In the wake of last month's WannaCry ransomware, HHS officials called on the department's senior adviser for cybersecurity and others to organize public-private collaborations to better share threat information both before and during attacks.
During a hearing of the House Energy and Commerce Committee, HHS officials praised the department's Healthcare Cybersecurity Communications and Integration Center (HCCIC) for how it disseminated information during the WannaCry attacks and held it up as an example for organizing cybersecurity discussion.
"We need to take this model of threat sharing, which has now become an industry standard, and apply it to the challenge we face," said Leo Scanlon, HHS' deputy chief information security officer. The HCCIC "is where you can get coordinated information," he said.
But the officials emphasized that communication between HHS and industry members about cybersecurity threats and their aftermath must improve. Scanlon noted there isn't a single channel for HHS to broadcast information about threats and mitigations to government and industry stakeholders, and he's looking for advice from lawmakers on how to reach their constituents to share information.
Improving the communication infrastructure could help HHS clear up providers' and payers' misunderstanding about agency policies.
During the WannaCry attack, industry members didn't know whether information they shared with the government would be protected, and some erroneously thought that the Food and Drug Administration prohibited them from patching medical devices to prevent hacks.
Steve Curren, director of HHS' division of resilience, said HHS is working to clear up those misconceptions.
Medical devices, providers and other healthcare industry members are uniquely vulnerable to cyber attacks because of how information is distributed and how systems are linked. The nature of healthcare information—which is not only personal and private but can also be a matter of life and death—also puts the industry at a heightened risk.
"Within our modern system of healthcare, nearly everything is connected through a system of systems," Curren said. As such, "HHS' cybersecurity mission is a combined national response requiring broad collaboration across the department, the government and private sectors."