You have to learn to walk before you can run, but in the case of the Health and Human Services Department’s Health Cybersecurity and Communications Integration Center (HCCIC), it learned how to sprint right out of the gate.
HHS officials recently testified before Congress that the center did exactly what it was intended to do during last month’s WannaCry ransomware attack, and further proved the point that paralyzing cyber attacks on health IT are only a click away.
“In the recent WannaCry immobilization, HCCIC analysts provided early warning of the potential impact of the attack and HHS responded by putting the secertary’s operations center on alert,” said Leo Scanlon, deputy chief information security officer at HHS, during a June 8 House energy and commerce subcommittee hearing.
“This was the first time that a cyber attack was the focus of such a mobilization and HCCIC was able to support [the Office of the Assistant Secretary for Preparedness and Response] interactions with the sector by providing real time cyber situation awareness, best practices guidance and coordination with the US-CERTand [incident response teams] at [Homeland Security Department’s National Cybersecurity and Communications Integration Center],” Scanlon said. “Sector calls generated by ASPR reached thousands of health care organizations and providers; one call had more than 3,000 lines open and continued for more than two hours for questions and discussion.”
Federal News Radio first reported on the HCCIC in April. It’s mission is to educate health organizations and consumers about the risks of using mobile applications and data.
Chris Wlaschin, chief information security officer for HHS, said the center would achieve initial operating capability near the end of June, but with the ransomeware attack, the center’s test run turned into a real life trial, with valuable lessons learned.
Steve Curren, HHS’ director of the division of resilience in the Office of Emergency Management (under ASPR) said the attack response highlighted the importance of public and private sector partnerships.
“We say in emergency management, disaster is not the time to exchange business cards, and it’s no different for a cyber incident,” Curren said. “We were able to exchange information from partners who trusted us and we trusted them with the information. We don’t want to have to wait to have the final polished version of every piece of information we want to share before we share it. It’s uncomfortable, but instances like this, when time is of the essence, when systems need to be patched, we need to get information out there immediately. Having those trusted partnerships, being open; having a call on the first day with our partners really helped us to establish those relationships and get information out there.”
Particularly for smaller businesses that might not have the people or money to throw at a large-scale cyber attack, the HCCIC is a valuable resource.
“It’s small and medium-size businesses that struggle to make payroll, they’re having to make trade-offs each and every day, whether it’s R&D, manufacturing, and here’s this cybersecurity,” said Rep. Chris Collins (R-N.Y.). “I think the reality is too often it’s the last thing they’re going to think about.”
Scanlon said the HCCIC produced one-page information sheets for small organizations in real time during the WannaCry attack, answering questions on patching, detection and flags to look for in their systems.
Curren said small, medium and rural health care organizations have “a critical need for health care cybersecurity information and resources.”
“The cybersecurity taskforce of course pointed that out, and I think also provided some good potential solutions — or at least options — to look at,” Curren said.
The task force released its report, the product of a year of work, on June 2. It includes a number of recommendations, such as improving security and resilience of medical devices, and standing up a Medical Computer Emergency Readiness Team. It also includes six “high-level imperatives,” like:
increase health care industry readiness through improved cybersecurity awareness and education.
identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
The task force also recommended that HCCIC, HHS, the Homeland Security Department’s National Cybersecurity and Communications Integration Center, and law enforcement, work together to provide subject matter expertise and an open flow of communication between the government and industry during both “steady state and response efforts.”
“There are more than 100 imperatives, recommendations and action items in the task force report, about half relate to the government and about half relate to the private sector,” Curren said. “There’s a lot of work for everyone to do. HHS right now is taking a look at the report and all the recommendations that are there, looking at which recommendations might relate to our current authorities and resources, where we have programs available, where we can do good work, which ones may be of interest to our partners, where we can work with them to help with implementation, and also look at the time frame.”
Those efforts are necessary given the uniqueness of the health sector and the devices that support not only health systems, but the wellness of patients, Scanlon said.
Asked by Rep. Scott Peters (D-Calif.) where the most vulnerable parts of the medical industry are when it comes to cyber attacks, Scanlon said the health care sector is “particularly sensitive to the phenomenon of the Internet of Things.”
Many medical devices weren’t designed or developed with the IoT in mind, but now they are talking with other devices that are being attacked, Scanlon said.
“So this represents a major investment problem,” Scanlon said. “It produces another problem on the normal operating standpoint. We can patch our systems without a great deal of difficulty, roll out automated patches across tens of thousands of machines on a basis. You can’t quite do that in a hospital when you don’t know what the impact of that patch is going to be in an operating room or on a medical device that is unique in the way it is designed and structured.”
“The way you’ve answered that question is more systemic than I asked it, so I’m going to take that as implied that we have to continue to figure out what’s going to be happening,” Peters said. “There’s many, many points of entry now given these different devices and open source practices, and it seems to be that that’s going to be part of HHS’ role is corralling this information and spreading best practices.”
Cyber IT funding
Fulfilling its role, however, requires some funding, an issue Rep. Paul Tonko (D-N.Y). brought up when he asked about funding for health cybersecurity in the fiscal 2018 budget.
“I’m asking this question because we want to make certain our house is in order and HHS as sufficient resources for its own IT security internally,” Tonko said, quoting numbers from the Office of Management and Budget showing that of HHS’ $13 billion IT spend in fiscal 2016, only about $373 million — or 3 percent — was marked for IT security.
Scanlon said he did not know the dollar amount of HHS IT security designated for 2018, but would get back to Tonko with those numbers, along with providing more details on 2018 funding for the HCCIC.
According to the president’s fiscal 2018 budget, $72 million is earmarked for the department’s cybersecurity program.