Health industry on Obama cybersecurity order: Sharing threat data doesn't have to endanger consumer data

Participants in the White House Summit on Cybersecurity and Consumer Protection on Friday focused on the need for industry and government to share information to thwart criminals, but at the same time protect consumer privacy, according to a Network World article.

Kaiser Permanente Chairman and CEO Bernard J. Tyson said it's important for the public to understand that data-sharing on cyberthreats doesn't pose the danger of exposing their insurance and healthcare information.

And, in an apparent swipe at Google, Apple CEO Tim Cook criticized companies that sell personal information about customers' browsing habits and email to advertisers.

During his State of the Union Address, President Barack Obama announced a cybersecurity plan to increase sharing of information on cyberthreats by offering the private sector protection from liability. In an associated executive order signed Friday, the president outlined a plan to create information sharing and analysis organizations (ISAOs) to serve as hubs for this activity, to set voluntary standards and to streamline private-sector companies' ability to access classified cybersecurity threat information, according to a White House fact sheet.

The Health Information Trust Alliance (HITRUST), which quickly endorsed Obama's plan, said it is one of those ISAOs.

"In the past, there has been some confusion on who in the private sector companies can turn to in order to work with their government partners. With the steps outlined in the President's Executive Order it is clear that ISAOs are that focal link," the organization said in a statement.

As evidence, it points to the recent breach of health insurance company Anthem. Within an hour of Anthem posting to the HITRUST CTX cyberthreat early warning system, the organization notified the departments of Homeland Security and Health and Human Services, as well as U.S. CERT, which in turn notified other industry ISAOs.

One of the lessons from the cyberattack simulation CyberRX last spring was that healthcare organizations tend to play it too close to the vest with information about best practices, when sharing it would better serve the industry as a whole.

To learn more:
- Read the article
- Check out the White House fact sheet
- Here's the HITRUST statement