Following news of the breach of the U.S.'s second-largest health insurer, Anthem, where hackers accessed and obtained tens of millions of current and former customer and employee accounts, the Health Information Trust Alliance has announced it will offer its Cyber Threat Xchange (CTX) free of charge. The program was established last year as an early warning system to accelerate detection of and response to cyber threats.

The system allows participating organizations to share indicators of compromise (IoC) through HITRUST's Cyber Threat Intelligence and Incident Coordination Center, which HITRUST then shares with the Department of Health and Human Services, which then funnels the information to others in the industry.

Dan Nutkis, CEO of HITRUST, said the formerly paid subscription was opened up for free last week because of an understanding that organizations felt the cost was an impediment to them getting information about potential threats hitting the industry more quickly.

"We felt it was necessary to remove any impediments that would limit access to that information, so we made the platform available free of charge," Nutkis said.

Anthem, in fact, was using the CTX as part of its cybersecurity process when it detected its recent breach, Nutkis said. Since HITRUST announced it would open the platform up for free, it's had about 750 companies sign up. While that sounds like a solid number, perhaps, Nutkis said the healthcare industry is a big one, and he'd ideally like to see more industry reaction.

The Anthem breach is startling, sure, but it's clear that even without that incident, industry is facing increased risk, and something has to change. The HITRUST board, which comprises healthcare leaders from across the country and is led by a management team, met late last year to discuss how to revamp its entire strategy to cyberthreats. Part of the strategy, Nutkis said, is to make the information it collects via the CTX more actionable and consumable.

"One of the things I think we've learned previously was the ability to take the information we were disseminating, and act upon it and use it required a higher level of maturity and sophistication," he said. "So part of what we can do with the exchange is to simplify the consumption process."

Currently, a participating healthcare entity might share data via the CTX indicating its system has been compromised, and then other participants in the system react to see if they've been breached also or change their security parameters to protect themselves. But ideally, the system would become smarter.

"I think what we're trying to do at this point is find ways to be more predictive or proactive," he said.

For the system to work at its optimal level, organizations involved really do have to be "sharing," Nutkis added.

"You've got to be contributing and not just consuming information," he said. "And to share, you've got to have a certain level of sophistication and maturity. There's no question that in the case of a cyber event, being able to communicate the indicators of compromise in a very timely manner is extremely important. It does allow other organizations to be able to utilize them to determine if they've been breached or protect against them."

The model does provide a level of anonymity to organizations, he said, meaning they can share IoCs with the CTX without necessarily identifying themselves as the organization reporting the threat. In the Anthem case, the IoCs were shared through the system without participants knowing at the time that it was Anthem doing the reporting. That can be important in encouraging organizations to share what they know, Nutkis said.

The other benefit to the CTX, he added, is that it tracks accuracy. That is, if organizations repeatedly share what they believe to be a threat, and it turns out to be nothing, the system reports that out. That's essential to a threat-detection system because if people start turning off alerts that are in fact important because the false alerts become more of a hindrance than a help, the sharing model fails.

"If implemented in the right way, it's a highly effective way for organizations to protect themselves," Nutkis said.