Information Sharing: What Is It? How to Do It? Why Does It Matter?

Lee Kim, JD, CISSP, CIPP/US, FHIMSS

According to the U.S. Department of Homeland Security (DHS), information sharing is a vital resource for critical infrastructure security and resilience. The healthcare and public health sector is one of 16 critical infrastructure sectors. Sharing information is the key to understanding current threats (e.g., physical, biological, cyber, or otherwise), incidents that have occurred, and the mitigations available for them.

DHS defines a threat as a natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property. An incident, according to DHS, is an occurrence, caused by either human action or natural phenomena, that may cause harm and that may require action.

In healthcare, sharing information is vital to the security and safety of the sector and of the stakeholders within it.

A threat has not yet occurred (i.e., there is the potential of it occurring), but an incident is an event that has already occurred. Accordingly, it is vital to understand what threats are possible, the probability of such threats occurring and how to be prepared for actual incidents that may arise (based upon lessons learned from others). Situational awareness and preparation are essential for all organizations that wish to have a proactive security posture.

How Does Information Sharing Work in the Healthcare and Public Health Sector?

Information sharing can occur in many ways and may be internal or external:

  • Within an organization
  • Peer-to-peer
  • Between or among several organizations
  • Across the sector
  • Between or among one or more critical infrastructure sectors and/or industries
  • With law enforcement
  • With regulators
  • With the media

Sharing information is useful for all types of incidents and threats. Both threats and incidents have indicators that help determine what has occurred (in the case of an incident) or what may occur (in the case of a threat). An example of a threat is phishing. When the phishing attempt is successful (e.g., a recipient of a phishing e-mail clicks on a malicious link, which leads to malware being installed on his or her machine), it then becomes a security incident.

In order to stay ahead of a threat, information must be shared in an accurate, timely and effective manner. For example, organizations may share information about phishing campaigns they have experienced in order to warn others about them. Phishing campaigns can leverage current news and events, such as the COVID-19 pandemic and the CURES Act. Workforce members may thus be tricked into falling prey to phishing emails and websites, whether out of curiosity about the email or website or for other reasons.

Additionally, if you see something, say something. Report the information to the appropriate points of contact in accordance with your organization’s policies.

What Team Members Should Be Involved in Information Sharing?

It is ideal for your organization to have a formal program for sharing information. Everyone in an organization can play an active part in the program. Cybersecurity team members may proactively monitor new, evolving and existing threats and mitigations. Other internal team members can do their part by reporting suspected threats and incidents (e.g., notifying the cybersecurity team of phishing emails, social engineering calls, ransomware attempts, etc.).

To be clear, being proactive about the sharing of information involves situational awareness and communication across the organization, with all hands on deck. Depending upon the situation, individuals from across the organization may also be involved, such as those in communications, legal, information technology, human resources, facilities and others.

What Should Be Considered When Putting Together or Enhancing an Information Sharing Plan?

The following is a non-exhaustive list of questions to consider when putting together or enhancing your organization’s plan for sharing information:

Threats:

  1. What is the threat?
  2. What are the indicators associated with the threat?
  3. Is there a way to mitigate (or a workaround)?
  4. How did you find out about the threat? Who reported the threat?
  5. What damage, consequence, or impact is associated with the threat?
  6. Are the right members of the team involved? Are they available? What is the contingency plan if one or more individuals are not available (for any reason)?
  7. Have the workforce members been made aware of the relevant threat(s)? How are workforce members educated about the threat(s)? How are the threat(s) communicated to workforce members? Is there regular security awareness training? Does a mechanism exist for workforce members to communicate suspected threats and incidents to the appropriate points of contact in the organization (e.g., IT security office or IT helpdesk)?

Incidents:

  1. What happened?
  2. How was the incident discovered?
  3. Who reported the incident?
  4. What is the loss, harm or damage that resulted from the incident?
  5. Has the incident been documented?
  6. Have the appropriate points of contact been notified in line with appropriate policies?
  7. Is the incident response team communicating and coordinating appropriately with others (e.g., privacy officer, security officer, legal counsel, etc.)?
  8. Has the incident been appropriately triaged?
  9. Is the appropriate team member responding to the incident?
  10. Do workforce members know who to report suspected incidents to?

Many incidents involve privacy and/or security considerations. If a cybersecurity incident has occurred, be sure to involve your IT security officer. This individual will be able to understand, communicate and/or investigate the security incident at a technical level. Of course, some cybersecurity incidents necessarily involve privacy issues (e.g., the root cause of an incident, potential breaches of patient information, etc.), so be sure to involve your privacy officer, as appropriate.

Is There a Culture of Information Sharing in Your Organization?

If sharing information within your organization is not encouraged, communication about incidents is likely to be delayed for a significant amount of time. This may harm the organization even further, because the incident goes unmitigated in the meantime. Within a culture that does not encourage the sharing of information—for fear of losing one’s job, etc.—the reporting of incidents may be delayed for weeks and even months.

Why Sharing Information Matters

Sharing information matters because we all need to be aware of what is going on and understand the consequences of what may occur.

We all can be the eyes and ears of an organization. We can also be gatekeepers, in the sense of assisting our organizations in responding to incidents as soon as they occur. As a result, the harm from any such incidents may be significantly mitigated by a timely response.

In essence, good information sharing is a good privacy and security practice that helps protect our organizations and our patients.

Originally published July 14, 2020; updated June 16, 2020