HHS remakes cyber threat center to have external focus


The Department of Health and Human Services is trying to clear up any confusion and refocus its efforts to help the health care sector protect itself from cyber attacks.

HHS transitioned the Healthcare Cybersecurity and Communications Integration Center (HCCIC) to the Health Sector Cybersecurity Coordination Center (HC3). HHS launched the HCCIC in 2017.

And the timing couldn’t be better. Fortinet’s recent analysis of cyber threat data found healthcare organizations experienced more than twice the number of attacks on average as compared to other sectors. The company found in 2017 that on average healthcare organizations faced 32,000 intrusion attacks per day, which is more than double the amount average organizations in other sectors faced.

Additionally, the Food and Drug Administration signed a memorandum of agreement with the Homeland Security Department in October to implement a new framework to improve coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats.

Advertisement

“Under the agreement, DHS will continue to serve as the central medical device vulnerability coordinating body and interface with appropriate stakeholders, including consulting with the FDA for technical and clinical expertise regarding medical devices. The DHS’ National Cybersecurity and Communications Integration Center (NCCIC) will continue to coordinate and enable information sharing between medical device manufacturers, researchers and the FDA, particularly in the event of cybersecurity vulnerabilities in medical devices that are identified to DHS,” wrote Suzanne Schwartz, M.D., M.B.A., the FDA’s associate director for science and strategic partnerships at the Center for Devices and Radiological Health, in a blog post on Nov. 1. “The FDA will continue to engage in regular, ad hoc and emergency coordination calls with DHS and advise DHS regarding the risk to patient’s health and potential for harm posed by identified cybersecurity threats and vulnerabilities.”

Basically the actions by HHS, including the FDA, and DHS are all about getting the best, most useful cyber threat intelligence to the healthcare providers, companies and other stakeholders as soon as possible, and in the most valuable way.

HHS cyber center’s new approach

Janet Vogel, the acting chief information security officer at HHS, said the HC3 is taking on this broad goal in a much different way than its predecessor, the HCCIC, did.

“As we worked with stakeholders to evolve this concept, we heard a need to focus on external sector functions. This led us to shift our focus, which helped us clarify our customer base,” Vogel said on Ask the CIO. “As originally conceived, the HCCIC was viewed as a health sector organization similar to the NCCIC at DHS. So our HHS HCCIC had both external sector coordination and internal security functions. The focus on the national health sector led us to rename the organization to the Health Sector Cybersecurity Coordination Center (HC3). We also hope the name change will eliminate any confusion with the NCCIC, which is run by our partners at DHS.”

Janet Vogel is the acting chief information security officer at HHS.

The way HHS set up the HCCIC led to mission overlap and confusion, and eventually frustration by lawmakers.

Vogel said while the HC3 remains part of HHS’s operational organization, it is not focused on internal cybersecurity. She said it does, however, take information collected by agency bureaus or by other federal partners and shares them with external stakeholders.

“We are able to network across the health care sector, both with federal partners and private sector partners, to share information,” she said. “This gives us a stronger ability to hunt and to track threats. We also share information across the entire network that we built. That allows us to begin the analysis of the data sooner and share what a potential impact could be.”

Additionally, the HC3 will work closely with the Veterans Affairs Department and the Defense Health Agency to collect, share and coordinate on cyber threats to the healthcare sector.

“We’ve been meeting with them on a regular basis and shared our ideas, including the name change, which was very well received,” Vogel said. “We’ve kept them up-to-date on the types of things we are doing, what we are looking at, and our reporting to them has improved. We’ve built our relationships for communications, which expedites any transfer of information, which helps our partners react just in case there is a threat that comes up.”

Lessons from WannaCry

The HC3 bigger impact, however, will be with external stakeholders. Vogel said HHS is building on its experience with the WannaCry incident in 2017.

“Through that experience, we’ve learned HHS can come together as an organization to combat health sector threats and effectively handle national cybersecurity incidents. We demonstrated the ability to link internal analysis and findings with external communications to protect the health sector,” she said. “That experience also provided us with lessons learned on how to improve our efforts. And as a result, we improved our operating procedures, our outreach capabilities and we build positive relationships with healthcare sector organization such as Health Information Sharing and Analysis Center (HISAC) and HITRUST. We even became a little bit more efficient in cybersecurity analytics and our response methods.”

Vogel said the HC3 has a watch floor with HHS employees such as the inspector general, and eventually will include representatives from other organizations, which Vogel said provides insight into what’s important for those organizations or sectors.

“Through our network, we have a view of more than 1.2 million end points across the country. We watch specifically for any anomalies in behavior and if there are any alerts, we can dig into those and look at the cause,” she said. “Our sharing of information is through our secure email activity with listserves of multiple organizations and users. We hope by getting the word out that we are very active in this area and more people will join so we can share this information with more and more people. The information we are sharing is unclassified so it can be used by just about anybody.”

Vogel said over time the HC3 wants to create a feedback loop to know what alerts and advice helped and what didn’t. Then the HC3 can adjust its products so the healthcare sector can improve their cybersecurity.