Preparation, collaboration lifts HHS through ransomware threat

When the recent ransomware threat hit the federal government, Tom Price, the secretary of the Department of Health and Human Services, jumped on a call with his technology executives to make sure the situation was under control.

Price’s participation was unexpected, but welcomed.

Adriane Burton, the chief information officer at Health Resources and Services Administration (HRSA) in HHS, said she was on several calls about WannaCry. She said one of the reasons HHS and HRSA fared so well was the planning it had done over the last few years to prepare for such an event.

“We knew about the event early on because of our security tools. We were really just well prepared and had robust processes and procedures in place,” said Burton on Ask the CIO. “Communication this time was really great at levels within HHS, both internally between the different operating divisions in HHS and also externally with the customers we support.”

Adriane Burton is the CIO for the Health Resources and Services Administration in the Department of Health and Human Services.

When indications of the attack started to emerge on a Friday, Burton said the chief information security officer community within HHS started having calls. HRSA dispatched some of its security folks to the HHS security operations center to help out with the challenge.

“We had different conference calls probably about every 5 hours in terms of what was the status, and then there were calls internally within HHS and also externally with different health care providers to make sure they were aware of the WannaCry as well,” she said.

Burton said HRSA’s cyber posture will continue to improve through new tools and capabilities under the continuous diagnostics and mitigation (CDM) program provided by the Homeland Security Department.

“Over the years, you are maturing your processes and procedures such as understanding what your inventory is and making sure everything is locked down,” she said. “It’s also about communication because cybersecurity cuts across different groups so making sure that there is that open communication and collaboration. You have those systems we are responsible for managing within HRSA, but just because we outsource or contract out different capabilities to vendors, it doesn’t mean we aren’t responsible for them. For instance, we had to reach out to the vendor who provides the National Practioner Data Bank. We have close communications with the organization that is responsible for the organ procurement system. Over the years, we’ve incorporated their information system security officer for these contracted systems in our bi-monthly meetings with the ISSOs within HRSA so when these situations occur you already have these working relationships with the organizations you need to reach out to.”

Like with cybersecurity, HRSA is relying on data to make better decisions in other mission areas too.

Burton said her office launched a business intelligence capability using Tableau software for its grants oversight system so HRSA can do predictive oversight.

HRSA also is in the process of updating its data warehouse to take even more advantage of those business intelligence tools.

“Our goal is to eliminate static PDF reports and provide flexible dashboards so they can be used internally at HRSA and externally by our customers,” she said. “Different state and local governments or health care organizations can access the data and use the data more flexibly.”

Burton said through the dashboards, HRSA and its partners will be able to take the data and marry it with other information from disparate sources more easily.

She said HRSA has a contract in place to support the data warehouse modernization project and it could take 12-18 months to complete.

HRSA recently kicked off another big data effort with the Veterans Affairs Department.

HRSA’s health center program supports 1,400 centers operating at more than 10,000 sites. VA asked HRSA what health centers existed in certain geographic regions.

“VA wanted access to our health center data to decide where to build new hospitals,” Burton said. “We have a tool right now called “Find a Health Center,” and so that is part of the data warehouse and part of that redesign effort will look at different types of information we can receive from other agencies and how potentially we can overlap that data.”

Burton said the merging of data is another 12-18 month effort.