Despite mounting criticism over the Department of Health and Human Services’ new cybersecurity communications center, one IT think tank believes the government’s healthcare-specific approach to threat-sharing will raise the stakes for the entire industry.
HHS officially launched its Healthcare Cybersecurity Communications Integration Center (HCCIC) in June after test-driving it during the WannaCry attack in May. During a hearing before the House Energy and Commerce Subcommittee on Oversight and Investigations in June, HHS' deputy chief information security officer told lawmakers the Department of Homeland Security (DHS), which operates its own National Cybersecurity Communications Integration Center (NCCIC), recommended HHS form its own spinoff to improve threat-sharing across the healthcare sector.
Not everyone is on board with that approach. In a subsequent Senate hearing, Health Information Trust (HITRUST) Alliance CEO Daniel Nutkis argued that the HCCIC duplicates efforts within both DHS and the private sector. Two senators later sent a letter (PDF) to HHS Secretary Tom Price asking him to clarify the agency’s plans to integrate the HCCIC with other federal initiatives.
But a detailed report (PDF) authored by James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, argues that the approach is a “quantum leap forward” to support cybersecurity efforts throughout healthcare, which has been “the most gaping wound among all critical infrastructure silos.”
Rather than duplicating efforts from DHS, Scott argued the HCCIC is a needed resource for healthcare organizations of all sizes, and any “minor redundancies” only serve as “secondary checks and communication channels” to protect patient information. He argued that cybersecurity self-regulation has failed within the industry, as evidenced by the growing number of attacks and data breaches.
Instead, he said HCCIC offers “real leadership and powerful collaboration” that could elevate the industry’s cybersecurity infrastructure.
“Without the HCCIC, the success of the NCCIC will be dependent on the avarice and will of private companies who are more interested in market incentives than the security posture of the sector,” Scott wrote. “It will not succeed in its mission to secure the [healthcare and public health] sector because negligent ‘self-regulating’ coalitions of large corporations will institute minimalistic checkbox frameworks that deter liability instead of ensuring security and leverage their status as information gatekeepers against small and mid-size entities.”