Threat Intel Sharing Project: A CISO Leads the Way

Harris Health System is spearheading an effort to help the federal government and the healthcare industry improve cyber threat information sharing. CISO Jeffrey Vinson explains how his team at the Houston, Texas-based integrated healthcare delivery system will carry out that mission.

The U.S. Department of Health and Human Services recently awarded a $150,000 one-year grant to Harris Health System to help identify ways to share cyber threat information and protect the critical infrastructure of the nation's public and private healthcare sectors.

"The goal of the grant is to first identify gaps and the need for improvement in healthcare to understand the cyber threats ... that healthcare faces on a daily basis," Vinson, who formerly worked at the National Security Agency, says in an interview with Information Security Media Group.

"Once we identify the gaps and collaborate across the enterprise and the nation ... what we need to do moving forward [is] to build a collaborative system ... to allow us to understand how to leverage this information to better protect the healthcare sector."

Tapping Expertise

Harris Health System will be tapping its security expertise in leading the specialized research project. "We feel we have a very robust information security program," Vinson says. "We look at threats and vulnerabilities, and we manage those vulnerabilities. We understand on a daily basis our vulnerability posture, who's trying to attack us - we understand what's at stake here in protecting our patients' information. This grant will allow us to leverage our information here at our organization and spread this across the entire sector."

Project leaders will attempt to gain a better understanding of how various healthcare organizations are being attacked, Vinson says, as well as "the threat vectors they are dealing with and the technologies they are using ... and find out what they're missing. It will allow us to build a plan moving forward to where we can collaboratively talk across the industry and better protect the information we all hold."

In the interview (see audio link below photo), Vinson also discusses:

• How the research led by Harris Health fits in with the Obama administration's call earlier this year for the creation of new information sharing and analysis organizations, or ISAOs, to share cyber-intelligence within the private sector and between the private sector and government, as well as with existing information sharing organizations, such as the National Health Information Sharing and Analysis Center, or NH-ISAC, and the Health Information Trust Alliance, or HITRUST;
• Why healthcare organizations need to expand the focus of their security programs beyond the requirements of HIPAA and implement technologies, such as encryption of data at rest, even though the regulations don't mandate that;
• The impact of recent major cyberattacks on health insurers, including Anthem Inc. and Premera Blue Cross, and the top security and privacy challenges facing the healthcare sector in 2016.

Vinson is vice president and CISO at Harris Health System, which includes 23 community health centers and several hospitals. He has more than 20 years of information security leadership experience, including work in the military, financial services and healthcare sectors, as well as the federal government. He previously worked as a technical director at the National Security Agency. Vinson led penetration testing exercises while working at NSA, and he has created security operations teams for financial services and healthcare organizations.