According to the U.S. Department of Homeland Security (DHS), information sharing is a vital resource for critical infrastructure security and resilience. The healthcare and public health sector is one of 16 critical infrastructure sectors. Sharing information is the key to understanding what is happening in regard to current threats (e.g., physical, biological, cyber, or otherwise), incidents that have occurred and mitigations.
DHS defines a threat as a natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property. An incident, according to DHS, is an occurrence, caused by either human action or natural phenomena, that may cause harm and that may require action.
In healthcare, sharing information is vital to the security and safety of the sector, and stakeholders within the sector.
A threat has not yet occurred (i.e., there is the potential of it occurring), but an incident is an event that has already occurred. Accordingly, it is vital to understand what threats are possible, the probability of such threats occurring and how to be prepared for actual incidents that may arise (based upon lessons learned from others). Situational awareness and preparation are essential for all organizations that wish to have a proactive security posture.
It can occur in many ways and may be internal or external:
Sharing information is useful for all types of incidents and threats. Whether there is a threat of something actually occurring or an incident has actually occurred, both threats and incidents have indicators to help determine what has occurred (in the case of an incident) or what may occur (in the case of a threat). An example of a threat is phishing. When the phishing attempt is successful (e.g., a recipient of a phishing e-mail clicks on a malicious link, which leads to malware being installed on his or her machine), it then becomes a security incident.
In order to stay ahead of a threat, information must be shared in an accurate, timely and effective manner. For example, organizations may share information about phishing campaigns they have experienced in order to warn others about them. Phishing campaigns can leverage current news and events, such as the COVID-19 pandemic and the CURES Act. Thus, workforce members may be tricked into falling prey to various phishing emails and websites as a result of curiosity about the email or website or otherwise.
Additionally, if you see something, say something. Report the information to the appropriate point of contacts in accordance with your organization’s policies.
It is ideal for your organization to have a formal program for sharing information. Everyone in an organization can play an active part in the program. Cybersecurity team members may proactively monitor new, evolving and existing threats and mitigations. Other internal team members can do their part by reporting suspected threats and incidents (e.g., notifying the cybersecurity team of phishing emails, social engineering calls, ransomware attempts, etc.).
To be clear, being proactive about the sharing of information involves situational awareness and communication across the organization with all hands on deck. In addition, depending upon the situation, individuals from across the organization may be involved, such as those in communications, legal, information technology, human resources, facilities and others.
The following is a non-exhaustive list of questions to consider when putting together or enhancing your organization’s plan for sharing information:
Many incidents occur which involve privacy and/or security considerations. If a cybersecurity incident has occurred, be sure to involve your IT security officer. This individual will be able to understand, communicate and/or investigate the security incident at a technical level. Of course, some cybersecurity incidents necessary involve privacy issues (e.g., root cause of an incident, potential breaches of patient information, etc.), so be sure to involve your privacy officer, as appropriate.
If sharing information within your organization is not encouraged, it is likely that communication about incidents can be delayed for a significant amount of time. This may potentially harm the organization even further, due to the incident not being mitigated. Within a culture that does not encourage the sharing of information—for fear of losing one’s job, etc.—the reporting of incidents may be delayed for weeks and even months.
Sharing information matters because we all need to be aware of what is going on and understand the consequences of what may occur.
We all can be the eyes and ears of an organization. We can also be gatekeepers, in the sense of assisting our organizations in response to incidents as soon as they occur. As a result, the harm from any such incidents may be significantly mitigated with a timely response.
In essence, good information sharing is a good privacy and security practice which helps protect our organizations and our patients.
December 7–8, 2020 | Digital Conference
Get the latest updates on cyberthreats, explore how to maximize your existing technology investments, hear best practices on creating a security-first culture; take away strategies to fill the gap in finding talented staff and learn how to create a resilient security framework.
Originally published 14 July 2020; updated 16 June 2020