Information Sharing & Analysis Organizations (ISAOs)

The Population Health Information Sharing and Analysis Organization (PH-ISAO) and the Community & Transportation ISAO (C&T-ISAO) provide businesses and organizations solutions to meet regulatory requirements, reduce cyber risk, and identify cyber threats.

What’s an ISAO?

An ISAO is an organization for the analysis and sharing of information regarding cybersecurity risks and incidents. Some may have heard the term “ISAC.” An ISAC is a sector-specific type of ISAO.

Presidential Executive Order 13691 (2015) defined and expanded ISAOs so that ANY entity or agency of ANY size or type nationwide may share information related to cyber risks and incidents and collaborate to respond in as close to real-time as possible.

Under Presidential Executive Order 13691, ISAOs are to:

  • Voluntarily disseminate critical cyber and related information
  • Communicate critical cyber and related information to help prevent, detect, mitigate or recover from the effects of a cyber system’s interference, compromise or incapacitation
  • Analyze cyber-related information to ensure critical digital systems’ availability, integrity and reliability

Could my organization be penalized by the federal government for sharing information with an ISAO?

Executive Order 13691 is designed to PROTECT all ISAO members against being penalized as they share information regarding cyber-related breaches, interference, compromise, or incapacitation.

The Cybersecurity Act of 2015 (CSA) also ensures that private entities sharing information with ISAOs and ISACs in accordance with CSA receive liability protection from the federal government.

Who does the PH-ISAO help?

The PH-ISAO prioritizes the cyber-readiness needs of safety net facilities and health systems (e.g., Community Health Centers, behavioral health centers, rural hospitals, community hospitals) as these facility types increasingly are sharing data with larger entities and one another. The Health Care Industry Cybersecurity Task Force “Report on Improving Cybersecurity in the Health Care Industry” highlights the risks of including smaller providers in health information exchanges (HIEs), a key vehicle for interoperability:

“A potential attack profile starts with the compromise of a smaller health delivery organization where the attacker increasingly exploits vulnerabilities until they acquire valid credentials necessary to gain access to a health information exchange and/or partner hospitals. While information security is often combined within IT budgets and remain flat or decrease each year because of competing priorities within the environment, the patient/industry is at great risk of a cyber attack that could seriously impact the safety of patient.”

What does the PH-ISAO do?

  • Assists organizations with completing Security Risk Assessments (SRAs), mitigating security gaps identified by the SRA, and providing monitoring to reduce data breach risk
  • Reduces breach response time and severity, if a breach ever occurs
  • Provides liability protections through the Cybersecurity Act of 2015
  • Conducts cyber and data security awareness training and workforce development
  • Helps you comply with state and federal regulatory and privacy requirements and recommendations (e.g., NIST Cybersecurity Framework, HIPAA data security compliance, IT risk management plans)

What is the Digital Health Net Program?

Digital Health Net is the flagship program provided by the PH-ISAO to shore up the cyber posture of safety net medical facilities and entities that they connect to. Digital Health Net does this by:

  • strengthening the workforce with tailored training
  • performing SRAs
  • helping organizations follow a risk management approach tailored to SRA findings
  • monitoring for threats and vulnerabilities, and
  • assisting with information sharing and incident response

PH-ISAO offers the Digital Health Net because safety net providers are required to follow the same technology regulations as large health systems, yet they have fewer resources (human and financial) to successfully do so.

Who does the C&T-ISAO help?

The C&T-ISAO prioritizes the cyber-readiness needs of transportation agencies, smart city programs, and related organizations as they increasingly collect, transmit, and use data.

What does the C&T-ISAO do?

  • Assists with completing Security Risk Assessments (SRAs), mitigating security gaps identified by the SRA, and providing monitoring to reduce data breach risk
  • Reduces breach response time and severity, if a breach ever occurs
  • Develops needed Digital Security Plans for your technology-driven mobility programs and cyber-physical systems
  • Provides liability protections through the Cybersecurity Act of 2015
  • Conducts cyber and data security awareness training and workforce development
  • Helps your entity comply with state and federal regulatory and privacy requirements and recommendations (e.g., NIST Cybersecurity Framework, PCI standard security compliance, IT risk management plans)