The Department of Health and Human Services is looking for an existing health care organization experienced in sharing cyberthreat information to serve as the official information sharing and analysis organization between the department and the broader public health sector.
HHS’ Office of the National Coordinator for Health Information Technology and Office of the Assistant Secretary for Preparedness and Response are offering a combined $400,000 to a private sector entity to send and receive critical cyberthreat information, connecting the department, the greater health care sector, and other federal partners, such as the FBI and Department of Homeland Security. ONC issued a grant worth $250,000, and ASPR issued one worth $150,000 for the ISAO, both of which are renewable for up to five years.
“Recent high profile cybersecurity incidents have demonstrated the need for improved [cyberthreat information, or CTI] sharing among organizations in the [health care and public health sector] sector,” ONC’s funding announcement says. “These organizations require access to timely and accurate CTI in order to manage resources and establish protective measures to effectively counter this threat. A number of Executive Branch policies have placed a responsibility on HHS to take on a lead role in CTI sharing with health care organizations.”
HHS is charged by the Cybersecurity Information Sharing Act of 2015 as a sector-specific agency to share cyberthreat information with private sector organizations through an ISAO.
“Establishing robust threat information sharing infrastructure and capability within the Healthcare and Public Health Sector is crucial to the privacy and security of health information, which is foundational to the digital health system,” said Karen DeSalvo, the national coordinator for health IT, in a release. “This coordinated resource will focus on sharing the most up-to-date threat information across the health and public health sectors and will better equip health systems to identify potential threats and further protect electronic health information.”
The eventual awardee, according to a release from ONC, should “Provide cybersecurity information and education on cyber threats affecting the Healthcare and Public Health sector, expand outreach and education activities to assure that information about cybersecurity awareness is available to the entire Healthcare and Public Health sector, equip stakeholders to take action in response to cyber threat information, and facilitate information sharing widely within the Healthcare and Public Health Sector, regardless of the size of the organization.”
Prior to developing these grants, HHS awarded a planning grant to Harris Health System to audit the health sector for any gaps in the sharing of cyberthreat information. Though Harris is still developing its final report, it offered preliminary findings revealing that health care leaders feel threat information sharing is “too slow in the sector” and that a centralized source for sharing is needed, as well as automated sharing and a “common technical language and platform” to facilitate it.
“Keeping health IT up and running is critical to health system preparedness. Not only do we need to worry about natural disasters, but also increasingly we must combat—and prevent—cyber threats. Many parts of the healthcare system don’t have access to the information they need to protect themselves from these threats,” said Dr. Nicole Lurie, assistant secretary for preparedness and response, in the release. “Using an ISAO to exchange cyber threat information with these healthcare organizations, bi-directionally between HHS and the Healthcare and Public Health sector, we hope to build the capacity to better prevent, detect and respond to cyber attacks.”
HHS is opening the grant to “Local, Public nonprofit institution/organizations, Private nonprofit institution/organizations, private and for profit organizations that are already providing outreach and technical assistance to participating organizations on cybersecurity threats,” according to the award announcement. Additionally, organizations may team up to apply for the award “because [cyberthreat information] sharing is a collaborative exercise that needs everyone’s participation, such collaboration is encouraged.”
The project is divided into three phases: The first, which will be two years long, involves preparing and building out the infrastructure of the ISAO. Phase two — during the third and fourth years — involves the initial stages of serving as an ISAO. Finally, in the fifth year, the third phase aims to make the ISAO fully operational and sustainable. Years two through five of the program are subject to funding availability.
HHS will accept applications until Aug. 19, requiring a notice of intent from organizations by Aug. 1. Awards should be made by Sept. 16, and the project will launch Sept. 26.