Over the past several years, the health care sector has become increasingly digitized and integrated with information technology. With these benefits has come the increased risk of cybersecurity threats, such as malware infections, large-scale thefts of medical data, and the discovery of critical vulnerabilities in medical devices. In recognition of these threats, Congress included language in the Cybersecurity Act of 2015 (CSA) that required HHS to produce two reports examining cybersecurity within the health care sector, one focused internally within HHS itself, and the other externally within the health care sector.
The House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations held a hearing on June 8, 2017, to examine the details from the two HHS reports and to use the recent global outbreak of the "WannaCry" ransomware, and HHS’ response, to determine the effectiveness and applicability of the findings from the reports. The subcommittee heard from three HHS officials who submitted a joint written statement to the subcommittee.
HHS Cyber Threat Preparedness Report. The first report, required under section 405(b) of CSA, instructed HHS to submit an internal report on HHS’ preparedness to respond to cybersecurity threats within the health care sector. Section 405(b) required two primary findings: (1) a statement identifying the official to be responsible for leading and coordinating HHS cybersecurity efforts, and (2) a plan from each relevant operating division detailing how that operating division intended to address cybersecurity threats within their jurisdiction. According to the subcommittee’s background memorandum for the hearing, the internal report included the following information:
- The Deputy Secretary of HHS, or their designee, is the official responsible for leading and coordinating HHS cybersecurity efforts.
- The Office of the Assistant Secretary for Preparedness and Response (ASPR) has primary responsibility for cybersecurity efforts within HHS.
- Eleven components within HHS contribute to health care sector cybersecurity threat preparedness.
- HHS leverages an internal working group that includes relevant officials from across these different offices and operating divisions to coordinate cybersecurity efforts.
After submission of the internal report, the HHS officials briefed the subcommittee that cybersecurity roles, responsibilities, and efforts continue to evolve. Most importantly, HHS officials indicated that the department is in the process of standing up the Health Cybersecurity and Communications Integration Center (HCCIC). The HCCIC serves as a nexus for information, collaboration, and analysis regarding cybersecurity threats in the health care sector. The HHS officials also informed the subcommittee that HCCIC is likely to have a significant impact on the processes and procedures HHS uses to address cybersecurity threats and engage with industry. As a result, the HHS officials warned that some findings in the internal HHS Cyber Threat Preparedness report may soon be outdated.
Health Care Industry Cybersecurity Task Force Report. The Task Force report, required under section 405(c) of CSA, instructed HHS to convene a task force consisting of stakeholders from HHS, the Department of Homeland Security, the National Institute of Standards and Technology, and the health care sector, as well as cybersecurity experts (see Task Force diagnosis: Health care cybersecurity in critical condition, June 5, 2017). The task force report includes six high-level imperatives, broken down into 27 specific recommendations and action items. The six imperatives and a summary of their significance are as follows:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity. The task force (1) recommended the creation of a "cyber leader" role within HHS to coordinate activities and serve as a single focal point for industry engagement across regulatory and voluntary cybersecurity programs; (2) found that HHS needs to make the discussion, oversight, and engagement around cybersecurity clearly and consistently messaged; and (3) paid particular attention to the needs of small- and medium-sized organizations, which have unique needs and different capabilities as compared to larger organizations.
- Increase the security and resilience of medical devices and health IT. This imperative takes a total product lifecycle approach, recommending a mix of regulation, accreditation, information sharing, and voluntary development and adoption of standards to promote system security from product design and development through end of life.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. The task force outlines the major workforce challenges facing health care information technology and cybersecurity, especially among small, rural, and other lesser-resourced organizations. It recommends steps to enhance cybersecurity leadership in organizations, develop the nation’s health care cybersecurity workforce, and create options for organizations to gain efficiencies by leveraging shared cybersecurity services.
- Increase health care industry readiness through improved cybersecurity awareness and education. This imperative focuses on increasing the cybersecurity posture within organizations by raising awareness among corporate leadership, educating employees on the importance of cybersecurity, and empowering patients to make better choices related to the security of their personal health information.
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure. This imperative focuses on the significant problem of health care intellectual property theft related to areas such as clinical trials, drug and device development, big data applications, and general health care business operations.
- Improve information sharing of industry threats, risks, and mitigations. For this imperative, the task force recommends general principles to follow in the establishment of cyber threat information sharing systems in health care, with a focus on ensuring that curated and actionable information reaches small and rural organizations.
"WannaCry" ransomware outbreak. On May 12, 2017, an outbreak of the type of file-encrypting malware known as "ransomware" spread quickly across the globe, infecting hundreds of thousands of devices in dozens of countries in a matter of hours. WannaCry spread as a self-propagating worm, exploiting a Windows SMBv1 vulnerability for which Microsoft had released a patch (MS17-010) in March 2017, so unpatched systems were infected without any user action. Once infected, a device's files were encrypted and unusable until a ransom had been paid to the ransomware authors through the virtual currency Bitcoin.
While nearly all industries and sectors were affected by the WannaCry outbreak, particular attention was focused on the health care sector due to the infection of some 40 National Health Service (NHS) hospitals in the United Kingdom. According to the HHS officials, the ransomware was ultimately contained before it could infect more than a small number of devices in the United States. Nevertheless, they believe that the health care sector was extremely susceptible to ransomware outbreaks, and remains so today.
HHS officials indicated that the department took a central role in coordinating government resources and expertise, compiling and distributing relevant information, and generally serving as a hub for both public- and private-sector response efforts. As outlined in the internal HHS Cyber Threat Preparedness Report, the HHS Deputy Secretary's designee for cybersecurity and an official from ASPR took the primary lead, with other relevant HHS operating divisions providing support as necessary.
In response to subcommittee questions, the HHS officials testified that they have learned two main lessons from the WannaCry incident: (1) cybersecurity must be operated as an emergency response, and (2) public and private partnerships are essential to emergency response – these trusted partnerships cannot simply be stood up in the middle of an emergency.
The officials also testified that three things are impeding the application of the lessons learned in the WannaCry incident: (1) better protection of information is needed in the federal government sector, as private industry is hesitant to give information to the federal government due to a lack of trust in government IT systems; (2) there is a misunderstanding by private industry of HHS cybersecurity policies (e.g., there was an erroneous belief in private industry that the FDA does not allow "patching" of medical devices, when in fact routine security patches generally do not require new FDA review); and (3) there is a misunderstanding in private industry as to what it can and cannot report to the government. To address these impediments, the HHS officials stated that HHS is working on plain-language guidance to inform industry of its cybersecurity policies.
Health Law Daily: Breaking legal news at your fingertips