CommHIT Information Sharing & Analysis Centers (ISACs)

The Population Health Information Sharing and Analysis Center (PH-ISAC) and the Community & Transportation ISAC (C&T-ISAC) provide businesses and organizations solutions to meet regulatory requirements, reduce cyber risk, and identify cyber threats.

CommHIT’s ISACs help participating organizations reduce their risk of a cybersecurity-related breach. Digital security threats are too diverse and dynamic for any organization to handle alone. Organizations can manage their risk and protect their patients by joining the Population Health ISAC (PH-ISAC) or the Community & Transportation ISAC (C&T-ISAC) to reduce the chances of a cybersecurity-related breach happening. If a member organization ever has a cybersecurity-related breach, CommHIT’s ISACs help with incident reporting and ensures the organization avoids federal penalties/liabilities.

What’s an ISAC?

An ISAC is an organization for the analysis and sharing of information regarding cybersecurity risks and incidents. 

The Cybersecurity Act of 2015 (CSA) also ensures that private entities sharing information with ISACs in accordance with CSA receive liability protection from the federal government.

Could my organization be penalized by the federal government for sharing information with an ISAC?

Executive Order 13691 is designed to PROTECT all ISAC members against being penalized as they share information regarding cyber-related breaches, interference, compromise, or incapacitation.

Who does the PH-ISAC help?

The PH-ISAO prioritizes the cyber-readiness needs of safety net facilities and health systems (e.g., Community Health Centers, behavioral health centers, rural hospitals, community hospitals) as these facility types increasingly are sharing data with larger entities and one another. The Health Care Industry Cybersecurity Task Force “Report on Improving Cybersecurity in the Health Care Industry” highlights the risks of including smaller providers in health information exchanges (HIEs), a key vehicle for interoperability:

“A potential attack profile starts with the compromise of a smaller health delivery organization where the attacker increasingly exploits vulnerabilities until they acquire valid credentials necessary to gain access to a health information exchange and/or partner hospitals. While information security is often combined within IT budgets and remain flat or decrease each year because of competing priorities within the environment, the patient/industry is at great risk of a cyber attack that could seriously impact the safety of patient.”

What does the PH-ISAC do?

  • Helps participating organizations identify and mitigate  security gaps , and
  • Providing monitoring to reduce data breach risk
  • Reduces breach response time and severity, if a breach ever occurs
  • Provides liability protections through the Cybersecurity Act of 2015
  • Conducts cyber and data security awareness training and workforce development
  • Helps participants comply with state and federal regulatory and privacy requirements and recommendations (e.g., NIST Cybersecurity Framework, HHS 405(d) Health Industry Cyber Practices and other HHS 405(d)-approved recommendations, HIPAA data security compliance, IT risk management)

What is the Digital Health Net Program?

Digital Health Net is the flagship program provided by the PH-ISAC to shore up the cyber posture of safety net medical facilities and entities that they connect to. Digital Health Net does this by:

  • strengthening the workforce with tailored training
  • assessing security risks
  • helping organizations follow a risk management approach tailored to assessment findings
  • monitoring for threats and vulnerabilities, and
  • assisting with information sharing and incidence response

PH-ISAC offers the Digital Health Net because safety net providers are required to follow the same technology regulations as large health systems, yet they have fewer resources (human and financial) to successfully do so.

Who does the C&T-ISAC help?

The C&T-ISAC prioritizes the cyber-readiness needs of transportation agencies, smart city program, and related organizations as they increasingly collect, transmit, and use data.

What does the C&T-ISAC do?

  • Assists with: evaluating security risk, mitigating  identified security gaps and vulnerabilities, and providing monitoring to reduce data breach risk
  • Reduces breach response time and severity, if a breach ever occurs
  • Develops needed Digital Security Plans for your technology-driven mobility programs and cyber-physical systems
  • Provides liability protections through the Cybersecurity Act of 2015
  • Conducts cyber and data security awareness training and workforce development
  • Helps your entity comply with state and federal regulatory and privacy requirements and recommendations (e.g., NIST Cybersecurity Framework, PCI standard security compliance, IT risk management plans)