House Committee Hearing Sheds Light On HHS Approach to Healthcare Cybersecurity

May 18, 2023 - At a House Committee on Energy and Commerce hearing, experts from the energy, water, and healthcare sectors testified on how sector-specific agencies within critical infrastructure are taking steps to protect their industries from cyberattacks.

Each of the 16 critical infrastructure sectors has a designated Sector Risk Management Agency (SRMA) that is responsible for managing threats faced by each sector. The hearing gave committee members a chance to explore how various federal agencies work to secure critical infrastructure against cyber threats, assess their responses to emerging threats, and learn more about the roles and responsibilities of each agency.

Brian Mazanec, PhD, deputy director at the HHS Administration for Strategic Preparedness and Response (ASPR) Office of Preparedness, delivered both a spoken and written testimony to the committee on the growing threats facing the healthcare sector and the role of HHS in mitigating these threats.

ASPR serves as the healthcare sector’s designated SRMA, coordinating with a variety of agencies across HHS, including the Food and Drug Administration (FDA), the HHS 405(d) Program, the Office for Civil Rights (OCR), and the Office of the National Coordinator for Health Information Technology (ONC).

“Working as a team, all HHS agencies and divisions bring together their unique cybersecurity perspectives, expertise, and authorities as a single collaborative effort to assist the HPH sector, from direct engagement with the HPH sector on cybersecurity activities to collaborative regulatory actions with the goal of HPH sector protection,” Mazanec’s written testimony stated.

“For example, OCR collaborates with ONC on development of and enhancements to the Security Risk Assessment (SRA) Tool that provides small- and medium-sized HPH sector organizations a tool to identify and assess security risks to health information within their organizations. HHS is best positioned to serve as SRMA for the HPH sector, as we leverage existing relationships in the regions and with HPH sector partners and utilize our resident expertise in the Department.”

Mazanec mentioned a variety of recent HHS efforts aimed at cybersecurity, including the 2023 edition of the Health Industry Cybersecurity Practices (HICP), the Hospital Resiliency Landscape Analysis, and the Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide.

The written testimony also highlighted HHS’ ongoing collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and with public-private partnerships such as the Health Sector Coordinating Council (HSCC).

Mazanec emphasized the agency’s commitment to collaboration, the development of new risk mitigation resources, and the role of HHS in responding to cyber incidents in the sector. However, Mazanec also acknowledged ongoing challenges with mitigating cyber risk and the need for a bigger budget to tackle these risks.

“HHS is working diligently to strengthen cyber security and address the impacts of cyberattacks on the health care system. As we move forward, there are additional authorities and resources that would advance ASPR’s ability to fully implement its plan to bolster HHS’s cyber SRMA activities,” Mazanec wrote.

“For example, we are in the process of establishing a dedicated Cyber Division within ASPR’s Office of Critical Infrastructure Protection. If ASPR is granted direct hire authority, as requested through the Pandemic and All-Hazards Preparedness Act (PAHPA) reauthorization process, we would be able to bring critical staff with cyber expertise into the organization more quickly and move forward to address challenges without delay.”

Mazanec also suggested that this authority would put ASPR in a better position to immediately expand its efforts as the SRMA for the healthcare sector.

“Additionally, we are looking to establish a new HHS cyber incident ticketing system to better track incidents and strengthen threat intelligence sharing through embedded liaisons within CISA and the FBI,” Mazanec continued.

“Dedicated resources are needed to implement and operate supporting systems, as included in the FY 2024 President’s Budget request. We continually assess and identify whether any additional authorities are needed to support our role as SRMA for the HPH sector, and I look forward to working with all of you if any other needs arise.”