Congressional Leaders Call Out HHS Leaders on Healthcare Cybersecurity Center | Healthcare Informatics Magazine

June 7, 2018
by Heather Landi

A bipartisan group of U.S. Senators and U.S. Representatives wrote a joint letter June 5 to U.S. Department of Health and Human Services (HHS) Secretary Alex Azar voicing concerns and confusion about the status of the one-year-old Healthcare Cybersecurity and Communications Integration Center (HCCIC), and HHS’ overall cybersecurity capabilities.

The disorganization and drama around the fledgling HCCIC go back more than a year. The HCCIC was announced in April 2017 by the then-HHS deputy Chief Information Security Officer, Leo Scanlon, and the center went live in June 2017. HCCIC was established to protect the nation’s healthcare system from cyber attack and was designed to focus its efforts on analyzing and disseminating cyberthreats across the healthcare industry in real time, according to HCCIC officials at the time.

However, since that time, there has been ongoing controversy over the reassignment of top cyber leaders at HHS and the work of the HCCIC. According to multiple media reports in November, the fledgling HCCIC became the center of a rumored investigation into contracting irregularities and possible fraud allegations. An anonymous complaint was lodged, alleging contracting improprieties. Scanlon was put on administrative leave in September, and the center’s director, Maggie Amato, has since resigned. Chris Wlaschin then stepped into the HHS CISO role, but stepped down March 31 and was replaced by Janet Vogel, previously the deputy chief information officer at the Centers for Medicare & Medicaid Services (CMS).

As previously reported by Healthcare Informatics, the controversy regarding top tech and cyber positions at HHS is a tangled web of personal and policy disputes, and, according to Scanlon in a published statement provided by his attorney back in March, the net effect of the reassignments has been that “the HCCIC initiative, which played such an important and promising role during the WannaCry incident, has been derailed.” Further, Scanlon states that “the Critical Infrastructure Protection Program of HHS once again lacks a cybersecurity component, and the NH-ISAC [National Health Information Sharing and Analysis Center] has no functioning partners in the agency.”

It seems Congressional leaders are also concerned about the current role and status of HCCIC. In the five-page letter, members of the House Energy and Commerce Committee and the Senate Committee on Health, Education, Labor and Pensions noted that when the HCCIC was announced a year ago, there were few details provided, “offering little clarity on how HCCIC would fit into the larger healthcare cybersecurity picture and raising concerns that HCCIC could duplicate work by entities such as the National Health-Information Sharing and Analysis Center (NH-ISAC).”

The lawmakers also cited the leadership changes, specifically the reassignment of senior officials responsible for the day-to-day operation of the HCCIC, as one of their top concerns: “HHS’s removal of senior HCCIC personnel has had undeniable impacts on HCCIC and HHS’s cybersecurity capabilities.”

In the same week that the letter was sent to Azar, the House Energy and Commerce health subcommittee held a hearing on the reauthorization of the Pandemic and All-Hazards Preparedness Act, legislation that seeks to enhance the nation’s ability to prepare for and respond to health threats from infectious diseases, bioterrorism, chemical attacks, radiological emergencies and cybersecurity incidents. The bill proposes moving the HCCIC from the HHS’s Office of the Chief Information Officer to the Assistant Secretary for Preparedness and Response (ASPR), also within HHS.

During that hearing, Erik Decker, CISO and chief privacy officer at the University of Chicago Medicine, testified that there is confusion about the status of HCCIC as well as about the cybersecurity roles of various agencies at HHS, and that the confusion is hindering many healthcare organizations from participating in cyber intelligence sharing.

The letter, signed by Sens. Patty Murray, D-Wash., and Lamar Alexander, R-Tenn., along with Reps. Frank Pallone, D-N.J., and Greg Walden, R-Ore., also noted, “Stakeholders have informed our staffs that they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has. Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’s efforts to address the HCCIC’s status.”

The lawmakers further wrote, “HHS’s private and public representation of the HCCIC as central to its cybersecurity efforts has confounded efforts to understand how HHS meets its obligations related to cybersecurity given the HCCIC’s instability.”

The lawmakers are also concerned that HHS has failed to provide a Cyber Threat Preparedness Report (CTPR) as required by the Cybersecurity Information Sharing Act of 2015. The HCCIC developments and the lack of a CTPR “raises concerns about HHS’s ability to address the growing number and severity of cyber threats facing the health care sector,” the lawmakers wrote.

Congressional leaders are demanding an updated CTPR with a detailed explanation of the HCCIC, its roles and responsibilities, how its work and operations intersect with the NCCIC and NH-ISAC and how it fits into HHS’s broader cybersecurity capabilities and responsibilities.

In a broader sense, the lawmakers also raised concerns about HHS operating as both a regulator of the healthcare sector and the Sector Specific Agency (SSA) responsible for leading and providing guidance under the national critical infrastructure protection model. “HHS must make it clear how it plans to carry this dual role and clearly communicate to stakeholders, who must balance the need for support from HHS during cybersecurity incidents with the perceived risk that seeking support could lead to regulatory enforcement actions,” the lawmakers wrote.

Congressional leaders are asking HHS leaders to clarify how the department plans to differentiate those dual roles, regulator and SSA for healthcare, and how it plans to transition between the two.


PODCAST: AHA's Cybersecurity Leader John Riggi on the Evolving Cyber Threats Facing Healthcare

August 17, 2018
by Heather Landi
Riggi believes the cyber threats against healthcare are increasing in severity, complexity and frequency

Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations all face the same daunting challenge of protecting information systems and patient data.

A recent report found that cyberthreats are continuing to increase and shift: even though ransomware attacks are significantly declining, cyberattacks overall are on the rise. A Protenus Breach Barometer report found that 3 million patient records were breached in the second quarter of 2018 alone. At the same time, an IBM Security study found that the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. Overall, the healthcare industry continues to incur the highest cost for data breaches of any industry.

Another report, based on a survey of hackers, uncovered some alarming results: about a quarter of the hackers surveyed say they can complete a breach of a hospital or healthcare organization in under five hours.

On top of all that, recent high-profile healthcare cybersecurity incidents in the past few months serve as a stark reminder that the healthcare industry continues to be a ripe target for attacks. One cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister. The breach impacted about a quarter of Singapore’s population of 5.6 million people.

John Riggi, who serves in the newly created role of senior advisor for cybersecurity and risk with the American Hospital Association (AHA), sees the cyber threats against healthcare increasing in severity, complexity and frequency. Prior to his role at AHA, Riggi spent nearly 30 years with the FBI, including in the cyber division.

Riggi dives into the evolving cyber threats facing the healthcare industry right now, including sophisticated criminal organizations, nation-state actors and cryptocurrency mining malware. Case in point: incidents of cryptocurrency mining on healthcare networks and other critical infrastructure networks increased by 1,000 percent from late 2017 to the present, Riggi says. He also discusses the implications of recent high-profile cyber incidents such as the hack at SingHealth.

The podcast runs about 13 minutes in length. You can listen to all Healthcare Informatics podcasts right here.

Who Can Healthcare Trust When Ransomware Hits?

WannaCry and Petya caused business impact for several organizations and in both cases the damage was largely mitigated across the industry. This information is widely known.

What is not widely known is the role that information sharing between private industry and the public sector played, specifically between the NH-ISAC Threat Intelligence Committee (TIC) members and the HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC).

Report: More than 3M Patient Records Breached in Second Quarter of 2018

August 8, 2018
by Heather Landi

More than 3.14 million patient records were breached in 142 disclosed health data breach incidents during a three-month span from April to June 2018, according to new data released in the Protenus Breach Barometer.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the latest data showed that in the second quarter of 2018 the number of affected patient records almost tripled from those reported in the first quarter of this year (1.13 million patient records).

Protenus compiled the report using health data breaches reported to the U.S. Department of Health and Human Services (HHS) or to the media. The data showed several large data breach incidents during the second quarter, including a theft incident in April involving a Sacramento-based office of the Department of Developmental Services, affecting 582,000 patient records, and a hacking incident at a healthcare provider in May that impacted 566,000 patient records.

For incidents disclosed to the HHS or the media, insiders were responsible for 30.9 percent of the total number of breaches in Q2 2018 (44 incidents). Details were disclosed for 27 of those incidents, affecting 421,180 patient records (13.4 percent of total breached patient records).

The report notes an interesting trend with regard to insider breach incidents. In Q2 2018, 29.7 percent of privacy violations were by repeat offenders. “This evidence indicates health systems accumulate risk that compounds over time if proper reporting and education do not occur. On average, if an individual healthcare employee breaches patient privacy once, there is a greater than 30 percent chance that they will do so again in three months’ time, and a greater than 66 percent chance they will do so again in a year’s time,” the report states.

The report authors note, “In other words, even minor privacy violations that are not promptly detected and mitigated, have the potential to compound risk over time.”

The Breach Barometer report data also shows that each hospital investigator is responsible for monitoring the electronic access of an average of 4,000 active EHR users in Q2 2018, underscoring that manual audit processes, like ad-hoc or random audits, are insufficient to monitor such a large population, each of whom accesses multiple medical records per day.

Nine out of every 1,000 employees breach patient privacy, and family-member snooping is the most common insider-threat violation (71.4 percent of violations), the Protenus data found.

Protenus estimated that, on average, 9.21 healthcare employees breach patient privacy per 1,000 employees. This increase over what was reported in Q1 2018 is attributed to healthcare privacy teams better leveraging advanced analytics and proactively detecting more incidents, according to the report.
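The three figures above (repeat offenders within three months, one investigator per 4,000 active EHR users, and family-member snooping as the most common violation) describe an audit-log triage problem. The script below is an added example written for this page; it is not Protenus code or any product's logic. It assumes a hypothetical care-team roster (in a real system derived from encounters, orders or scheduling) and uses constructed audit rows and surnames. It flags record accesses with no documented care relationship, tags same-surname accesses as possible family snooping, and marks a user's second flagged access inside a 90-day window as a repeat, so an investigator sees the compounding-risk cases first instead of sampling at random.

```python
"""Triage EHR access-audit events for a privacy investigator.

Added example. The care-team roster, surnames and audit rows are constructed
for illustration; none of it is data from the Protenus report.
"""
from datetime import datetime, timedelta

# Documented care relationships: user -> patients they may legitimately access.
# Constructed; a real deployment would derive this from encounter/order data.
CARE_TEAM = {
    "u100": {"p1", "p2"},
    "u200": {"p3"},
    "u300": {"p1", "p3", "p4"},
}

# Surnames used for the family-snooping heuristic. Constructed values.
USER_SURNAME = {"u100": "Garcia", "u200": "Okafor", "u300": "Lindqvist"}
PATIENT_SURNAME = {"p1": "Chen", "p2": "Garcia", "p3": "Okafor",
                   "p4": "Patel", "p5": "Okafor"}

# Constructed audit log rows: (ISO timestamp, user, patient, action).
AUDIT_LOG = [
    ("2018-04-02T09:15:00", "u100", "p1", "view"),  # on care team: fine
    ("2018-04-03T22:40:00", "u100", "p2", "view"),  # on care team, same surname: fine
    ("2018-04-10T13:05:00", "u200", "p5", "view"),  # no relationship, same surname
    ("2018-05-14T08:30:00", "u200", "p4", "view"),  # no relationship, 34 days later
    ("2018-04-20T11:00:00", "u300", "p2", "view"),  # no relationship
    ("2018-09-01T10:00:00", "u300", "p5", "view"),  # no relationship, >90 days later
]

# Window inside which a second flagged access counts as a repeat offence.
REPEAT_WINDOW = timedelta(days=90)


def parse_ts(value):
    """Parse the ISO-8601 timestamp format used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def classify_accesses(log, care_team, user_surname, patient_surname,
                      window=REPEAT_WINDOW):
    """Return findings for accesses lacking a documented care relationship.

    Each finding carries the event, the reasons it was flagged, and whether
    the same user already had a flagged access inside `window` (repeat).
    Rows are processed in time order so the repeat check only looks back.
    """
    findings = []
    last_flagged = {}  # user -> timestamp of that user's latest flagged access
    for ts_str, user, patient, action in sorted(log, key=lambda row: row[0]):
        ts = parse_ts(ts_str)
        if patient in care_team.get(user, set()):
            continue  # documented relationship; nothing to review
        reasons = ["no_care_relationship"]
        if user_surname.get(user) and user_surname[user] == patient_surname.get(patient):
            reasons.append("possible_family_snooping")
        prior = last_flagged.get(user)
        repeat = prior is not None and (ts - prior) <= window
        findings.append({"ts": ts_str, "user": user, "patient": patient,
                         "action": action, "reasons": reasons, "repeat": repeat})
        last_flagged[user] = ts
    return findings


def violators_per_thousand(findings, headcount):
    """Distinct users with at least one finding, normalised per 1,000 staff."""
    users = {f["user"] for f in findings}
    return round(len(users) / headcount * 1000, 2)


if __name__ == "__main__":
    results = classify_accesses(AUDIT_LOG, CARE_TEAM, USER_SURNAME, PATIENT_SURNAME)
    # Repeat offenders first, then family-snooping candidates, then the rest.
    results.sort(key=lambda f: (not f["repeat"], len(f["reasons"]) == 1))
    for f in results:
        print(f["ts"], f["user"], "->", f["patient"], ",".join(f["reasons"]),
              "REPEAT" if f["repeat"] else "")
    print("violators per 1,000 employees (headcount 250):",
          violators_per_thousand(results, 250))
```

The surname match is deliberately a weak signal and is only reported alongside the missing care relationship; on its own it would flag every clinician treating a relative. The per-1,000 figure is computed over distinct users, matching how the report expresses its 9.21 rate.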

There were 25 publicly disclosed incidents that involved insider error between April and June 2018. Details were disclosed for 14 of these incidents, affecting 343,036 patient records. In contrast, 18 incidents involved insider wrongdoing, with data disclosed for 13 of these incidents. There was a substantial increase in breached patient records as a result of insider wrongdoing: in Q1 2018, there were only 4,597 affected patient records, while in Q2 2018, there were 70,562.

Looking at external threats, hacking continues to threaten healthcare organizations in 2018, with an increase in incidents in the second quarter. Between January and March there were 30 hacking incidents; between April and June 2018 there were 52 (36.6 percent of all Q2 2018 publicly disclosed incidents). Details were disclosed for 44 of those incidents, which affected 2 million patient records.

Of the 143 disclosed health data breaches that occurred between April and June 2018, 99 of them (76 percent of total incidents) were disclosed by a healthcare provider, 15 were disclosed by a health plan, 18 were disclosed by a business associate or third-party vendor, and ten were disclosed by businesses or other organizations.

Even though most healthcare organizations have already switched over to digitized patient records, 23 breach incidents still involved paper records.

The Protenus data also showed that, of the 142 health data breaches for which data was disclosed, it took an average of 204 days from when a breach occurred to when it was discovered. The median discovery time was 18 days. There was wide variation in the data, with the shortest discovery time being one day and the longest 1,587 days (4.35 years).

In conclusion, the Protenus report notes that the average cost per breached record has increased 6.4 percent ($408 per record) over last year. “Healthcare organizations must remain vigilant, looking for best practices in healthcare privacy that will allow them to audit every access to their patient data. Full visibility into how their data is being accessed and used will help organizations secure patient trust while preventing data breaches from having costly consequences for their organization,” the report states.
