There are substantial gaps in the collection and usability of indicators of compromise (IOCs), according to findings from the Health Information Trust Alliance (HITRUST).
The report on the HITRUST Cyber Threat XChange (CTX) found that only 5 percent of organizations contributed IOCs while 85 percent consumed them. Additionally, of the IOCs contributed to the HITRUST CTX in the sampling period, only 50 percent were considered “actionable,” defined as being useful in allowing preventative or defensive action to be taken without a significant risk of a false positive.
The findings also show that many organizations are not effectively identifying cyberthreat indicators internally and, therefore, are unable to contribute them to the HITRUST CTX. When the indicators contributed by participants using current cyber discovery methods were compared with what breach detection systems detected during the reporting period, the breach detection systems identified 286 times more IOCs. Also, 24 percent of those identified IOCs were new and not previously submitted by any source to the HITRUST CTX.
A significant part of the equation for improving the efficacy of threat intelligence sharing is the ability of participants to gather IOCs quickly, accurately and completely and share them in near real time with the HITRUST CTX. The accuracy, timeliness and completeness of an IOC directly relate to making an indicator actionable. IOCs become less valuable over time and need to contain a minimum dataset in order to deliver optimum value.
“Cyberthreat intelligence sharing still holds the greatest potential to enhance situational awareness and improve organizational cyber preparedness,” said Daniel Nutkis, CEO of HITRUST. “Development of the IOC collection requirements and our deployment of breach detection systems are a big step forward in advancing industry’s cyber intel sharing capability.”
In addition to the findings, the report identifies requirements, guidance and recommendations regarding the sharing and submission of cyber indicators, including:
- Establish detailed requirements for IOC sharing. The current lack of clear guidance on IOC sharing has led to an overall reduced quality of IOCs.
- Commence an enhanced IOC sharing pilot to quantify the benefits and identify any issues. A pilot group has been convened to evaluate the benefits to participating organizations and industry as well as any risks or concerns.
- Evaluate methods to incentivize organizations to actively engage in cyberthreat information sharing. There are no incentives now.
- Ensure HITRUST CTX has near real-time cyberthreat indicator visibility across key segments of the health industry. To ensure IOC collection, HITRUST will make available free of charge 50 Trend Micro Deep Discovery systems to healthcare organizations representing each segment of the healthcare industry. HITRUST is developing selection criteria to identify organizations to receive one of the systems.