The cyber threat landscape to the U.S. healthcare system has shifted from the vulnerability of personal patient information to potential attacks designed to interfere with hospital systems and the ability of medical devices to function, according to testimony by Department of Health & Human Services (HHS) officials Thursday before the House Energy Subcommittee on Oversight and Investigations.

The House subcommittee’s hearing followed the June 2 release of the HHS-sponsored Healthcare Industry Cybersecurity Task Force’s report on improvements to cyber security in the U.S. health sector. The report, required by the Cybersecurity Act of 2015, was compiled by the 21-member task force, which was established in March 2016 and includes 17 health information technology (IT) experts from the private sector.

Department of Health & Human Services logo.

“We got a glimpse just weeks ago at what a large-scale cyber incident could do to the healthcare sector, including the impact upon patients, during the WannaCry ransomware event,” Subcommittee Chairman Rep. Tim Murphy (R-Penn.) said in his opening statement.

Much of the hearing focused on HHS’ role in preparing the health sector for cyber threats such as the global WannaCry ransomware attack, which affected systems including Britain’s National Health Service, preventing patients from receiving much-needed prescriptions and stopping surgeons from performing critical operations.

The task force’s report produced 27 recommendations for the healthcare industry to begin to implement in order to strengthen cybersecurity efforts.

The most critical of these recommendations, according to task force co-chair Emery Csulak, Chief Information Security Officer for the Centers for Medicare and Medicaid Services, include the need for stronger cyber security leadership to drive tangible organizational change, the goal of reducing the burden on small and rural health providers in meeting demanding IT modernization goals, the importance of protecting critical health infrastructure, and the requirement that HHS develop concise messaging on this issue.

“It is clear to members of the task force that we must consider the unique needs of small and rural organizations as well as new entrants and innovators,” Csulak said, pointing out that the interconnected nature of today’s health systems requires close attention to organizations with fewer resources for cyber measures.

The testimony at the hearing and the task force’s report both pointed to the changing nature of cyber threats against the health sector as a driving force to adapt and improve security measures across the board.

“In 2016, we started to see the rise of healthcare ransomware attacks. In these attacks, computer malware is used to lock up the files of healthcare organizations, while criminals demand payment in return for restored access,” said Steve Curren, Director of the Division of Resilience for HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR).

Curren’s ASPR reached out to 3,100 IT professionals in the health sector to identify the most critical cyber weaknesses, and plans to form a public-private working group to coordinate strengthening efforts.

The HHS representatives also discussed the formation of a planned Healthcare Cybersecurity Communications Integration Center (HCCIC), which is intended to improve internal response efforts by increasing engagement across HHS Operating Divisions and enhancing public-private partnership in the health sector. Increased funding to support the establishment of HCCIC is one area of improvement for HHS, according to the department’s Chief Information Security Officer Leo Scanlon.

Scanlon also described plans to establish a Senior Advisor for Cybersecurity role within HHS, which would chair a Cybersecurity Working Group.

“The Senior Advisor for Cybersecurity will align and coordinate internal stakeholders to collaborate with the private sector, U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) and the U.S. Department of Homeland Security to develop voluntary guidelines to support adoption of the NIST Cybersecurity Framework and to support the [Health and Public-Health] sector risk reduction and resilience,” Scanlon said.