The Department of Health and Human Services (HHS) will officially open its healthcare-specific cybersecurity communication center by the end of the month, according to HHS officials, after withstanding an unexpected test run during last month's ransomware attack.
Leo Scanlon, deputy chief information security officer at HHS, told members of the House Energy and Commerce Subcommittee on Oversight and Investigations that the Healthcare Cybersecurity Communications Integration Center (HCCIC) will have “initial operational capability” by the end of June.
Scanlon said the Department of Homeland Security, which operates the National Cybersecurity and Communications Integration Center (NCCIC), recommended HHS open its own version specifically for the healthcare industry. HCCIC will focus its efforts on analyzing and disseminating cyberthreats across the healthcare industry in real time.
Officials gave HCCIC a test drive last month, using it to respond to the WannaCry ransomware attack that shut down NHS hospitals and spread rapidly across the globe. In written testimony (PDF), Scanlon indicated that HCCIC was “an integral part” of the Office of the Assistant Secretary for Preparedness and Response’s (ASPR) response by providing “analysis on the WannaCry threat and its impact on healthcare.” The center produced one-page resource documents to provide assistance for small and medium-sized hospitals with few cybersecurity resources, an approach the agency plans to replicate in the future.
Scanlon added that the HCCIC was built “essentially out of hide” by reallocating money from existing programs and tying in some additional IT spending. Moving forward, the goal is for the center to receive line-item funding in annual budgets.
HHS has also developed a new approach to its IT budget planning process. CIOs throughout HHS have signed an agreement that makes IT security a primary focus across the agency and in the workplan for each of the agency’s CIOs.
“We are reimagining or reorganizing the way we deal with cybersecurity so we have the strongest and most effective use of resources we have,” Scanlon said.
Much of the hearing focused on the HHS Cybersecurity Task Force report released last week. Witnesses highlighted some of the critical gaps facing the industry when it comes to information sharing, a debilitating cybersecurity workforce shortage, and ensuring small and medium-sized providers have the resources to respond to a ransomware attack like WannaCry.
Effectively addressing cyberthreats goes well beyond government oversight and requires buy-in from both public and private industries. In a call hosted by the Atlantic Council Thursday afternoon, Emery Csulak, chief information security officer and senior privacy official at the Centers for Medicare and Medicaid Services and the co-chair of the Health Care Industry Cybersecurity Task Force, stressed that the success of cybersecurity improvements in healthcare relies on public-private partnerships.
“The testimony this morning focused on what HHS is doing, but roughly half of action items from that report are focused on what industry could be doing,” he said.