerations in regard to internal information sharing vs. external information sharing. There also may be a legal component and potentially even a public relations component to the information sharing. Thus, be sure to involve necessary team members early in the information sharing process. Nonetheless, the following are some factors to consider when putting together your organization’s information sharing plan (or enhancing it) vis-à-vis sharing information about threats and incidents:

 

Threats:

  1. What is the threat?
  2. What are the indicators associated with the threat?
  3. Is there a way to mitigate (or a workaround)?
  4. How did you find out about the threat?
  5. Is the threat affecting the healthcare sector or an allied sector?
  6. What damage, consequence, or impact is associated with the threat?
  7. Important: Are the right members of the team involved? Are they available? What is the contingency plan if one or more individuals are not available?

 

Incidents:

  1. What happened?
  2. How did you discover it?
    1. From someone else?
    2. Direct knowledge or experience?
  3. What is the loss, harm or damage?
  4. What is the proof (or evidence)?
  5. Has the proof (or evidence) been preserved and is there a chain of custody?
  6. Can you provide a narrative of what happened?
  7. Has the appropriate points of contact within the organization been notified?
  8. Have policies been followed in handling the incident?
  9. Important: Are the right members of the team involved? Are they available? What is the contingency plan if one or more individuals are not available?

 

Consider whether the privacy or security officer (or both) need to be involved.

Many incidents occur which involve privacy and/or security considerations. If a cybersecurity incident has occurred, be sure to involve your information technology (IT) security officer. This individual will be able to understand, communicate, and/or investigate the security incident at a technical level. Of course, some cybersecurity incidents necessary involve privacy issues (e.g., root cause of an incident, potential breaches of patient information, etc.), so be sure to involve your privacy officer, as appropriate.

 

Is there a culture of information sharing in your organization?

If information sharing within your organization is not encouraged, it is likely that communication about incidents can be delayed for a significant amount of time. This may potentially harm the organization even further, due to the incident not being mitigated. Within a culture that does not encourage information sharing (e.g., for fear of losing one’s job, etc.), the reporting of incidents may be delayed for weeks and even months.

 

 

Why information sharing matters

Information sharing matters because we all need to be aware of what is going on and understand the consequences of what may occur. We all can be the eyes and ears of an organization. In addition, we can be gatekeepers, in the sense of assisting our organizations in response to incidents as soon as they occur. As a result, the harm from any such incidents may be significantly mitigated with a timely response. In essence, good information sharing is a good privacy and security practice which helps protect our organizations and our patients.