Congress is taking HHS to task about problems with the department’s cybersecurity threat report required by the Cybersecurity Information Sharing Act of 2015.
The HHS Cyber Threat Preparedness Report (CTPR) “omitted or lacked sufficient detail on many outstanding issues,” charged a June 5 letter from the chairmen and ranking members of the House Energy and Commerce Committee and the Senate Health, Education, Labor, and Pensions Committee to HHS Secretary Alex Azar.
“As cyber threats to the health care sector increase in frequency and severity, it is imperative that HHS provide clear and consistent leadership and direction to the sector regarding cyber threats,” the lawmakers wrote.
The letter was signed by Rep. Greg Walden (R-OR), chairman of the House committee, Rep. Frank Pallone Jr. (D-NJ), the committee’s ranking member, Sen. Lamar Alexander (R-TN), chairman of the Senate panel, and Sen. Patty Murray (D-WA), the panel’s ranking member.
HHS is both the healthcare sector regulator and the sector-specific agency (SSA) tasked with providing industry guidance on critical infrastructure protection.
“HHS must make clear how it plans to carry out this dual role and clearly communicate that plan to stakeholders, who must balance the need for support from HHS during cybersecurity incidents with the perceived risk that seeking support could lead to regulatory enforcement actions,” they wrote.
The report did not clarify when HHS will act as a regulator and as an SSA in dealing with healthcare organizations. In addition, the report did not document HHS policies and procedures for responding to cybersecurity incidents that involve multiple HHS operating divisions or offices, the lawmakers judged.
“For example, a cybersecurity incident may initially affect a health care provider’s electronic health records, requiring a response from the Office of Civil Rights or the Office of the National Coordinator. If such an incident also compromised medical devices, the Food and Drug Administration likely would need to respond as well,” the letter observed.
The lawmakers expressed concern about the lack of information in the report about the Healthcare Cybersecurity and Communications Integration Center (HCCIC), which HHS announced in April 2017 would be established along the lines of the DHS’s National Cybersecurity and Communications Integration Center (NCCIC).
Last fall, two senior cybersecurity officials at HHS were abruptly removed from their positions, leaving the HCCIC leadership in limbo. The two officials were Margaret Amato, who was director of the HCCIC, and Leo Scanlon, who was deputy chief information security officer and designated senior advisor for public health sector cybersecurity.
The removal of these officials “has had undeniable impacts on HCCIC and HHS’s cybersecurity capabilities,” the letter noted.
“The HCCIC’s surprise announcement, initial success, and subsequent troubles, combined with the inadequacies in the CTPR, have exacerbated the very issues that CISA was intended to address. HHS’s decision to present to our Committees a report that was outdated, incomplete, and inaccurate raises concerns about HHS’s ability to address the growing number and severity of cyber threats facing the health care sector,” the letter observed.
The lawmakers directed HHS to take the following actions by June 19:
• Update the CTPR to include changes, modifications, and evolution in HHS cybersecurity strategies
• Include in the updated report a detailed explanation of the HCCIC, its roles and responsibilities, how its work and operations intersect with the NCCIC and the National Health Information Sharing and Analysis Center (NH-ISAC), and how it fits into the department’s broader cybersecurity capabilities and responsibilities
• Add sections to the CTPR addressing: internal coordination between HHS operating divisions and offices that have regulatory authority over healthcare cybersecurity; role of HHS in securing its own internal information systems as compared to its role in providing guidance, information, education, training, and assistance to the healthcare sector; and the challenges HHS faces as both the healthcare sector regulator and the SSA, including how it will differentiate and transition between these roles
• Provide the expected date for the release of the healthcare cybersecurity best practices, which CISA directed HHS to develop in collaboration with other government officials and healthcare industry stakeholders
Erik Decker, chief security and privacy officer at the University of Chicago Medicine and advisory board chairman of the Association for Executives in Health Information Security (AEHIS), told the House Energy and Commerce Committee during a June 6 hearing that the HCCIC has been a “source of confusion” for the healthcare community.
“Specifically, confusion exists regarding the purpose of the HCCIC, the Department of Homeland Security (DHS) run National Cybersecurity and Communications Integration Center, and the existing industry Information Sharing and Advisory Centers (ISACs) and Information Sharing and Advisory Organizations (ISAOs),” he observed in written testimony.
Decker also said that AEHIS members are confused about who leads the HHS cybersecurity programs and who is the contact person at HHS about cybersecurity-related industry concerns. Members are also concerned that sharing cyber threat information with HHS might prompt enforcement action from the agency’s regulatory arm.
He supported designating the Office of the Assistant Secretary for Preparedness and Response (ASPR) at HHS as the SSA for the healthcare sector.
“Having an impartial agency, such as ASPR, coordinate the intersection of cybersecurity challenges relating to medical devices and two regulatory bodies (FDA and OCR) would be incredibly beneficial for the industry. Navigating the guidance gaps and intersections today hinders the ability for industry to be nimble at its protection and response,” Decker argued.
In oral testimony, Decker proposed four actions ASPR should take to improve cybersecurity in the healthcare sector:
- Encourage industry adoption of the NIST Cybersecurity Framework and the cybersecurity best practices for the healthcare sector developed by the CISA-directed task force
- Bolster the importance of sharing technical cybersecurity threat intelligence information through the NH-ISAC and ensure the information is protected from regulators
- Offer enforcement relief for organizations that demonstrate the adoption of the Cybersecurity Framework, the cybersecurity best practices, and participation in NH-ISAC
- Establish a national response program in partnership with NH-ISAC and possibly DHS that can facilitate the industry response to a national cybersecurity threat.
Decker related that the task force, for which he served as co-lead, would be delivering the healthcare cybersecurity best practices to the HHS secretary for dissemination to the industry by the end of 2018.