How to Share Cyber Threat Intelligence in Healthcare
Post Summary
The healthcare sector, one of the most critical components of global infrastructure, is constantly under siege from sophisticated cyber threats. As the use of technology in healthcare grows, so too does the urgency to protect sensitive patient data and ensure uninterrupted delivery of care. Sharing cyber threat intelligence (CTI) has emerged as a vital strategy for defending against these escalating risks. But what does effective information sharing look like in healthcare? What challenges exist, and how can organizations overcome them while safeguarding patient safety and reducing liabilities?
Based on a detailed discussion between cybersecurity experts John Banghart and Errol Weiss, this article delves into the transformative role of Information Sharing and Analysis Centers (ISACs), the dynamics of threat intelligence sharing, and actionable strategies for healthcare organizations to enhance their cybersecurity posture.
Understanding the Role of ISACs in Healthcare Cybersecurity
What are ISACs?
Information Sharing and Analysis Centers (ISACs) are organizations designed to foster collaboration and intelligence sharing among private sector organizations within a specific industry. Originating in the 1990s, ISACs were created to address vulnerabilities in critical infrastructure owned by the private sector. Today, there are 16 major critical infrastructure sectors, including healthcare, financial services, transportation, and energy.
The Health ISAC (Health Information Sharing and Analysis Center), established in 2010, offers a trusted platform for healthcare organizations to share threat intelligence, best practices, and operational insights. The goal is to collectively strengthen defenses against cyberattacks that could disrupt healthcare services or compromise patient safety.
Core Activities of ISACs:
- Encouraging anonymous, proactive information sharing to mitigate risks across the sector.
- Providing tactical, operational, and strategic intelligence, ranging from specific attack indicators (e.g., malicious IP addresses) to broader industry trends.
- Facilitating collaboration during cybersecurity incidents to minimize the impact on healthcare delivery.
Types of Cyber Threat Intelligence Sharing: Tactical, Strategic, and Operational
1. Tactical Intelligence: Immediate Threat Indicators
Tactical information sharing involves actionable, specific details about cyber threats. Examples in the healthcare sector include:
- Malicious email subject lines or sender addresses.
- Indicators of compromise (e.g., suspicious IPs, file hashes, or attachment types).
- Malware techniques used in recent phishing attacks.
This data helps organizations detect and defend against threats in real time, ensuring they remain resilient to current attack vectors.
2. Strategic Intelligence: Broader Trends
Strategic intelligence provides a high-level understanding of emerging trends and attack methodologies. For example:
- How threat actors are evolving their tactics using artificial intelligence.
- The latest scams or ransomware strategies targeting hospitals or medical device manufacturers.
By staying ahead of attackers’ innovations, organizations can better prepare for future threats that may affect their sector.
3. Operational Intelligence: Best Practices and Policies
Operational sharing facilitates the exchange of policies, procedures, and templates that organizations can adopt to improve their cybersecurity posture. Key examples include:
- Incident response playbooks.
- Templates for cybersecurity policies and processes.
- Survey insights on CISO reporting structures or budget allocations.
During crises, operational intelligence is equally important. For instance, in a ransomware scenario, healthcare organizations can learn from peers about effective mitigation tactics or recovery strategies.
Overcoming Barriers to Information Sharing in Healthcare
Despite the benefits of CTI sharing, many organizations hesitate to engage, citing fears of legal liabilities, regulatory repercussions, or exposure of sensitive information. These concerns are particularly acute in highly regulated industries like healthcare.
Addressing Legal and Compliance Concerns
- Anonymity in Information Sharing: Health ISAC enables members to share intelligence anonymously. Organizations can securely submit data without attribution, ensuring no identifying information is disclosed.
- Legal Protections under CISA 2015: The Cybersecurity Information Sharing Act of 2015 (CISA 2015) provided liability protections for organizations sharing threat intelligence with government agencies and ISACs. While this law expired in late 2025, its temporary renewal underscores the importance of advocating for its continuation. Regardless, ISACs have established mechanisms - such as non-disclosure agreements (NDAs) - to mitigate risks and encourage collaboration.
- Fostering Internal Collaboration: Effective sharing starts within the organization. CISOs and legal teams must align by defining what information can be shared. For example, specifics like IP addresses, general attack descriptions, or anonymized best practices rarely expose sensitive details but can still provide immense value to peers.
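The agreement between the CISO and legal team described above can be enforced in code before anything leaves the organization. The following is an added example, not code from the discussion or from Health ISAC: it keeps only allowlisted fields of an incident record and de-identifies their values. The field names, the allowlist, the internal ranges and the organization name are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumed policy: fields the CISO and legal team have approved for sharing.
SHAREABLE_FIELDS = {"email_subject", "sender_address", "ips",
                    "file_hashes", "attachment_type", "description"}
# Assumed internal ranges; add the organization's own public ranges as well.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def is_external_ip(value):
    """True only for a valid address outside the organization's own ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def scrub_text(text, own_domains, own_names):
    """Redact the organization's names and e-mail addresses at its domains."""
    def mask(match):
        domain = match.group(1).lower()
        own = any(domain == d or domain.endswith("." + d) for d in own_domains)
        return "[REDACTED-EMAIL]" if own else match.group(0)
    text = EMAIL_RE.sub(mask, text)
    for name in own_names:
        text = re.sub(re.escape(name), "[REDACTED-ORG]", text, flags=re.IGNORECASE)
    return text

def sanitize_for_sharing(record, own_domains, own_names):
    """Keep only allowlisted fields and de-identify their values."""
    shared = {}
    for key in sorted(SHAREABLE_FIELDS & record.keys()):
        value = record[key]
        if key == "ips":
            value = sorted(ip for ip in value if is_external_ip(ip))
        elif isinstance(value, str):
            value = scrub_text(value, own_domains, own_names)
        shared[key] = value
    return shared

# Constructed sample record; every value is made up for illustration.
SAMPLE = {
    "reporter": "jane.doe@examplehospital.org",
    "affected_host": "ehr-db-01.corp.examplehospital.org",
    "email_subject": "Updated on-call schedule for Example Hospital staff",
    "sender_address": "scheduling@invalid-sender.example",
    "ips": ["10.20.30.40", "203.0.113.7", "192.168.1.15"],
    "description": "Phishing mail delivered to jane.doe@examplehospital.org",
}
```

Because the filter is an allowlist, a field nobody has reviewed (such as `reporter` or `affected_host` here) is dropped by default rather than shared by accident.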
The Cultural Shift: From Isolation to Collective Defense
A critical mindset shift is required: organizations must view cybersecurity as a shared challenge. As one speaker noted, "It is effectively impossible for any one healthcare organization to keep up on their own." Collaboration is the only way to combat increasingly sophisticated cyber threats.
Lessons from Real-World Collaboration
Case Study: Financial Sector’s Defense Against DDoS Attacks
During the 2012 attacks by the "Al-Qassam Cyber Fighters", financial institutions faced unprecedented distributed denial-of-service (DDoS) attacks targeting banks’ online operations. By sharing attack indicators and mitigation techniques through the Financial Services ISAC (FS-ISAC), banks successfully minimized disruptions. This historic example underscores the power of collective defense in protecting critical infrastructure.
Healthcare Example: Ransomware and Patient Safety
Hospitals targeted by ransomware often face operational standstills, diverting patients and delaying critical care. In such scenarios, rapid sharing of attack details - such as whether the attack stemmed from a phishing email - can prevent cascading failures across neighboring healthcare facilities. A proactive approach can not only mitigate risks but also save lives.
Strengthening Public-Private Collaboration
The Health ISAC regularly collaborates with government entities like the Department of Health and Human Services (HHS), Cybersecurity and Infrastructure Security Agency (CISA), and law enforcement. These partnerships are invaluable during crises, ensuring swift communication and coordinated responses. For instance:
- Incident Response Coordination: ISACs act as a trusted intermediary, enabling healthcare organizations to report incidents to government partners while maintaining anonymity.
- Cross-Sector Exercises: Simulations involving healthcare, water, and energy sectors help identify interdependencies and refine responses to multi-sector disruptions.
Best Practices for Promoting Cyber Threat Intelligence Sharing
- Involve Legal and Compliance Teams Early: Engage internal legal counsel in tabletop exercises and information-sharing discussions to build trust and clarify boundaries.
- Utilize Anonymous Sharing Mechanisms: Take advantage of ISACs’ anonymity options to share intelligence without exposing sensitive organizational data.
- Foster a Culture of Collaboration: Break down silos between technical, legal, and leadership teams to align cybersecurity goals and strategies.
- Participate in Sector-Wide Exercises: Regular exercises can reveal weaknesses, strengthen response plans, and establish trust between organizations.
- Leverage ISAC Membership Resources: Access templates, surveys, and strategic insights to enhance your organization’s cybersecurity readiness.
Key Takeaways
- ISACs are critical enablers of cyber threat intelligence sharing, providing a trusted and secure platform for healthcare organizations to collaborate.
- Cyber threat intelligence spans tactical, strategic, and operational levels, offering actionable insights for immediate defense and long-term resilience.
- Legal concerns can be mitigated through anonymized sharing and proactive collaboration between CISOs and legal teams.
- Public-private partnerships strengthen defense capabilities, ensuring a coordinated response to healthcare-specific threats.
- Exercises are invaluable tools for fostering collaboration across internal departments and external partners.
- Healthcare organizations must adopt a collective defense mindset, recognizing the shared nature of cyber risks and the need for community-driven solutions.
Conclusion
In the face of a rapidly evolving threat landscape, the healthcare sector’s ability to protect patient data and ensure operational continuity hinges on effective collaboration. ISACs stand as vital hubs for sharing intelligence, fostering trust, and collectively raising the bar for cybersecurity. By embracing a proactive, informed approach to threat intelligence sharing, healthcare organizations can turn the tide against adversaries, safeguarding both their systems and the lives they serve.
Source: "Information Sharing in Health Care: Mitigating Risk and Enhancing Cooperation" - American Health Law Association, YouTube, Dec 16, 2025 - https://www.youtube.com/watch?v=2sRx96w1U70
