The National Institute for Standards and Technology (NIST) published on Oct. 29, 2014 a “Draft Guide to Cyber Threat Information Sharing.” The NIST guide highlights the importance and benefits of information sharing among organizations and provides practical advice on how this can be accomplished, best practices for doing so, and different methods for setting up information sharing groups.
The draft guide can be found by clicking on: http://tinyurl.com/lyy4j4k. A final version of the document is anticipated during the first quarter of this year.
The NIST information sharing guide highlights the importance of organizations developing mature cybersecurity capabilities that in turn would allow the organization to give and get the most out of information-sharing relationships by, for example, taking action when actionable cyber intelligence is provided. In addition, the guide notes the importance of using open, standard data formats and transport protocols when sharing information among multiple organizations to ensure that no time is lost converting or understanding the importance of the information.
The guide presents two main models of the architecture of an information-sharing relationship – centralized and peer to peer – and describes the benefits and risks of each. The centralized model, also known as a hub-and-spoke model, offers such benefits as the aggregation, correlation, and analysis of information from multiple sources, as well as the ability to sanitize the data or remove attribution from those providing it.
The major risk for a centralized system, however, is that it is dependent on the infrastructure of the “hub” organization: Because the hub is collecting data from multiple sources, the hub itself can become a prime target for an attack. The peer-to-peer model is less vulnerable to an attack on one entity shutting down the entire network, and has the benefit of allowing information to flow directly from one organization to another (or to a group of others), rather than delaying the distribution of the information. However, a peer-to-peer network may be hindered by organizations not using the same information-sharing formats and methodologies, and the costs of sharing and analyzing shared data can grow dramatically as the network grows.
NIST’s draft is consistent with its emphasis on information sharing in the “Cybersecurity Framework for Improving Critical Infrastructure” released in February 2014. Sharing cybersecurity information – from best practices to new threats and risks facing critical infrastructure sectors – was one of the key themes in the framework. For more, click on: http://tinyurl.com/msjgsde.
For the health care sector, the NIST guide hopefully will serve as a sermon to the choir. The health care sector has been one of the early adopters of information sharing and has set up its own Information Sharing and Analysis Center, the National Health (NH) ISAC. Other groups, such as HITRUST, also provide cybersecurity guidance.
These types of organizations provide members access to a secure information exchange infrastructure to allow for the free flow of actionable cyber intelligence, situational awareness and incident response information, as well as white papers and reports detailing best practices for the industry.
They also sponsor programs and exercises throughout the year to ensure that members are up to date on the latest developments and practices. If your organization is not already part of an information-sharing endeavor, we encourage you to consider the benefits of joining one, and the risks of not doing so.
In each of the last three Congresses, legislation to encourage and facilitate information sharing has been introduced, and President Obama recommended information-sharing legislation in his State of the Union address. In light of heightened cybersecurity concerns and incidents, there is a high likelihood that legislation mandating information sharing for owners and operators of critical infrastructure will pass either this year or next year.
Hospitals and health systems, as owners and operators of critical infrastructure, should take steps now to engage with existing opportunities for information sharing within the health care sector before any mandate is imposed. You can find information and links to such opportunities as well as other cybersecurity resources on the AHA’s website at www.aha.org/cybersecurity.