HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) is a critical step toward improving healthcare cybersecurity and will also augment the Department of Homeland Security’s own National Cybersecurity and Communications Integration Center, according to recent analysis from the Institute for Critical Infrastructure Technology (ICIT).
Healthcare organizations are increasingly targeted, often because attackers view those systems as “low hanging fruit,” wrote ICIT Senior Fellow James Scott. He explained that over 113 million EHRs have been exfiltrated since 2015 and that the majority of hospitals – 90 percent – suffered a breach in the last two years.
“The high-level focus of DHS on information sharing and increased cybersecurity and cyber-hygiene within the HPH sector is an admirable start to modernizing the security and resiliency of the sector; however, without a dedicated and objective partner at the ‘ground level,’ DHS’s NCCIC will accomplish little in the future,” Scott stated.
“HHS’ offer of the HCCIC has the greatest potential of ensuring the continued success of the NCCIC and the improved security of small, medium-sized, and large health organizations,” he continued.
Healthcare also faces varied cybersecurity threats that continue to evolve and become more intricate. These include, but are not limited to, insider threats, poorly secured web portals, improper data handling, and under-regulated medical data mining.
“Medical data is more valuable to attackers than financial data, and it can easily be exfiltrated from vulnerable web portals,” Scott maintained. “Once an adversary has patient data, they can exploit the individual or file false claims across the sector.”
Furthermore, medical devices are not always secured, managed, or encrypted. Citing an incident at Children’s Health, Scott explained how an employee lost an unencrypted and non-password protected BlackBerry at an airport. The incident potentially compromised the health records of 3,800 patients, he wrote.
A few years later, an unencrypted laptop containing patient data was stolen from the hospital. Physical safeguards had been in place, but unauthorized personnel were granted access to the laptop storage area.
“For the hospital, it was likely cheaper to operate insecurely for years and eventually pay a fine than it was to secure systems sooner when it was notified of the risk in 2007,” Scott stated. “The economics of risk management allow organizations operating in this irresponsible manner to make short-term profits while shirking essential security requirements, transferring risk to consumers until an incident is discovered and their public reputation is challenged.”
However, the HCCIC can help secure the highly sought-after healthcare sector.
“HHS is already at the forefront of healthcare cybersecurity, and its role as intermediary with the NCCIC through the HCCIC is an optimal and efficient solution to decreasing the vulnerability and exploitability of a siloed sector that has been too long starved for objective sector-specific attention and assistance,” he explained.
Collaboration and information sharing will also be critical in preventing, detecting, and mitigating potential cybersecurity issues. The National Health Information Sharing and Analysis Center (NH-ISAC) partnered with HCCIC.
The partnership has faced unfounded criticism, according to Scott. Public-private partnerships are essential in ensuring that cybersecurity measures can be comprehensive and applicable to numerous sectors.
“The criticism is both shortsighted and inconsistent with federal directives. The NCIRP clearly states the role of the NHISAC as an essential partner for the SSA,” Scott wrote. “The relationship of the HCCIC to the NH-ISAC is a model implementation of that statute and should be emulated by SSAs and the emergency response community in general.”
The HCCIC augments the NCCIC, Scott continued. This is not a duplicate agency, but is instead “a sector-specific cybersecurity coordination hub between the HPH sector and the NCCIC.”
US-CERT will also be able to connect with healthcare organizations that perhaps did not have the necessary resources previously available.
“Many of the targeted organizations are small and medium-sized businesses that remain underserved because they lack the resources to initiate meaningful dialogue with the NCCIC and their insignificance forgoes continuous attention from DHS,” Scott said. “Unlike private sector organizations, HCCIC will have dedicated personnel maintaining direct communication with the NCCIC for near-real-time intelligence sharing and threat response.”
HHS also has three goals for the HCCIC, and these goals do not duplicate the ones of the NCCIC. The goals include the following:
- Strengthen engagement across HHS operating divisions by providing real-time communications among incident response teams and threat analysts
- Improve reporting mechanisms and increase awareness of hyper-evolving, healthcare-specific cyber threats through coordinated cyber information sharing
- Develop robust public-private partnerships among the federal, private sector, and academic arenas
The HCCIC will collaborate with ISAOs and ISACs, but they will not dominate those organizations, Scott explained.
“Arguments that the HCCIC violates some decade-old preconceived role of private sector partners are, from every angle, a self-interested and naïve attempt to maintain influence over the sector after failing to prevent, mitigate, or anticipate every significant cyber-threat of the last few years,” he stated.
Overall, the NCCIC could fail without the HCCIC. Large corporations that self-regulate and institute “minimalistic checkbox frameworks” will deflect liability rather than ensure security, Scott stressed. EHRs are increasingly connected and dependent on one another. Entities of all sizes must understand how to work together to ensure that cybersecurity threats can be properly countered.
“Once struggling SMBs are compromised with ransomware, IoT botnets, or other malware from cybercriminals, techno-jihadists, Hail Mary threats, digital mercenaries, or advanced persistent threat (APT) groups, large organizations will be laterally compromised and patients will be exploited,” Scott concluded.