cybersecurity Control room There have been several announcements about cybersecurity agencies and offices lately.  Some announcements are from the Department of Homeland Security (DHS) and some are from Health and Human Services (HHS).  What are they talking about and what does it mean to you?

HIPAA For MSPs by David Sims New cybersecurity agency and office?
00:00:00 00:00:00

Back in June Congress sent a stern notice to HHS about cybersecurity failures in the reports they sent them.  As we have to point out these days, this letter and most of the concerns about privacy and security in health care are bipartisan – for a change.  In this letter from the chairmen and ranking members of the House Energy and Commerce Committee and the Senate Health, Education, Labor, and Pensions Committee, Congress pointed out they had had enough waiting for some things promised by HHS last year.

It is a long story with a lot of political drama behind the scenes.  This back and forth has been going on for the last year at HHS.  There was even personnel being moved as retaliation for talking to the committees about cybersecurity.  The kind of madness that we usually don’t cover much on our podcast.  But, this mess it getting REAL now.  Below are some excerpts from the June letter.

“As cyber threats to the health care sector increase in frequency and severity, it is imperative that HHS provide clear and consistent leadership and direction to the sector regarding cyber threats.”

“…..the report omitted or lacked sufficient detail on many outstanding issues. For example, HHS is both a regulator of the health care sector and the Sector Specific Agency (SSA) responsible for leading and providing guidance under the national critical infrastructure protection model. HHS must make clear how it plans to carry out this dual role and clearly communicate to stakeholders, who must balance the need for support from HHS during cybersecurity incidents with the perceived risk that seeking support could lead to regulatory enforcement actions.”

“Most notably, the CTPR lacked information regarding the Healthcare Cybersecurity and Communications Integration Center (HCCIC). The HCCIC was announced during a panel appearance in April 2017 by the then-HHS Chief Information Security Officer, who stated, “HHS is building a health care information collaboration and analysis center, just like the [Department of Homeland Security’s} NCCIC, only focused on health care.” Few additional details were provided, offering little clarity on how the HCCIC would fit into the larger healthcare cybersecurity picture and raising concerns that the HCCIC could duplicate work by entities such as the NCCIC or National Health-Information Sharing and Analysis Center (NH-ISAC). Now a year after the announcement, the clearest public information regarding the HCCIC comes from written testimony submitted by HHS to the Energy and Commerce Committee for a June 2017 hearings.” 

“HHS’s decision to present to our Committees a report that was outdated, incomplete, and inaccurate raises concerns about HHS’s ability to address the growing number and severity of cyber threats facing the health care sector.”

“Additionally, 405(d) of CISA required HHS to establish a “collaborative process” with other government officials and health care industry stakeholders to align and publish “Health Care Industry Security Approaches.” CISA was signed into law on December 18, 2015, but as of this writing, HHS still has not produced the “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” required by the law.”

This letter came out right after Erik Decker testified before Congress and talked about the confusion in the industry due to some of the things not being done at HHS as they had previously announced.  BTW, this is also where he mentioned several other things we have talked about in other episodes.  That testimony will be important in many ways in the coming months:  Decker proposed four actions that should be taken to improve cybersecurity in the healthcare sector:

  1. Encourage industry adoption of the NIST Cybersecurity Framework and the cybersecurity best practices for the healthcare sector developed by the CISA-directed task force
  2. Bolster the importance of sharing technical cybersecurity threat intelligence information through the NH-ISAC and ensure the information is protected from regulators
  3. Offer enforcement relief for organizations that demonstrate the adoption of the Cybersecurity Framework, the cybersecurity best practices, and participation in NH-ISAC
  4. Establish a national response program in partnership with NH-ISAC and possibly DHS that can facilitate the industry response to a national cybersecurity threat.

Just as a note.  The Decker suggested that the cybersecurity management is moved under the HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) which seems to be taking place based on reauthorization bills.  We are looking forward to seeing just how much comes of all of these suggestions.

Cybersecurity agency, center, and office pop up

So, all this drama happens with HHS and, believe it or not, some things started happening.

There is the announcement from the Office of Inspector General (OIG) that monitors HHS.  They have created a new cybersecurity team.

“OIG has formed a multidisciplinary Cybersecurity Team comprised of auditors, evaluators, investigators, and attorneys focused on combatting cybersecurity threats within HHS and the healthcare industry.”

HHS also announces that it has added a Health Sector Cybersecurity Coordination Center (HC3) which is supposed to support the sector dealing with threats.  This is the statement in the announcement that summed it up:

“The Health Sector Cybersecurity Coordination Center (HC3) is an operational cybersecurity center designed to support and improve the cyber defense of the healthcare and public health sector. HC3 strengthens coordination and information sharing within the sector and cultivates cybersecurity resilience by providing timely and actionable cybersecurity intelligence to health organizations and developing strategic partnerships between these organizations.”

They showed a ribbon cutting ceremony in front of a sign with the name on it for their offices.  At this point, there aren’t any other details about what we can actually get to help us other than the announcement.

Basically, this announcement seems like it replaces the Healthcare Cybersecurity and Communications Integration Center (HCCIC) that Congress was angry about in their letter.  So HHS has OIG watching over things specifically relating to cybersecurity in a team and now they have HC3 to coordinate with other stakeholders relating to cybersecurity.

The drama surrounding this mess is probably not over yet.  However, they jumped in and created what they think will make Congress happy and, hopefully, will actually be helpful.

A new cybersecurity agency at DHS

Finally, we get legislation that makes changes at DHS by adding a new Agency to the department specifically for cybersecurity.  The new agency is called Cybersecurity and Infrastructure Security Agency (CISA).

CISA is responsible for protecting the Nation’s critical infrastructure from both physical and cyber threats.  The CISA Act establishes three divisions in the new DHS agency:

  1. Cybersecurity
  2. Infrastructure Security
  3. Emergency Communication.

The information on the DHS website for cybersecurity information is pretty helpful and will continue to be enhanced through this new agency.  HHS is supposed to coordinate with DHS just like the other departments.  Hopefully, we will start to see this settle in and offer even more helpful to us.  Here are some links to valuable resources at DHS.

We are due for some more guidance on healthcare cybersecurity coming out in December from the 405(b) stuff.  As things progress we will be sharing the details.