During a House Energy and Commerce Oversight subcommittee hearing Thursday on the U.S. Department of Health and Human Services’ role in healthcare cybersecurity, HHS leaders shared lessons learned during the department's response to the recent WannaCry ransomware attack and acknowledged that work still needs to be done to improve cybersecurity in the healthcare industry.
“The experience provided a rich set of lessons learned… and it highlighted the disturbing reality that the true state of cybersecurity risks in the sector is underreported by orders of magnitude and the vast majority of the public health sector is in dire need of cybersecurity assistance,” Leo Scanlon, the deputy chief information security officer at HHS, said during the hearing.
Scanlon also said that HHS has a long-term task of assisting the U.S. healthcare sector with shifting from a compliance-oriented security posture to a dynamic risk-management approach. “And this means different things at different levels of the sector, but one thing is clear, the regulatory mechanisms that served to call attention to the need to protect PHI (protected health information) are fundamentally challenged by the technical capabilities of threat actors who operate at scale and machine speed and now have brought the specter of life-threatening impact of a cyber attack in the operating rooms and ambulances of our providers and first responders, and HHS is prepared to play a leading role in addressing that challenge.”
Steve Curren, director of the Office of Emergency Management’s Division of Resilience, Office of the Assistant Secretary for Preparedness and Response (ASPR) within HHS, said in his opening statement, “Few infrastructure issues have challenged the healthcare sector more than the proliferation of cyber attacks. In our modern system of health care, nearly everything is connected through a system of systems, from dialysis machines to electronic health records. Cybersecurity is both a direct and a secondary threat. It can impact everyday patients and health care delivery by locking down access to power, important medical information, and life-saving equipment. It can also exacerbate an existing emergency when hospitals, EMS, and emergency first responders are already working at a frantic pace to save lives and cannot afford to lose access to communications or risk further delays in their response.”
ASPR, a division within HHS, was created in the wake of Hurricane Katrina to lead the national response to adverse health effects in public health emergencies and disasters. Curren added that in 2016 federal leaders began to see the rise of healthcare ransomware attacks. “These attacks shifted the threat landscape considerably, as they no longer threatened just personal information but the ability of healthcare organizations and communities to provide patient care,” he said.
The Subcommittee on Oversight and Investigations hearing on Thursday focused primarily on the findings from two reports that Congress required HHS to produce under the Cybersecurity Act of 2015—one report focused internally within HHS itself, the HHS Cyber Threat Preparedness Report, and another report focused externally within the healthcare sector, the Health Care Industry Cybersecurity Task Force report.
During the hearing, the topic of the WannaCry ransomware attack dominated much of the discussion, and members of the House subcommittee used the cyber attack, and HHS’ subsequent response, as a case study for the effectiveness and applicability of the findings from the reports. On March 12, a cyber attack using the WannaCry ransomware virus spread quickly across the globe, infecting hundreds of thousands of devices in a dozen countries in a matter of hours. Computer systems at 40 National Health System (NHS) hospitals in the United Kingdom were infected, which forced many of those hospitals to reduce services, cancel certain operations and turn away all but emergency patients.
Federal lawmakers also wanted to learn more about the operation of the Healthcare Cybersecurity Communications Integration Center (HCCIC), which was established to strengthen engagement across HHS operating divisions and enhance public-private partnerships through regular outreach with the healthcare industry.
Scanlon said the HCCIC is the central location for public health sector information sharing and that HCCIC played an integral role in HHS’ coordinated response to the recent WannaCry incident. “In the recent WannaCry mobilization, HCCIC analysts provided early warning about the impact to health care. This was the first time a cyber attack was the focus of a mobilization.”
Scanlon said that, beginning the day of the outbreak and peaking over the following several days, HHS took a central role in coordinating government resources and expertise, compiling and distributing relevant information, and generally serving as a hub for both public- and private-sector response efforts. The HHS Deputy Secretary’s designee for cybersecurity and an official from ASPR took the primary lead, with other relevant department operating divisions providing support as necessary, he said.
Initial feedback from both the department and from the health care sector has generally concluded that the department’s response, and therefore its cyber threat preparedness strategy as envisioned in its report, was effective, Scanlon said.