After Change Healthcare, HHS building cyber incident response team

In the wake of the Change Healthcare ransomware attack, HHS has been expanding its "one-stop shop" for working with the healthcare sector on cyber issues.

The Department of Health and Human Services’ Administration for Strategic Preparedness and Response is considered HHS’ “one stop shop” for working on cyber issues facing the healthcare and public health sector.

But Brian Mazanec, deputy director in ASPR’s Center for Preparedness, said that doesn’t mean his organization is handling every health sector cybersecurity issue at HHS.

“It just means that we are playing that leading role, that quarterback role, in really marshaling all of the tools and resources the department brings to bear to support the sector, particularly for cybersecurity and cyber hazards,” Mazanec said in a recent interview. “Unfortunately, we’re seeing the threat continues to grow in frequency, sophistication, elements of the sector that are being hit, so there’s a lot of work to do here.”

The health sector is the top target for ransomware attacks, according to the FBI’s Internet Crime Complaint Center. The February ransomware takedown of payments provider Change Healthcare upended healthcare operations across the sector, shining a spotlight on cyber vulnerabilities in the sector and sparking calls for reform.

But even before the Change Healthcare ransomware attack, HHS had already laid out plans to expand ASPR and its role as the “sector risk management agency” for healthcare.

ASPR has since established a cybersecurity division within its Office of Critical Infrastructure Protection. Mazanec said the division is the focal point for ASPR’s cyber work with the sector. The division has hired an “initial tranche” of federal staff, he said.

One of the cyber division’s core responsibilities will be incident response, Mazanec said. When a cyber attack hits a major hospital, for instance, ASPR’s team will work with the FBI and the Cybersecurity and Infrastructure Security Agency to help respond and offer support.

Mazanec said ASPR can help hospitals grapple with how to address the fallout from a cyber incident, like the potential diversion of patients to other facilities.

“We come in and try to understand, well, what are the patient impacts, what systems are down, what things can we offer to potentially help or be monitoring, to maybe take further actions to again, blunt those patient impacts,” Mazanec said.

ASPR can also call on other parts of its organization, such as the HHS-sponsored Medical Reserve Corps, to help hospitals and other health organizations recover from a major cyber incident.

“They can be a great source of staffing support, because a lot of times when you go onto downtime procedures, you’re doing paper records, those kind of things that are much more manually intensive,” Mazanec said. “So we can help facilitate connections to local MRC units, who can potentially assist with staffing decompression as they manage those downtime procedures, which can go on for weeks unfortunately.”

ASPR is also using grant funding to drive cybersecurity improvements at facilities that receive funding under the Hospital Preparedness Program.

“With the most recent cooperative agreements and funding that we just dispersed some weeks ago to the coalitions, we were very intentional to build cyber into the notice of funding opportunity and into those cooperative agreements,” Mazanec said.

In addition to hospitals, Mazanec said ASPR is focused on third-party risks, such as the dangers posed by relying on large providers like Change Healthcare. He said ASPR is currently working on a new sector risk assessment as part of a new national security memorandum on critical infrastructure.

“A key part of that is going to be looking at that systemic and third party risk,” Mazanec said. “And the NSM also directs us to develop a sector specific plan informed by that risk assessment . . .  That’s where we’ll grapple with, ‘OK, here’s what the risk posture looks like. What can we do to hit those critical entities and help them better, to make sure we’re as secure and resilient as possible across the ecosystem?'”

Another key facet of ASPR’s cyber division is “communication and education,” Mazanec said. That includes internal communication across HHS, where organizations ranging from the Office of Chief Information Officer to the Food and Drug Administration handle different aspects of healthcare cybersecurity.

But Mazanec said ASPR is also strengthening its proactive outreach efforts to the sector on cybersecurity issues. That includes encouraging the adoption of HHS’ voluntary cybersecurity performance goals, which were released in January.

HHS also recently shifted its public-private cybersecurity program, referred to as the “405(d) program,” under the auspices of ASPR. It had previously been run out of the office of the chief information officer.

The 405(d) program helps facilitate HHS’s work with the Health Sector Coordinating Council, a key public-private organization that works across the sector on cybersecurity issues.

“We’re in the process now of implementing that reorganization and plan to leverage the two different channels that those both had to have one bigger microphone, a better way to reach and collaborate with the sector, by bringing those pieces together that were very similar functions that I think will work better fully integrated,” Mazanec said.

Healthcare cyber requirements

Meanwhile, HHS’s Office of Civil Rights (OCR) handles the enforcement of privacy, security and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA).

But the HIPAA rules haven’t been updated in more than a decade. As part of the cybersecurity concept paper released last December, HHS said it would work to embed the cybersecurity performance goals as requirements into the HIPAA rule.

And as part of its 2025 budget request, HHS also laid out plans for a new Medicare incentive program to encourage hospitals to adopt baseline cyber protections beginning in 2027. Beginning in 2029, HHS would begin penalizing hospitals for failing to meet cyber standards.

Meanwhile, Congress has also floated legislation that would establish new cyber requirements for the health sector.

While ASPR is not in charge of establishing cyber requirements, Mazanec said his organization is “part of the conversation” as the sector risk management agency.

“We are moving as quickly as we can with what is a very complicated ecosystem and landscape of different authorities,” Mazanec said. “We’re working with our colleagues on the Hill as they have discussions and consider any additional new authorities that might make sense in the space.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
