Congress Considers Ways to Beef Up Healthcare Cybersecurity
At Hearing, and in Letter, Concerns Raised About Confusion Over HHS's Role
As part of efforts to bolster the nation's readiness to deal with health disasters and emergencies - natural and man-made - Congress is considering beefing up the focus on healthcare sector cybersecurity issues in legislation to reauthorize the Pandemic and All-Hazards Preparedness Act, which was enacted in 2006.
A Wednesday hearing of the House Energy and Commerce Committee's Subcommittee on Health focused on bipartisan draft legislation, the Pandemic and All-Hazards Preparedness Reauthorization Act of 2018, introduced by Rep. Susan Brooks, R-Ind., and Rep. Anna Eshoo, D-Calif.
The legislation seeks to beef up the nation's ability to prepare for and respond to health threats from infectious diseases, bioterrorism, chemical attacks, radiological emergencies and cybersecurity incidents.
But the effort to bolster healthcare sector cybersecurity requires addressing confusion about who's ultimately responsible for cybersecurity within the Department of Health and Human Services.
Among proposals being considered is shifting and centralizing more responsibilities for responding to cyberthreats to the Office of the Assistant Secretary for Preparedness and Response, or ASPR, within HHS.
For instance, the legislation proposes moving the Strategic National Stockpile of antibiotics, vaccines, other critical drugs and medical supplies from the Centers for Disease Control and Prevention to ASPR.
But it also seeks to clarify the cybersecurity responsibility of ASPR. For instance, the bill proposes moving the HHS Healthcare Cybersecurity and Communications Integration Center, HCCIC, from HHS's Office of the CIO to ASPR.
A CISO Testifies
Right now, there's confusion about the status of HCCIC as well as the cybersecurity roles of various agencies at HHS - and that's hindering many healthcare organizations from participating in cyber intelligence sharing, testified Erik Decker, CISO and chief privacy officer at the University of Chicago Medicine. He's also advisory board chairman for the Association for Executives in Healthcare Information Security, or AEHIS, a unit of the College of Healthcare Information Management Executives.
Decker noted in his written testimony that the Cybersecurity Information Sharing Act of 2015 contained a provision for HHS to issue a clear statement defining the official within HHS who is responsible for leading and coordinating cybersecurity efforts.
But today, healthcare sector entities "cite confusion about who leads HHS's cybersecurity programs and the correct way to communicate with the department concerning cybersecurity-related issues," he testified. "Additionally, AEHIS members cite concern about sharing information that might elicit an enforcement action from the regulatory arm of HHS."
Within the last year, the healthcare industry has faced some significant cybersecurity attacks, the CISO noted. "Attacks like WannaCry in May of 2017 have demonstrated the necessity of being prepared for a national cybersecurity attack against our healthcare industry," he testified.
Decker testified that when the healthcare sector experienced the WannaCry attacks, HHS "acted rapidly." That response was spearheaded by the ASPR and the HCCIC, he noted.
"The HCCIC rapidly disseminated information about the worldwide threats and hosted calls often lasting several hours open to the industry for the purpose of information sharing," Decker testified. "The speed at which HHS acted and their inclusive approach of healthcare delivery organizations of all types and sizes should be commended."
He also noted, however, that "the HCCIC has since been the source of confusion for providers. Specifically, confusion exists regarding the purpose of the HCCIC, the Department of Homeland Security-run National Cybersecurity and Communications Integration Center, and the existing industry Information Sharing and Advisory Centers and Information Sharing and Advisory Organizations."
Healthcare CISOs are confused about who leads HHS's cybersecurity programs and the correct way to communicate with the department concerning cybersecurity-related issues, Decker testified. "Additionally, AEHIS members cite concern about sharing information that might elicit an enforcement action from the regulatory arm of HHS," he said.
Letter to HHS
The hearing came one day after a bipartisan group of Senate and House committee leaders sent a letter to HHS Secretary Alex Azar raising similar concerns about HHS cyber-related activities, including the lack of clarity about whether HHS's HCCIC "still exists, who is running it, or what capabilities and responsibilities it has."
In fact, the creation of HCCIC came as a surprise to Congress last year, the letter notes. "The HCCIC was announced during a panel appearance in April 2017 by the then-HHS CISO, who stated, 'HHS is building a healthcare information collaboration and analysis center, just like DHS' NCCIC, only focused on healthcare,'" the letter notes.
The letter adds that Congress has been seeking clarity from HHS. "Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS's efforts to address the HCCIC's status."
The letter also raised concerns about HHS's cyber threat preparedness report, which was submitted as required by Congress. The report lacked clarity on the status of HHS's role in cybersecurity, the letter contends.
"On April 27, 2017, HHS delivered the [report] to the House Committee on Energy and Commerce and the Senate Committee on Health, Education, Labor & Pensions. This report was intended to clarify HHS's internal roles, responsibilities and preparedness to address cyber threats in the health care sector. Since the preparation and delivery of the [report], however, HHS has continued to alter its cybersecurity strategy," the letter states.
"While the [report] provided a high-level overview of the cybersecurity responsibilities of each HHS office and operating division, the report omitted or lacked sufficient detail on many outstanding issues," the letter says.
During his testimony, Decker offered several suggestions for alleviating confusion as well as bolstering cybersecurity in the healthcare sector.
"We need a system of prevention and response that is similar to the disease prevention and infection control practices within the healthcare industry," he testified.
"This system should encourage and incentivize the adoption of standard cyber hygiene practices, just as our clinicians do with washing our hands, and be capable of coordinating large-scale emergency response to cyber threats as HHS has done with Ebola and Zika outbreaks. Specifically, we feel that ASPR, in combination with the right cybersecurity expertise, capabilities and funding, will serve as the right impartial partner to serve to help bolster the industry's cyber capabilities."
He said that ASPR should:
- Encourage the adoption of the National Institute of Standards and Technology's cybersecurity framework and soon-to-be-released top 10 best security practices within healthcare;
- Stress the importance of sharing technical cybersecurity threat intelligence through the National Health Information Sharing and Analysis Center and ensure this information is protected from regulators;
- Offer enforcement relief for organizations that demonstrate the adoption of the cyber framework and best practices and participate in NH-ISAC; and
- Establish a national response program in partnership with NH-ISAC and potentially with DHS that is capable of facilitating a response to cyber threats.
HHS did not immediately respond to an Information Security Media Group request for comment.