Sharing cyberthreat information between public and private sector partners has long been the Department of Homeland Security’s strategy for strong cybersecurity.
It’s also becoming the prescription for the Department of Health and Human Services.
HHS CISO Christopher Wlaschin detailed the agency’s ongoing initiatives Wednesday to partner with health care providers, hospitals and other industry stakeholders to share information on potential cyberthreats to the health care sector at the Medical Device Innovation, Safety & Security Consortium’s Fall Congress.
Wlaschin said his team is currently working on improving cybersecurity preparedness throughout the health care sector, collaborating with industry as required by the 2015 Cybersecurity Information Sharing Act. That law called on the agency, which is tasked with protecting the health care and public health critical infrastructure sector, to stand up a Health Care Industry Cybersecurity Task Force as well as disseminate information across industry to improve the sector’s cyber posture under Section 405 D.
“It’s readily apparent that [the National Institute of Standards and Technology] and other standards development organizations have very mature models about what standards to apply to cybersecurity in the health care sector,” he said. “This 405 D brings together a majority of representatives — again only a few government people, the majority from industry — to talk about industry-led, voluntary best practices that you can deliver to small, medium and rural providers to help them become more cyber-aware, more cyber-prepared, more cyber-resilient.”
While HCIC was created in March 2016 and recently presented a report on improving cybersecurity in the health care industry this summer, Wlaschin said the agency is continuing to develop collaborative information sharing models with industry, based on its health crisis response operations.
One example he cited was May’s WannaCry ransomware attacks, which impacted systems across Europe. HCIC was in beta when the attack occurred, but Wlaschin said that threat intelligence feeds tipped agency officials that an attack was coming, allowing them time to stand up a rapid response to protect health care systems.
“As our knowledge of this incident developed and our understanding of it grew, the cyber folks reported to [the Office of the Assistant Secretary for Preparedness and Response] that we see something that’s coming this way,” he said.
As the attack developed, HHS’s Division of Resilience contacted industry stakeholders to let them know about the software patches that would protect their systems.
“Our awareness and our ability to communicate rapidly what the threat was and what to do about it, I think, saved the majority of the public health sector from a major incident,” Wlaschin said.
But challenges remain. In February, while trying to discuss the HCIC at the Healthcare Information and Management Systems Society conference, he found reluctance among some providers to share information because of a fear of regulatory penalties.
“We’ve got to work through that perception, that sharing cyberthreat indicators does not expose a covered entity to regulatory actions by [the Office of Civil Rights],” he said. “There are laws that DHS fought for and won that allow medical entities, and anybody from a critical infrastructure sector, to share information with the government when it comes to cyberthreats. HHS is leveraging that language so you can share with us too.”