HHS’ ASPR playing ‘quarterback’ for cyber response, resilience

Brian Mazanec, the deputy director of the Office of Preparedness in HHS’ ASPR, said HHS is implementing several initiatives under its year-old strategy.

As the threat of cyber attacks against public and private sector healthcare organizations continues to increase, the Department of Health and Human Services is bringing in some help.

As the healthcare sector risk management agency for cybersecurity, HHS over the last year has matured its cyber tools and how it coordinates across government and with the private sector.

Brian Mazanec, the deputy director of the Office of Preparedness in the Administration for Strategic Preparedness and Response in HHS, said the agency is adding muscle to its cyber protections.

“Just a little over a year ago, that coordination was occurring, but not as smooth as it needed to be. We took some steps, and actually now have a Public Health Service captain, or an O-6 officer, permanently embedded within the National Cyber Investigative Joint Task Force, which the FBI leads. We have an HHS ASPR person embedded full time with the FBI agents and other law enforcement folks who work in that task force and really are dealing with very sensitive information and responding to cyber incidents in the healthcare sector every day,” said Mazanec on Ask the CIO. “That’s just another example where we’ve really tightened up and continue to mature our partnership with the FBI. We do work with the other health-focused entities like the Veterans Affairs Department, the Defense Health Agency, certainly within HHS, with the Indian Health Service and with the Centers for Medicaid and Medicare Services.”

Of course, ASPR also works closely with the Cybersecurity and Infrastructure Security Agency, the federal lead for the sector coordinating agencies, as well as with the HHS chief information officer’s office and other cyber-related organizations across the agency.

The cyber coordinating council’s efforts are becoming more important than ever as the number of cyber threats and attacks has skyrocketed. The Office of the Director of National Intelligence reported that in 2023 healthcare organizations in the U.S. faced 128% more ransomware attacks than the previous year. Worldwide ransomware attacks against the healthcare sector have steadily increased and nearly doubled since 2022, reaching a total of 389 victims in 2023 compared with 214 in 2022.

Mazanec said ASPR’s role is to “quarterback” the cyber incident response capabilities by convening partners within the department, across the government and among the private sector.

That leadership effort is underpinned by a four-pronged strategy ASPR laid out about a year ago.

Mazanec said the six-page document aims to lay out a plan to close current and future gaps in the healthcare sector as well as ensure HHS is providing these hospitals and clinics the support they need to lower their risks and be resilient to attacks.

The four pillars of the strategy address:

  • Establishing voluntary cybersecurity performance goals for the healthcare sector
  • Providing resources to incentivize and implement these cybersecurity practices
  • Implementing an HHS-wide strategy to support greater enforcement and accountability
  • Expanding and maturing the one-stop shop within HHS for healthcare sector cybersecurity

Mazanec said HHS has completed most of the near-term goals to establish voluntary cyber performance goals.

“It was the need for better guidance for the sector on what are the most high-impact cybersecurity practices to implement. If you’re a small hospital CISO and you’re struggling to know where to start and you’ve got the National Institute of Standards and Technology cybersecurity framework, the cross-sector cybersecurity performance goals and HIPAA, where do you start?” he said. “There was a lot of confusion. What’s the true north for the sector? What are the most high-impact practices? The first pillar of the strategy was to develop healthcare-specific cybersecurity performance goals. We have done that and we published those in January.”

HHS asked for additional cyber funding

HHS detailed 10 essential goals like multi-factor authentication and basic incident planning and preparedness. It also outlined 10 more enhanced goals like having an asset inventory and network segmentation.

Mazanec said the other three pillars are a work in progress.

For the second pillar, HHS worked with the White House to add specific funding requests for the fiscal 2025 budget submission. These included a $1.3 billion request for a program led by CMS to provide resources directly into the healthcare sector for cybersecurity.

“Another example that is specific to ASPR is we have the hospital preparedness program, which is a roughly $240 million program that provides that amount in funding to healthcare coalitions, mostly state based, but some are for large metropolitan areas as well, to help them engage in preparedness activities that may not just be cyber specific, but really for a range of scenarios,” he said. “We were very intentional because of this strategy when we were preparing for the notice of funding opportunity for this hospital preparedness program, which went out a few months ago, and we’ve actually just recently announced the awards, including building an entirely new cyber component, so recipients are now going to use those funds, among other things, to practice downtime procedures and in the wake of a cyber incident within their healthcare coalition, to do a risk assessment and a gap analysis focused on those healthcare specific cybersecurity performance goals.”

One-stop shop under construction

Under the third pillar around accountability, Mazanec said giving healthcare organizations more money is good, but they also have to be held accountable for using that money to actually take steps to secure their systems and data.

He said ASPR is looking across the department at what levers and capabilities could be applied more robustly.

“One example that we’ve talked about publicly is an update to the Office of Civil Rights HIPAA Security Rule, which is underway. That is an enforcement tool the department has to ensure that covered entities take appropriate steps to protect themselves from a cyber perspective,” Mazanec said. “We’re also looking at others where we can push the sector from an accountability perspective.”

The fourth pillar, building a one-stop shop within HHS, received a timely boost recently when the agency helped respond to the Change Healthcare ransomware attack.

Mazanec said ASPR asked for an additional $12 million in the 2025 request to begin to build that one-stop shop capability.

“That’s going to help us both have folks to be sector ambassadors where they will reach out and engage on an education perspective across the country. They will push these existing resources that we’ve developed, these best practices, and do risk assessment activities. They also really help give us more capability on the incident response side too,” he said. “There’s still going to be a lot of expertise in other parts of HHS like FDA, for example, for medical device cybersecurity and some of the capabilities in OCIO on the technical side. We’ll continue to hopefully build those out there and leverage them so it still is very much a team effort across the department, but ASPR will play that enhanced one-stop shop role.”
