Servers and storage are a primary focus for one hospital’s support upgrades.
By the end of June, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) will get a cousin focused on healthcare cyberthreats.
The Department of Health and Human Services (HHS) plans to launch the Health Cybersecurity and Communications Integration Center (HCCIC) in the next few weeks, according to multiple reports. The HCCIC will likely involve increased investment in cybersecurity equipment and personnel for HHS and elevate the importance of cybersecurity within the department.
The NCCIC, which opened in 2009, serves as a centralized hub within DHS that monitors cyberthreats across agencies and critical infrastructure. It also shares information among public- and private-sector partners to build awareness of vulnerabilities, incidents and mitigation strategies. It works closely with critical infrastructure owners and operators to reduce cybersecurity risks, collaborates with state and local governments, coordinates national response to significant cyber incidents in accordance with the National Cyber Incident Response Plan (NCIRP), and analyzes data to develop and share actionable steps to mitigate risks.
The HCCIC will serve a similar function. “HHS is building a health care information collaboration and analysis center, just like the NCCIC, only focused on health care,” HHS CISO Chris Wlaschin said during an April 20 panel discussion at the ACT-IAC Mobile Health Forum in Washington, D.C., according to Federal News Radio.
The goal of the HCCIC will be to share health-specific cybersecurity threats with other agencies and the private sector and to provide healthcare providers with best practices to mitigate the risks.
Wlaschin said HHS has provided grants to the National Health Information Sharing and Analysis Center to encourage broad healthcare industry participation in the HCCIC. The goal is not just to reduce noise about cybersecurity threats (and Wlaschin acknowledged that there is a lot of noise) but to then analyze the data “and deliver best practices and the two or three things that a small provider, a small office, a doc in a box can do to protect his patient’s privacy and information security around those systems.”
The center’s unveiling comes as healthcare organizations are facing mounting cybersecurity threats. Nearly 90 percent of healthcare organizations represented in a May 2016 Ponemon Institute study had a data breach in the past two years, and 45 percent had more than five data breaches in the same time period. Further, half of these organizations said they still did not have the personnel or the budget to detect or manage data breaches.
Fully 59 percent of healthcare organizations surveyed said they did not think or were unsure that their organization’s security budget was sufficient to curtail or minimize data breaches. Similarly, 56 percent said they did not believe their incident response process had adequate funding and resources.
“Relatively speaking, we're the new kids on the block playing in the biggest and toughest neighborhood at the moment,” Leo Scanlon, HHS’s senior adviser for health care public health cybersecurity, said at the CyberSecureGov conference in Washington. D.C. in May, according to Nextgov.
The HCCIC will aim to share cybersecurity threat information with medical professionals in clear ways and attempt to explain how it might impact businesses, HCCIC Director of Operations Maggie Amato said at the comference, Nextgov reports.
“My mother is a hospice nurse so she's the customer that’s always in my head,” she said. “So trying to explain cybersecurity to my mom is a little bit difficult. My example is that if I tell my mother we have a vulnerability, she’ll give me a tissue and tell me it’s OK to cry.”
At some point in the future, the HCCIC will release how-to or step-by-step guides, and its exploring the idea of a 311-style phone line to help private-sector partners, Nextgov reports.
As it has ramped up efforts in “beta mode,” the HCCIC has been building relationships with HHS’ different component agencies, such as the Food and Drug Administration and the Centers for Medicare and Medicaid Services.
Further, the HCCIC staff has been learning best practices from the NCCIC and also collaborating with agencies like the Defense Health Agency and the Defense and Veterans Affairs departments.
“We really do want to get to a place where we are collaborating with each other and cooperating across the board; having dynamic threat sharing and not just automated indicators but how-to guides,” Amato said.
The Trump administration’s proposed fiscal 2018 budget for HHS would set aside $72 million for the agency’s cybersecurity program, $22 million above the 2017 continuing budget resolution’s levels.
The program works to ensure that HHS “is able to address the evolving cyber threats and protect the Department’s sensitive information,” the budget proposal states. “The cybersecurity program will continue its operations to detect, manage, and remediate cybersecurity risks.”
While the HCCIC isn’t specifically mentioned, the proposal says the additional funding will be directed, in part, “to expand HHS’s capability to share cybersecurity threat indicators and information across the Federal and private health care spaces to better protect the security of such data.”