Inside HHS’ ‘one-stop shop’ for health sector cybersecurity

In the wake of the Change Healthcare ransomware attack, HHS has been expanding its "one-stop shop" for working with the healthcare sector on cyber issues.

The Department of Health and Human Services’ Administration for Strategic Preparedness and Response is considered HHS’ “one-stop shop” for working on cyber issues facing the healthcare and public health sector.

But Brian Mazanec, deputy director in ASPR’s Center for Preparedness, said that doesn’t mean his organization is handling every health sector cybersecurity issue at HHS.

“It just means that we are playing that leading role, that quarterback role, in really marshaling all of the tools and resources the department brings to bear to support the sector, particularly for cybersecurity and cyber hazards,” Mazanec said in a recent interview. “Unfortunately, we’re seeing the threat continues to grow in frequency, sophistication, elements of the sector that are being hit, so there’s a lot of work to do here.”

The health sector is the top target for ransomware attacks, according to the FBI’s Internet Crime Complaint Center. The February ransomware takedown of payments provider Change Healthcare upended healthcare operations across the sector, shining a spotlight on cyber vulnerabilities in the sector and sparking calls for reform.

But even before the Change Healthcare ransomware attack, HHS had already laid out plans to expand ASPR and its role as the “sector risk management agency” for healthcare.

ASPR has since established a cybersecurity division within its Office of Critical Infrastructure Protection. Mazanec said the division is the focal point for ASPR’s cyber work with the sector. The division has hired an “initial tranche” of federal staff, he said.

One of the cyber division’s core responsibilities will be incident response, Mazanec said. When a cyber attack hits a major hospital, for instance, ASPR’s team will work with the FBI and the Cybersecurity and Infrastructure Security Agency to help respond and offer support.

“We come in and try to understand, well, what are the patient impacts, what systems are down, what things can we offer to potentially help or be monitoring, to maybe take further actions to again, blunt those patient impacts,” Mazanec said.

ASPR can also call on other parts of its organization, such as the HHS-sponsored Medical Reserve Corps, to help hospitals and other health organizations recover from a major cyber incident.

“They can be a great source of staffing support, because a lot of times when you go onto downtime procedures, you’re doing paper records, those kind of things that are much more manually intensive,” Mazanec said. “So we can help facilitate connections to local MRC units, who can potentially assist with staffing decompression as they manage those downtime procedures, which can go on for weeks unfortunately.”

Another key facet of ASPR’s cyber division is “communication and education,” Mazanec said. That includes internal communication across HHS, where organizations ranging from the Office of Chief Information Officer to the Food and Drug Administration handle different aspects of healthcare cybersecurity.

But Mazanec said ASPR is also strengthening its proactive outreach efforts to the sector on cybersecurity issues. That includes encouraging the adoption of HHS’ voluntary cybersecurity performance goals, which were released in January.

Copyright © 2024 Federal News Network. All rights reserved.
