HHS has opened its Health Sector Cybersecurity Coordination Center (HC3), which will be a healthcare cybersecurity threat analysis and incident response partner to the private sector.
HC3 replaces the Healthcare Cybersecurity and Communications Integration Center (HCCIC), which has had a troubled history since its founding in May of last year.
HHS said that HC3 will work to strengthen coordination and cybersecurity information sharing within the healthcare sector and promote cybersecurity resilience. It will provide cybersecurity intelligence to health organizations and develop strategic partnerships between these organizations.
“HHS is proud to work with the health community to better protect Americans’ health data and confidential information,” HHS Deputy Secretary Eric Hargan said in opening HC3. “Today’s announcement is a recognition of the importance we place on stakeholder engagement as part of our cybersecurity work.”
HHS said that HC3’s role will be to work with the healthcare sector, including practitioners, organizations, and cybersecurity information sharing organizations, to understand the threats it faces, learn the attackers’ patterns and trends, and provide information and approaches on how the sector can better defend itself from cyberthreats.
The US government has designated the Department of Homeland Security (DHS) as the lead organization to combat cybersecurity threats against industry and develop preventive strategies across the entire economy. HHS has been given the role of focusing on cyberthreat information sharing within the healthcare and public health sector.
“We believe that when a risk is shared across sectors, the only way to manage that risk successfully is to manage it collectively,” said DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra.
“We know that the majority of the cybersecurity attacks that occurred over the past year could have been prevented with quality and timely information, and the heightened importance of sharing information cannot be stressed enough. The HC3 is a vital capability for the early detection and coordination of information between the private sector and the federal government, and with cyber professionals across the federal government.”
In May of last year, then-HHS Chief Information Security Officer Christopher Wlaschin announced the setting up of HCCIC. He explained that it would be modeled after DHS’s National Cybersecurity and Communications Integration Center and would provide grants to the National Health Information Sharing and Analysis Center (now called just the Health Information Sharing and Analysis Center) to encourage broad industry participation. Wlaschin resigned his position as HHS CISO in March of this year.
HCCIC issued a number of advisories about cyber threats to the healthcare sector. In June of 2017, HCCIC warned the healthcare industry about vulnerabilities in the Windows operating system and threats coming from the North Korean Hidden Cobra group.
“These vulnerabilities allow an attacker to remotely run programs or attacks on systems,” HCCIC stated at the time. “This could allow an attacker to perform a wide range of actions including exfiltrating documents or data, or gain access to other internal systems via the local network once initial access is gained.”
In January of this year, HCCIC issued two advisories about the Spectre and Meltdown vulnerabilities in computer processors and the potential threats they posed to healthcare organizations, in particular medical devices.
“Medical devices and supporting medical equipment, may not resemble computers, but may run operating systems (Windows, Linux, etc.) on processors that could be vulnerable to Meltdown and Spectre,” HCCIC explained. “Contact medical device manufacturers through security portals, if available, for information specific to each medical device and the manufacturer’s recommendations for patching medical devices.”
However, in June Congress sent a letter to HHS Secretary Alex Azar questioning him about the lack of information on the HCCIC in the department’s Cyber Threat Preparedness Report (CTPR).
The letter said that the removal of two senior HHS cybersecurity officials last fall had left HCCIC leadership in limbo. The two officials were Margaret Amato, who was director of the HCCIC, and Leo Scanlon, who was deputy chief information security officer and designated senior advisor for public health sector cybersecurity.
The removal of these officials “has had undeniable impacts on HCCIC and HHS’s cybersecurity capabilities,” the letter noted.
“The HCCIC’s surprise announcement, initial success, and subsequent troubles, combined with the inadequacies in the CTPR, have exacerbated the very issues that CISA [Cybersecurity Information Sharing Act] was intended to address. HHS’s decision to present to our Committees a report that was outdated, incomplete, and inaccurate raises concerns about HHS’s ability to address the growing number and severity of cyber threats facing the health care sector,” the letter observed.
HHS appears to have gone in a different direction with the opening of HC3 this week. The department said that HC3 will collaborate closely with H-ISAC, NCCIC, and other partners to refine its cybersecurity offerings through feedback and consultations.