The healthcare sector is under attack. Recent WannaCry and Petya ransomware attacks combined with a year-over-year increase in the total number of cyber-attacks against the heath ecosystem underscore the increasing importance and necessity of cyber vigilance. The threat isn’t just to computer systems or networks; American lives are at risk from cyber-attacks which target hospitals, clinics and medical devices which aren’t adequately or appropriately protected from exploitation. It is critical for the Department of Health and Human Services (HHS) to take its rightful role as the cybersecurity leader for healthcare and the public health sector.
HHS experiences over 500 million attempted cyber-attacks each week, and HHS is only a part of the complex, expansive and vulnerable healthcare sector. Such complexity makes it difficult to secure healthcare entities that range from large hospitals, insurance companies and drug manufacturers to pharmacies and single-doctor practices, hospices, long-term care facilities or anywhere patients are treated. Regardless of size of the care provider, each of these is increasingly dependent on interoperable networks and applications but have varying information technology capabilities and cybersecurity savy. As a result, the sector needs strong cybersecurity leadership capable of interacting with all of its stakeholders—public and private. HHS—with its 360-degree view of the healthcare landscape, its challenges and the insight into the unique threats it experiences—is uniquely positioned to lead the cybersecurity initiatives needed to protect this diverse, heterogeneous ecosystem.
The current administration, Congress and the healthcare industry recognize the urgency to develop capabilities and leadership in response to increasing cyber threats. The Cybersecurity Act of 2015 required HHS to lead cybersecurity information sharing efforts and partner with the private sector to improve cyber preparedness and resilience for the healthcare sector. To that end, the HHS Secretary, in consultation with other groups and agencies, assembled a diverse group of industry representatives to discuss these issues; the 21 task force members—including 17 private sector representatives—issued a report in June of 2017 that identified a wide range of threats and actions to be taken by both HHS and the health care sector at large. The administration also emphasized the importance of cybersecurity efforts in the Presidential Executive Order ‘Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure’ released in May. Taken together, both the executive order and the task force report underscore HHS’ role in working with the healthcare sector in managing cybersecurity risks across the healthcare ecosystem.
Building on the administration’s emphasis on cybersecurity, the sector’s need for increased, coordinated cybersecurity activities, and the ever-increasing threat, HHS established the Healthcare Cybersecurity Communications and Integration Center (HCCIC). While still evolving, the HCCIC is intended to be the healthcare ecosystem’s focal point for cyber threat information, providing data, tools and strategies to the sector to enhance and coordinate responses to cyber-attacks.
"It’s simple–sector-specific expertise combined with effective public-private partnerships will result in greater healthcare sector resilience"
Soon after its formation, the HCCIC underwent a real-world test and proved integral in the overall healthcare sector response to recent ransomware attacks that crippled healthcare entities across the globe. The attack—dubbed WannaCry— was one of the fastest-moving and most widespread cyber-attacks seen to date. While it appeared to be quickly contained, the impact of WannaCry to the healthcare ecosystem resulted in widespread impacts to hospital systems, emergency rooms and medical devices across the country. Ambulances were redirected from hospitals which were unable to process incoming patients and, in some cases, vital operating room equipment was rendered unusable. Most impacts went unreported but those that were reported provide a sobering picture of the vulnerabilities and risks that threaten the infrastructure supporting healthcare delivery in the United States. HHS and our partners— including HHS’ all-hazards emergency response team—immediately designed and implemented a strategy that informed health-focused IT professionals how to prevent, mitigate and respond to the ransomware outbreak. This marked the first time that a cybersecurity event was considered a threat to the entire healthcare sector; HHS’ collective leadership and response was widely hailed as a vital contribution to healthcare organizations of all sizes and types.
“Public-private partnership is an essential component to improve the resilience of healthcare organizations in the U.S.,” stated Jim Routh, Aetna’s Chief Security Officer. “The National Healthcare Information Sharing and Analysis Center (NH-ISAC) works collaboratively with HHS around the clock to understand the implications of cybersecurity incidents and share information essential to the protection of healthcare information.”
HHS is at the forefront of healthcare cybersecurity. Its role as a voice for the healthcare sector at a national level—through the HCCIC—is vital to increase awareness and preparedness while decreasing the sector’s cybersecurity vulnerability and exploitability. In 2018, HHS plans to expand the HCCIC, increasing cyber threat validation, partnering with other information sharing organizations to increase information sharing and support capabilities for the healthcare ecosystem.
“HITRUST is active with thousands of industry organizations and is committed to improve the industry’s cyber defenses and resilience by enhancing its cyber threat management, sharing and response capabilities in line with industry’s needs,” states Carl Anderson, HITRUST’s Chief Legal Officer and Senior Vice President for Government Affairs. “Partnering and coordinating with HHS improves the collection, analysis and sharing of relevant cyber threat information and ensures distribution to the broadest audience while minimizing duplication of efforts.”
Its simple—sector-specific expertise combined with effective public-private partnerships will result in greater healthcare sector resilience and combat the real life-or-death consequences of ever-increasing and evolving cyber-attacks.