HHS pushes better cybersecurity across the health sector

Between constant ransomware and medical device software scares, the health care sector has become a scary place for cybersecurity. Now the Department of Health and Human Services (HHS) is asking organizations in the health care sector to adopt what it calls "high-impact cybersecurity practices." For details, the Federal Drive with Tom Temin spoke with Brian Mazanec, HHS deputy assistant secretary and director of the Office of Security, Intelligence, and Information Management.

Interview Transcript:

Tom Temin And we should point out you're back in your role at HHS rather than your prior role at the Government Accountability Office. So nice to see people move around and still be on the show. And the issuing organization for these standards is the Administration for Strategic Preparedness and Response. What's coming from whom here?

Brian Mazanec The Administration for Strategic Preparedness and Response, or ASPR, is an operating division within HHS that is focused on assisting the country in preparing for, responding to, and recovering from public health emergencies and disasters. The role we play as it pertains to cybersecurity is we serve as the lead for the department's role as Sector Risk Management Agency, or SRMA, for the health care and public health (HPH) sector. So there are 16 critical infrastructure sectors that have been designated, and health care and public health is one of them. And we serve as sort of that quarterback or belly button within the department. We don't do everything across the department. There are other key players, like the Food and Drug Administration for medical devices, but we coordinate all of that as the SRMA lead and are the central, quote unquote, one-stop shop for the department in doing so.

Tom Temin And there have been some highly celebrated, highly recognized ransomware attacks on health care delivery organizations, hospitals. Is this part of what's prompting the idea of cybersecurity performance goals?

Brian Mazanec Absolutely. So while we've been doing a number of things to try to help the health care and public health sector bolster its cybersecurity posture, to be able to deal with these threats, the threats themselves have been increasing in intensity and sophistication, particularly, as you mentioned, ransomware attacks. We're focused on all things related to cybersecurity in the sector, and obviously any malicious activity is of concern. But the ransomware attacks are particularly concerning because they lock down certain systems within a hospital, for example, and demand payment or a ransom. And when they do so, they really pose an immediate threat to patient health and safety. So imagine going to a hospital or an emergency room, and they can't use the MRI machine or access your electronic medical records to know you're allergic to penicillin. Obviously the consequences there are pretty acute. We believe cybersecurity is patient safety, and we're very focused on that. But to your question, absolutely, the ransomware activity has been increasing year over year. I just saw this morning, and this was not specific to our sector but broadly across the board, an industry report came out that identified that the victims of ransomware attacks paid over $1.1 billion in 2023, and that's compared to about $570 million in 2022. So there are criminal actors, and there are state actors in the mix. The health care and public health sector in particular, for reasons I just alluded to, is particularly vulnerable. There's a lot of pressure to, frankly, pay the ransom. So it's a sector that has historically paid. It's also a place where you have a lot of legacy medical devices, a very complicated environment, and a sector where some of the rural and critical access hospitals really don't have big margins.

Tom Temin I wanted to ask you this, too. We learned a couple of years ago in the Colonial Pipeline episode that there is a connection, a crossover, between operational technology, which has traditionally maybe not been on the internet, and the information systems that are on the internet in sectors. It sounds like that's true in the health care sector also. You've got this big operational hospital device complex, but then they have standard information systems with everybody on email, etc.

Brian Mazanec It's an incredibly complicated environment. You have billing as well, which is very important for the hospital system. So any of those systems can be affected. And often with a ransomware attack, if an actor gets into it, they will move across systems in parallel, if they have that ability, and will lock down multiple things. It won't necessarily just be the X-ray machines, for example, that are down, but it's a broader consequence for the system. And we've seen, unfortunately, more and more ransomware attacks that aren't targeting a single hospital or a health care delivery organization. We see those, but we're seeing attacks that are affecting hospital networks that are multi-state, with dozens of hospitals. So very, very concerning. And that's why, to go back to the cybersecurity performance goals, that's why we felt like we needed to do more. And the department is undertaking a number of steps to level up our activity to better support the sector as this threat increases.

Tom Temin We are speaking with Brian Mazanec, deputy director of the Office of Preparedness at HHS. That's at Health and Human Services. So what are the standards you're pushing, and how are you getting the word out to the organizations?

Brian Mazanec We have heard, as we've worked with our partners in the sector itself and elsewhere, that there's a need to harmonize cybersecurity standards. There's confusion over which standards to follow, which apply most directly to the health care and public health sector. So we undertook this effort in partnership with industry. This was informed by their input on other efforts and products that we've developed in the past, to develop these health care and public health sector cybersecurity performance goals. They're intended to provide both a floor as well as an advanced level of guidance that is clear and accessible at all different levels. You don't necessarily have to be an IT administrator to pick these up and use them. They set minimum standards that address a number of the threats that we've seen based on our work in the sector, so you can be better able to prevent, and then, if you are affected by a ransomware attack, respond to and recover from those attacks. And we break them into essential goals, which, again, are kind of sort of that floor, the baseline that we think everyone in the sector should adhere to. These are voluntary, but we think these are good best practices. And then we have the enhanced goals, which are for the better resourced or more capable entities to really do even more to prepare for these kinds of cyber attacks.

Tom Temin And by the way, as more health organizations offer telehealth, that kind of mixes the ecosystems of their own and those of everybody that could be on a telehealth session.

Brian Mazanec Yes, absolutely. And these cybersecurity performance goals for the sector will help in all of those contexts. They will harden systems in a variety of ways to protect the sector.

Tom Temin And do you have tailored, let's say, standards for some small clinic that has maybe three medical doctors there, and a few nurses and a couple of administrators, versus a Mass General type of situation?

Brian Mazanec Yeah. So the essential goals are really targeted to those less well resourced or smaller entities. That's, again, the floor, really the place to start if you need to make more progress in this area. Something that informed our development of the cybersecurity performance goals is another resource we've developed called the HICP, the Health Industry Cybersecurity Practices guide, which we developed jointly with industry. And we mapped the CPGs directly to those, as well as to other existing guidance. So again, to simplify, we show how this is all connected, and they culminate in this one reference that you can pick up and know what to do. But the HICP, which informed a lot of this, actually also breaks out a lot of its resources, its how-to guides, by large and small entity. So it's another way, if you're small, to know where to get started in this space. And in the CPG document itself, we mapped, with links, directly to all those resources to make it as user friendly as possible. Because again, we heard from the sector that there needs to be simplicity here. You need to understand what you need to do and eliminate some of the noise and confusion in this space.

Tom Temin Because in theory, there is one ecosystem, just like how many roads are there in the United States. Well, just one, because they're all connected and you can drive anywhere to anywhere. And as more interdependent technologies, such as through the electronic health records, come among health care organizations, something happens at a local clinic and all of a sudden you're in a hospital. Your electronic record goes there. There's much more, I guess, chance for cross-fertilization of malware happening in the sector.

Brian Mazanec Yeah, absolutely. I think ecosystem is the right word for it. And we do see some of the same ransomware actors attacking the same vulnerability repeatedly in different entities, which is, again, why the first essential goal that you'll see when you look at the CPGs is mitigating known exploited vulnerabilities, to reduce the likelihood of an actor rippling through multiple hospitals that all have the same vulnerability, for whatever reason. So absolutely, it's an ecosystem. And there are also cross-sector dependencies, too. So if the power sector goes out, that has an effect as well. We work closely with our interagency partners, the other sector risk management agencies, on that front as well.

Tom Temin And you said they’re voluntary. Of course, these are organizations that are in the private sector. Is there any kind of incentive that you can give them? Do they get a gold star to put on the door? Hey, we’re cyber secure.

Brian Mazanec Yeah, great point. Again, we really want to emphasize these are voluntary cybersecurity practices that we think will help our partners understand the key practices to secure their systems and improve their cybersecurity. But we know we need to do more to encourage and support their adoption. So, if you go back to December, we rolled out a new roadmap for the department. This rollout of the cybersecurity performance goals, or CPGs, was one of four pillars of our new roadmap. The others, and they're all sort of interlocking and mutually supporting: the second pillar was to provide more resources to incentivize the implementation of these practices. So we are working right now with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement these high-impact cybersecurity practices. That was the second pillar of the strategy. So they're very much interconnected.

Tom Temin And by the way, just as an aside, what is the progress of electronic health records in the industry relative to, say, 10 or 12 years ago?

Brian Mazanec Yeah, there's enormous adoption, and it's been a tremendous journey. The perverse kind of dynamic, though, unfortunately, is that as we've taken advantage of that and pushed the adoption of EHRs across the enterprise, that does make it harder for entities to navigate a cybersecurity ransomware attack that locks down the EHR. So, again, going back to the cybersecurity performance goals, one of the things in the enhanced goals pertains to incident planning and preparedness, which is all about consistently maintaining, drilling, and updating your cyber incident response plans, which should include how you operate on downtime procedures with paper records. So if your system is locked out, how do you provide essential care? And for some new physicians and medical providers, that's a new thing for them that they need to really learn and exercise. So that is also, again, as another example, something that's embedded inside these cybersecurity performance goals to prepare you to navigate that paper-driven world that many folks aren't familiar with because of the success of the EHR adoption.

Tom Temin Yes, I remember when the main piece of information technology that a doctor would have was a fountain pen.

Brian Mazanec Yeah, sometimes that’s a critical tool in navigating a ransomware attack.

Copyright © 2024 Federal News Network. All rights reserved.