According to the US Department of Homeland Security (DHS), information sharing is a vital resource for critical infrastructure security and resilience. The healthcare and public health sector is one of the sixteen critical infrastructure sectors. Information sharing is essential to the protection of critical infrastructure (including healthcare). Additionally, information sharing may relate to threats, incidents, etc.
DHS defines a threat as a natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property. An incident, according to DHS, is an occurrence, caused by either human action or natural phenomena, that may cause harm and that may require action.
In healthcare, information sharing is vital to the security and safety of the sector and of the stakeholders within it.
A threat has not yet occurred (i.e., there is the potential of it occurring), but an incident has already occurred (or is actually occurring). Accordingly, the goal in security (and safety) is to stay ahead of the threat with situational awareness and, ideally, actionable intelligence about the threat (e.g., how to avoid it and what to do if an incident actually occurs).
Information sharing involving the healthcare and public health sector can occur in any of the following ways:
Information sharing is useful for all types of incidents and threats. Whether there is a threat of something actually occurring or an incident has actually occurred, both threats and incidents have indicators to help determine what has occurred (in the case of an incident) or what may occur (in the case of a threat). Examples of threats and incidents include insider threats and associated insider threat incidents, and cyber threats and cyber incidents (e.g., due to cyber-attacks or otherwise). In order to stay ahead of the threat, information sharing must be timely and effective. As always, if you see something, say something. Report the information to the appropriate points of contact in your organization.
Everyone. Anyone can observe or obtain information about incidents and threats. It is ideal for your organization to have a formal information sharing program established, so that workforce members know whom to contact and under what circumstances. In addition, depending upon the situation, various individuals may be involved, including individuals from cross-disciplinary teams: communications, legal, information technology, human resources, facilities and others. Information sharing may be internal or it may be external (i.e., with external parties), or a combination of internal and external information sharing. (An example is a ransomware attack, which leads to a major breach of patient information that needs to be reported to the media and potentially others.)
You may have different considerations in regard to internal information sharing vs. external information sharing. There also may be a legal component and potentially even a public relations component to the information sharing. Thus, be sure to involve necessary team members early in the information sharing process. Nonetheless, the following are some factors to consider when putting together your organization’s information sharing plan (or enhancing it) vis-à-vis sharing information about threats and incidents:
Consider whether the privacy or security officer (or both) need to be involved.
Many incidents occur which involve privacy and/or security considerations. If a cybersecurity incident has occurred, be sure to involve your information technology (IT) security officer. This individual will be able to understand, communicate, and/or investigate the security incident at a technical level. Of course, some cybersecurity incidents necessarily involve privacy issues (e.g., root cause of an incident, potential breaches of patient information, etc.), so be sure to involve your privacy officer, as appropriate.
If information sharing within your organization is not encouraged, it is likely that communication about incidents can be delayed for a significant amount of time. This may potentially harm the organization even further, due to the incident not being mitigated. Within a culture that does not encourage information sharing (e.g., for fear of losing one’s job, etc.), the reporting of incidents may be delayed for weeks and even months.
Information sharing matters because we all need to be aware of what is going on and understand the consequences of what may occur. We all can be the eyes and ears of an organization. In addition, we can be gatekeepers, in the sense of assisting our organizations in response to incidents as soon as they occur. As a result, the harm from any such incidents may be significantly mitigated with a timely response. In essence, good information sharing is a good privacy and security practice which helps protect our organizations and our patients.