HHS' Cyber Info Sharing Center: Is It Needed?Senators, Others Question Whether Efforts Will Be Duplicative
Does the healthcare sector need another cyber threat information sharing center? That's a question some U.S. senators and others are asking.
The Department of Health and Human Services plans to formally open this summer the Health Cybersecurity and Communications Integration Center, or HCCIC, which has already begun some operations. But Sen. Claire McCaskill, D-Missouri, questioned at a June 21 hearing whether the center is necessary in light of many other cyber threat information sharing efforts already underway.
For example, the Department of Homeland Security and its National Cybersecurity and Communications Integration Center encourages many industries to share threat information. In addition, the National Health Information Sharing and Analysis Center and the Healthcare Information Trust Alliance, or HITRUST, are spearheading healthcare-specific information sharing efforts.
In a May 18 statement, HHS explained to Information Security Media Group that HCCIC "is one of HHS' efforts to achieve the legislative requirements outlined in the Cybersecurity Act of 2015. HCCIC establishes the mechanism to provide proactive and anticipatory analysis of cyber threats to both HHS and the Healthcare and Public Health Sector."
The HCCIC will act as a clearinghouse to drive healthcare-relevant cyber indicators, briefings and actionable intelligence to and from a wide variety of stakeholders, both public and private, according to HHS.
But McCaskill at the June 21 hearing questioned those plans. "We have spent years working to make DHS the central cybersecurity information sharing entity in the federal government ... But now, HHS has decided that the NCCIC and the existing information sharing structure have limitations," she said. "Rather than examining what the private sector was doing to address potential gaps, HHS went ahead and built a health-specific version. ... Talk about duplicative.
While some industry insiders say creating another way that cyber threat information can be shared is a good idea, given the current environment, others agree with McCaskill's assessment.
"Cyber info is not specific to healthcare. Someone may focus a threat toward the healthcare sector, but the underlying exploits or techniques would be common to any targeted industry," says John Houston, CISO of the University of Pittsburgh Medical Center.
But one potential benefit to the HHS effort, Houston acknowledges, is that the agency may be able to translate information in a manner that healthcare providers -especially smaller ones - can understand. "The problem is that those small healthcare providers still may not be able to act on the information."
Senators Question HHS
McCaskill and Ron Johnson, R-Wisconsin, sent a June 21 letter to HHS Secretary Tom Price asking more questions about the planned center.
Among the questions posed are how HCCIS will interact with DHS' NCCIC and affect the services already offered by other healthcare sector initiatives, and how safe harbor liability protections in the Cybersecurity Act apply to entities that share information only with HCCIC.
Pros and Cons
Jim Routh, CISO of health insurer Aetna and chairman of the NH-ISAC - which also provides cyber information sharing capabilities - contends that plans for HCCIC are a good move. "We believe it is a positive development for both HHS and the health sector," Routh tells ISMG.
"The NH-ISAC worked collaboratively with the HHS and the HCCIC on the WannaCry incident. ... Sharing the intelligence and results of the malware reverse engineering helped the NH-ISAC Threat Intelligence Community identify the five appropriate controls for mitigation that was then shared with all members," he notes.
Routh contends the new HCCIC will potentially expand cyber threat information sharing in the healthcare industry, rather than be duplicative of efforts at NH-ISAC or HITRUST.
"The level of information sharing on cyber in the healthcare sector today is substantially below what is necessary for the level of resiliency required to adequately protect healthcare information for consumers," Routh says. "It is worth noting that the level of information sharing has improved substantially in recent years. Specific efforts to improve information sharing with healthcare providers have improved significantly in the past year with more resources focused on the provider segment, which has a diversity of technology combined with an increasing size of the attack surface and limited security resources."
Mac McMillan, president of security consulting firm CynergisTek and a former information security director at the Department of Defense, says HHS should play a role in threat information sharing.
"It probably does not make sense to replicate resources that exist within the government, such as the DHS NCCIC, but HHS is better positioned to be coordinator/communicator to the healthcare sector," he says.
But in testimony at the June 21 Senate hearing, HITRUST Executive Director Daniel Nutkis offered skepticism about the role of HHS' new HCCIS.
HITRUST, which has worked closely with the DHS's NCCIC, was "surprised to learn that the HHS recently established its healthcare-specific cybersecurity communication center to focus its efforts on analyzing and disseminating cyberthreats across the healthcare industry," Nutkis testified.
"We believe [HCCIC] raises some important issues, as it appears the role of the HCCIC parallels the intended role and capabilities of ISAOs."
The role of information sharing and analysis organizations is to support cyber information sharing to a particular sector or segment, as well as engage with the federal government. HITRUST serves as an ISAO.
Concerns About Overlap
Phil Curran, CISO of Cooper Health System in Camden, N.J., says he too was surprised to hear of HHS' plans to launch HCCIC, and that he's concerned about potential overlap with ongoing efforts elsewhere.
"I usually say the more information I have the better for my analysis," he says. "However, if they are going to provide information from sources I already monitor, for example HITRUST, NH-ISAC, NCCIC, etc., they would not provide much value to me, especially since some of these already gather and analyze information from multiple sources."
Curran adds: "I have no plans to drop [my participation in] either NH-ISAC or HITRUST when HCCIC opens - [but] budgets may say otherwise."
Curt Kwak, CIO of Proliance Surgeons, a large surgical practice in Washington state, and former CIO of Washington state's health insurance exchange under the Affordable Care Act, sees both pros and cons to HCCIC.
"We always would like to see quicker responses and more detailed information from the existing bodies. However, we also empathize with the challenges that a federal body faces," he says. "The sensitivity in what data/information to share and also the timing of the data share are critical enough where they need to take time to ensure the most critical needs are met. There's no guarantee that an HHS-based HCCIC will be more efficient nor more helpful for the industry. ... A healthcare specific NCCIC would be welcomed by me, personally."