HHS center for cyber threat sharing comes under fire
The Health Cybersecurity and Communications Integration Center was an integral part of the Department of Health and Human Services’ coordinated response last year to the global WannaCry ransomware attack, providing U.S. healthcare organizations with analysis of the threat and its impact.
However, there is currently “significant confusion regarding the role and status of HCCIC” among industry stakeholders, according to the chairmen and ranking members of the Senate Committee on Health, Education, Labor and Pensions and the House Energy and Commerce Committee.
Four key congressmen sent a letter on Tuesday to HHS Secretary Alex Azar expressing their concerns about HCCIC. They include Sen. Lamar Alexander (R-Tenn.), chairman of the Senate Committee on Health, Education, Labor and Pensions; Sen. Patty Murray (D-Wash.), ranking member of the Senate Committee on Health, Education, Labor and Pensions; Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee; and Rep. Frank Pallone, Jr. (D-N.J.), ranking member of the House Energy and Commerce Committee.
“Stakeholders have informed our staffs they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has,” states the letter. “Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’s efforts to address the HCCIC’s status.”
In addition, the lawmakers noted in their letter to Azar that in September 2017 HHS “temporarily reassigned two senior officials responsible for the day-to-day operation of the HCCIC to unrelated duties,” which has had “undeniable impacts on HCCIC and HHS’s cybersecurity capabilities.”
Erik Decker, advisory board chairman for the Association for Executives in Healthcare Information Security (AEHIS), representing more than 850 chief information security officers, testified on Wednesday before a House health subcommittee about the shortcomings of the HCCIC.
Decker told lawmakers that the center should be “commended” for rapidly disseminating information about the worldwide threats during last year’s WannaCry attacks and hosting calls with healthcare organizations, “often lasting several hours open to the industry for the purpose of information sharing.” However, the HCCIC has since been the source of confusion for providers, he added.
“Specifically, confusion exists regarding the purpose of the HCCIC, the Department of Homeland Security run National Cybersecurity and Communications Integration Center and the existing industry Information Sharing and Advisory Centers and Information Sharing and Advisory Organizations,” according to Decker, who is also chief security and privacy officer at the University of Chicago Medicine.
In addition, he said AEHIS members are confused about who leads HHS’ cybersecurity programs and the correct way to communicate with the agency about cybersecurity-related issues. Decker also testified that AEHIS members are hesitant to share information with HHS because it has a regulatory role.
“People see HHS as a regulator—they don’t understand the intricacies inside of HHS,” he concluded.