HHS looks to create ‘one-stop shop’ for healthcare cybersecurity

Amid the response to the Change Healthcare ransomware attack, the Department of Health and Human Services is aiming to better organize its healthcare cybersecurity resources and programs.

HHS is creating a “one-stop shop” for cyber at the department’s Administration for Strategic Preparedness and Response, according to Brian Mazanec, the deputy director for ASPR’s Office of Preparedness. ASPR leads U.S. health and medical preparedness for disasters and other public health emergencies.

“We’re really establishing ASPR as that one-stop shop to manage this information sharing across the department, with our partners in industry, with the interagency,” Mazanec said during a March 29 webinar hosted by the HHS-sponsored Regional Disaster Health Response System.

Mazanec noted that ASPR leads HHS’ work as the “sector risk management agency” for the healthcare and public health sector.

But several other HHS organizations also play significant roles in managing different healthcare cybersecurity risks. The HHS Office of the Chief Information Officer includes a “Health Sector Cybersecurity Coordination Center (HC3).” The Food and Drug Administration regulates the cybersecurity of medical devices.

The Centers for Medicare and Medicaid Services (CMS) has played a major role in offering assistance to the healthcare sector following the Change Healthcare incident. Meanwhile, HHS’ Office of Civil Rights investigates data breaches involving protected health information. OCR recently launched an investigation into the Change Healthcare hack.

“There’s too many doors into cybersecurity when engaging with the federal government generally, let alone HHS,” Mazanec said. “Within HHS, there are a lot of different players. So we’re in the process now of really establishing this front door through ASPR to all of those resources.”

Meanwhile, lawmakers are asking questions about the federal response to the Change Healthcare incident. The breach has been called the “most serious of its kind” in the healthcare sector. The ransomware attack on the claims processor in late February forced it to take down its systems. That has led to payment and claims processing delays across the healthcare sector.

In a March 25 letter, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) asked HHS what it was doing to prevent similar incidents in the future. And he urged HHS and the Cybersecurity and Infrastructure Security Agency to launch a campaign “to engage and inform health care entities and the public of cybersecurity best practices and resources available to them.”

The healthcare sector is the top target for ransomware attacks, according to the most recent report from the Internet Crime Complaint Center. The Biden administration has called for regulating the cybersecurity of critical infrastructure, including the health sector. CISA recently issued proposed cyber incident reporting rules for all 16 critical infrastructure sectors.

Moving forward, Mazanec said HHS will continue to carry out a new cybersecurity strategy for the health sector detailed by ASPR in a December white paper.

The white paper calls for incentivizing cybersecurity best practices, establishing voluntary goals for the healthcare sector, and acting through CMS to propose new cybersecurity requirements for hospitals.

It also lays out the rationale for making ASPR the “one-stop shop” for cybersecurity at HHS.

“A one-stop shop will enhance coordination within HHS and the Federal Government, deepen government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more,” the white paper states. “ASPR has the response expertise and capabilities appropriate for helping the sector navigate and access the array of cybersecurity supports available from HHS and across the federal government.”

Copyright © 2024 Federal News Network. All rights reserved.
