Privacy & Cybersecurity

National Health Information Sharing & Analysis Center

November 02, 2017

National Health Information Sharing & Analysis Center (NH-ISAC) is the official health care information sharing and analysis center, offering non-profit and for-profit health care stakeholders a community and forum for sharing cyber and physical security threat indicators, best practices and mitigation strategies. Membership is open to any health care stakeholder seeking protection of valuable PHI (personal health information) and IP (Health care-related Intellectual Property) and also compliance with Federal HITECH ACT, HIPAA-related privacy rights and NIST (National Institute of Standards and Technology) guidelines. NH-ISAC is a non-profit member-driven organization of owners and operators within the health care sector. Members include private & public hospitals, “ambulatory” providers, health insurance “payers,” pharmaceutical/biotech manufacturers, laboratory, diagnostic, medical device manufacturers, medical schools and medical R&D organizations. Joining NH-ISAC is one of the best ways health care and public health firms can actively participate to protect the industry and its vital role in critical infrastructure.

It's Not Who's First... It's Who Puts the Industry First

November 02, 2017

White paper on information sharing between private industry and the public sector. From NH-ISAC Threat Intelligence Committee, by Jim Routh, CSO Aetna Global Security.

NH-ISAC – “The healthcare industry has been hit with two significant and subsequent cyber challenges in recent weeks (WannaCry and Petya) both of which caused business impact for several organizations and in both cases the damage was largely mitigated across the industry. This information is widely known; what is not widely known is what the role of information sharing was between private industry and the public sector specifically between the NH-ISAC Threat Intelligence Committee members (TIC) and the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC). In times of cyber crisis it is imperative for all enterprises to understand what the indicators of compromise (IOCs) are, how the malware works and spreads, and ultimately what controls are effective. These three steps appear to be simple but can be illusive without the right access to cyber communities that share resources and analysis. The HCCIC supported the emergency response team in the HHS Secretary’s Operations Center (SOC) throughout both the WannaCry and Petya incidents. The HCCIC is how HHS carries out its cybersecurity responsibilities as directed in Presidential Policy Directive 41 and the National Cyber Incident Response Plan from the US Computer Emergency Readiness Team or US-CERT. The NH-ISAC is the primary interface from the private sector for the HCCIC to share information and respond in times of business resiliency crisis.”

How Secure is Your Data? Assessing and Mitigating Risks (Infographic)

September 22, 2017

Infographic from the University of Illinois at Chicago. Contains key facts and statistics related to storing health data, digital storage methods, health data risks, and how to protect patients' data.

Reference: http://healthinformatics.uic.edu/resources/infographics/how-secure-is-your-data-assessing-and-mitigating-risks-for-electronic-health-records/

Decision Support for Data Segmentation (DS2): Technical and Architectural Considerations

May 01, 2014

This paper presents the results of a research-oriented project to demonstrate that certain Data Segmentation for Privacy, or DS4P, tasks can be enhanced through the use of clinical decision support (CDS) technology. It advances a novel use of CDS tools to 1) identify and sequester certain types of information from electronic medical records and to 2) help mitigate the potential risks of exchanging records from which data have been sequestered. The approach, called Decision Support for Data Segmentation, or DS2, builds upon standards-based open source CDS technology to create a familiar CDS-based platform for the development and testing of functions to identify and redact selected conditions from clinical summary documents in various contexts, including Health Information Exchange (HIE) between healthcare providers. The DS2 prototype demonstrates how deterministic clinical rules and machine learning-based classifiers can work together to detect clinical facts that may imply a condition even if they are not directly related to the condition, and how CDS at the point of care can potentially make use of clinical information even after it has been sequestered.

Name: Noam H. Arzt
Title: President
Company: HLN Consulting, LLC
Company Website Address: https://www.hln.com

Fighting Information Blocking in the Emerging Learning Health System

March 01, 2016

In January 2015, the Office of the National Coordinator for Health Information Technology (ONC) released the first draft of their Nationwide Interoperability Roadmap. The roadmap lays out the principles, requirements and strategies for enabling and managing interoperability within what it calls the “Learning Health System” (LHS), which represents a paradigm shift in the healthcare ecosystem within which organizations operate. Within this vision, the LHS will feel less like a collection of interoperable systems and more like one large virtual system, providing appropriate access to data where and when it is needed–both for clinical as well as analytic purposes. Many EHR vendors are putting up barriers to access data that comes into the EHR even if the data originates within an organization – often referred to as “information blocking,” which may lead to increased monetization of healthcare data. While the use by vendors of standards-based versus proprietary approaches to data access helps reduce some of these barriers, the strict use of standards by vendors does not guarantee that data will be accessible and available to the organizations that have already paid to capture and store it. This article will discuss the potential impact that the LHS will have on the development of interoperability standards within healthcare and the continuing evolution of electronic health records (EHRs) to meet this vision. This article will offer perspectives on how healthcare organizations can work to educate themselves and advocate for systems more supportive of the LHS’s emerging needs.

Name: Noam H. Arzt
Title: President
Company: HLN Consulting, LLC
Company Website Address: https://www.hln.com

Press Release: AHIMA and ISO/TC 215 Health Informatics Announce New International Standard

September 08, 2017

CHICAGO – June 26, 2017 - The American Health Information Management Association (AHIMA) and the International Organization for Standardization Technical Committee 215 Health Informatics (ISO/TC 215) are pleased to announce the publication of a new educational standard, “ISO/Technical Report (TR) 18638:2017, Health Informatics - Guidance on health information privacy education in healthcare organizations” (URL: https://www.iso.org/standard/63100.html).

Data Access and Privacy Committee

Privacy issues and cybersecurity threats can wreak havoc among healthcare organizations. Malicious agents now seek patient data as frequently as financial information, and the value of a medical record far exceeds that of a stolen credit card. Today, the question facing most security officers is no longer whether a breach will occur, but rather when it will happen and what should be done to mitigate the damage. This new reality necessitates innovative approaches to managing risk and protecting data.

Healthcare Security Readiness Workshop - Confidential - Free - Available On Demand

June 15, 2017

Breaches and ransomware are a top concern for health and life sciences organizations worldwide. Whether ransomware, cybercrime hacking, insider accidents / workarounds, or other types of breaches, these tend to affect organizations lagging in security, and relatively vulnerable. How does the security of your organization compare to peers and the rest of the healthcare industry? Find out in this complimentary (free), confidential, 1 hour workshop. This security benchmark engagement compares your organization's security maturity, priorities and readiness across 8 of the most common breach types, and capabilities across 42 key security capabilities with peer organizations of a similar locale, focus and size, as well as against the healthcare industry as a whole. The confidential, encrypted report issued back to your healthcare organization after participating in this workshop also maps your capabilities and gaps to a range of regulations, data protection laws, and standards including HIPAA, NIST, PCI DSS, CIS, ISO2700x, GDPR, ISO80001, and EU/MDR 2017/745. Any health and life sciences organization that works with sensitive patient information is eligible to participate, including business associates and data processors. This workshop is hosted by the Infragard CHWG (Cyber Health Working Group), a cybersecurity information sharing forum coordinated by the FBI. Are you a member of Infragard CHWG at https://www.intelligence.healthcare/? If not, we strongly encourage you to join. This too is a free resource. This is a fantastic resource to connect with security professionals across a vast range of health and life sciences organizations to share threats, vulnerabilities, best practices, and so forth. Once you join CHWG and log in at https://www.intelligence.healthcare/ you can find this workshop top right under Webinars, Monthly Webinar Recordings, 2017 May - Intel's Healthcare Security Readiness Workshop.
To find out more about the Intel Healthcare Security Readiness Program, including a concise overview and sample report, see http://Intel.com/SecurityReadiness.

Name: David Houlding
Title: Director, Healthcare Privacy & Security
Company: Intel Health & Life Sciences
Company Website Address: http://intel.com/securityreadiness