HHS Tries Again: New Cyber Coordination Center Launched
Agency Went Back to the Drawing Board After Initial Effort Got Off to Rocky Start
After an initial effort got off to a rocky start, the Department of Health and Human Services has started over, making a second attempt at launching a cyber coordination center that aims to help the healthcare sector improve its defenses and boost information sharing. But will the latest effort prove successful?
The Health Sector Cybersecurity Coordination Center, or HC3, replaces HHS's Healthcare Cybersecurity and Communications Integration Center, which was launched in 2017 but proved to be controversial. The creation of that previous HHS cyber center confused and surprised some members of Congress. And it was stained by management and staff turmoil.
Security experts are hoping that the new HC3 will get off to a better start and eventually clear up confusion about HHS' role in healthcare sector cyber defense activities.
Cyber Information Sharing
HHS says that while the Department of Homeland Security is the lead organization to combat cyber threats, HHS' role is to "focus cybersecurity support on information sharing within the healthcare and public health sector."
The mission of the new center, an HHS spokeswoman tells Information Security Media Group, "is to support the defense of the sector's data and information systems by coordination and information sharing within the sector and cultivating cybersecurity resilience, regardless of an organization's technical capacity."
The spokeswoman says HC3 will:
- Provide timely, relevant and actionable intelligence on cybersecurity threats;
- Promote organizational capacity within the sector through best practices and expert guidance;
- Foster a cybersecurity community through partnerships and collaboration.
"HC3 will continue to collaborate closely with our partners, including HHS' Office of the Assistant Secretary for Preparedness and Response, the Health Information Sharing and Analysis Center [formerly called the National Health-ISAC], and DHS' National Cybersecurity and Communications Integration Center, or NCCIC, to continue to develop and refine our cybersecurity offerings through feedback and consultations," she says.
H-ISAC President Denise Anderson tells ISMG her organization will continue to closely collaborate with HHS on information sharing.
"The H-ISAC has been actively engaged with the HCCIC and now the HC3," she says. "We will continue to work with HHS as well as our other strategic partners in government and industry to support the sector with situational awareness, threat mitigation and incident response."
The ability of HHS to respond to cyber incidents is critically important, and in the past year has been limited, says Jim Routh, chief security officer at health insurer Aetna and an H-ISAC board member. "Coordination across the sector in collaboration with DHS is essential and represents an opportunity for continuous improvement. This [HHS] announcement represents a step forward, but the healthcare sector needs more maturity in capability. The H-ISAC has always and will always support the HHS commitment toward cyber incident response."
HITRUST, best known for its Common Security Framework, also has been working for several years with the federal government, including HHS and DHS, in healthcare sector cyber threat information sharing activities - and plans to continue that work.
"The longstanding arrangement is that DHS is the civilian lead on cybersecurity. HHS is taking a direct and active role in conjunction with DHS to address the needs of the HPH sector," says Carl Anderson, HITRUST's chief legal officer and senior vice president of government affairs.
"We have been in discussions with HHS since the very beginning and continue to actively lead the sector in information sharing. We will continue to play an active role with the new center."
Original Effort Was Controversial
Experts say that HC3's predecessor - HCCIC - played an important role in helping to keep the U.S. healthcare sector informed during the global WannaCry ransomware attacks in May 2017. HHS activated the HCCIC a month early to deal with the crisis.
But HCCIC proved to be controversial, and some senior staffers were removed.
A bipartisan group of Senate and House committee leaders sent a letter in June to HHS Secretary Alex Azar raising concerns about HHS cyber-related activities, including the lack of clarity about whether HHS's HCCIC "still exists, who is running it, or what capabilities and responsibilities it has."
The creation of HCCIC came as a surprise to Congress last year, the letter notes. "The HCCIC was announced during a panel appearance in April 2017 by the then-HHS CISO, who stated, 'HHS is building a healthcare information collaboration and analysis center, just like DHS' NCCIC, only focused on healthcare,'" the letter says.
But the letter notes that by September 2017, "HHS temporarily reassigned two senior officials responsible for the day-to-day operation of the HCCIC to unrelated duties. Memoranda provided to the affected officials stated the reassignments were to 'permit the agency time to review allegations raised against the Office of the Chief Information Officer, Office of Information Security.' HHS's removal of senior HCCIC personnel has had undeniable impacts on HCCIC and HHS's cybersecurity capabilities."
In an Oct. 4 response letter to the committees, HHS says it formed HC3 "to enhance HHS' ability to analyze cyber threat information and communicate how emerging threats and vulnerabilities might impact health care. HC3, in coordination with relevant HHS divisions and offices, has produced and disseminated executive and technical summaries on emerging cyber threats that are applicable to a wide range of health care audiences."
HHS notes that HC3 developed these products based on information received from a broad range of sources, "including private sector organizations, the National Health Information Sharing and Analysis Center and [DHS'] National Cybersecurity and Communications Integration Center. These products are distributed to healthcare industry partners through the critical infrastructure protection partnership maintained by the Office of the Assistant Secretary for Preparedness and Response."
The opening of the new center hasn't yet erased all industry confusion about the roles various HHS units play in healthcare cybersecurity, says Erik Decker, CISO and chief privacy officer at the University of Chicago Medicine. Decker is also advisory board chairman for the Association for Executives in Healthcare Information Security, or AEHIS, a unit of the College of Healthcare Information Management Executives.
"I'm encouraged by the continued focus on cybersecurity by HHS," he says. The previous center, HCCIC, "played a pivotal role during the WannaCry national response - they really gave the threat urgency and validity," he says.
Decker stresses, however, that the industry and HHS "are going to need to continue to work together to reduce the confusion between enforcement activities and non-enforcement activities. There are organizations that still think sharing any information with HHS can cause a regulatory action to occur. ... I hope with the launch of the HC3 we will continue to make progress."
Having the HC3 aligned with DHS' NCCIC makes sense, Decker says, "as duplicating the NCCIC and ISACs is wasteful and won't be effective. Healthcare needs special focus on how to reach out to the smaller and medium-sized organizations to manage these cyber threats, and I believe the HC3 can assist with that, while also providing validity to certain threats that the whole industry needs to take seriously."
Help for Sector
Some industry observers are hopeful HC3 will prove to be more successful than its predecessor.
"Hopefully the HHS HC3 will become the fusion center that takes in reports and information from all over healthcare providing that to the DHS and then returning actionable threat information and defense measures that healthcare organizations can use to better protect themselves from the threat," says Mac McMillan, CEO of security consultancy CynergisTek. "DHS analysis will only be as good as the information it receives from the various departments, so hopefully HC3 will forge a proactive partnership with healthcare to provide timely information about threats and measures to mitigate risk."
McMillan says he's also hopeful that confusion about HHS' role in cybersecurity activities will be somewhat alleviated with DHS now designated as the executive agency in charge, along with the clarification of HC3's role. But other confusion will likely persist, he contends.
"Unfortunately, healthcare has a number of entities, including private-sector organizations, both national and regional, who are purporting to be ISAOs [Information Sharing and Analysis Organizations] or threat centers. While it's always useful to have multiple information sources - if you have the analytical capacity to evaluate them - it can also be confusing as to what is the real source of truth or actionable intelligence."
HC3 will play an important role in early detection and coordination of information among the private sector and federal government, says Jeanette Manfra, DHS assistant secretary for cybersecurity and communications, in a statement.
"We believe that when a risk is shared across sectors, the only way to manage that risk successfully is to manage it collectively," she says. "We know that the majority of the cybersecurity attacks that occurred over the past year could have been prevented with quality and timely information - and the heightened importance of sharing information cannot be stressed enough."
To address cyber threats, HC3 will coordinate cyber threat information sharing activities across the sector and offer reports to DHS on threats, profiles and preventive strategies, HHS notes.
"HC3's role is to work with the sector, including practitioners, organizations and cybersecurity information sharing organizations, to understand the threats it faces, learn the bad guys' patterns and trends, and provide information and approaches on how the sector can better defend itself."