The WannaCry ransomware attack wreaked havoc across the globe in May, and particularly affected the United Kingdom’s National Health Service. In the United States, the Department of Health and Human Services’ Health Cybersecurity and Communications Integration Center (HCCIC) led a coordinated response, portending stronger coordination with private-sector healthcare.
The HCCIC, designed as a healthcare-focused cousin of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), is supposed to serve as a central hub for monitoring cyberthreats to the healthcare sector and to share information with the private sector. The HCCIC involves increased investment in cybersecurity equipment and personnel for HHS and elevates the importance of cybersecurity within the department.
However, some senators and healthcare industry experts began to question whether the HCCIC is redundant shortly after it launched.
HCCIC Directs WannaCry Response
Steve Curren, director of resilience in the HHS Office of Emergency Management, told a House Energy and Commerce subcommittee in June that the HCCIC “coordinated the response to WannaCry,” reports CyberScoop.
The response, Curren said, included conference calls with up to 3,100 participants each and daily messages with answers to frequently asked questions; the HCCIC also provided lists of resources from other federal departments and agencies.
HHS Deputy CISO Leo Scanlon told the committee that the HCCIC was established this spring to “support public-private partnership through regular engagement with and outreach to the [healthcare] sector …[and to] leverage HHS capabilities and outreach.”
During the WannaCry attack, HCCIC analysts “provided early warning of the potential impact of the attack and HHS responded by putting the secretary’s operations center on alert,” Scanlon said at the hearing of the House Subcommittee on Oversight and Investigations, Federal News Radio reports.
“This was the first time that a cyberattack was the focus of such a mobilization and HCCIC was able to support [the HHS Office of the Assistant Secretary for Preparedness and Response] interactions with the sector by providing real time cyber situation awareness, best practices guidance and coordination with the US-CERT and [incident response teams]” at NCCIC, Scanlon said.
Rep. Tim Murphy, R-Pa., the subcommittee’s chairman, noted that HCCIC “could dramatically change how HHS handles cyberthreats internally,” CyberScoop reports. “It is our understanding that the HCCIC will serve as a focal point for cyberthreat information collection and dissemination from HHS’s internal networks, as well as external sources.”
“Clearly, the sector needs leadership,” said House Energy and Commerce Committee Chairman Greg Walden, R-Ore. “HHS is uniquely situated to fill this void. Historically, the department has struggled to effectively embrace this responsibility, but that trend cannot continue,” he went on, adding, “The department’s actions in response to the WannaCry ransomware — coordinated through the newly established HCCIC — have generally received praise from the sector.”
The HCCIC’s aim is to help small healthcare providers in particular, because they often do not have staff dedicated to IT security and may not be able to afford more secure and modern technologies, CyberScoop notes.
Scanlon said the “most important outputs” from the HCCIC would be warnings, bulletins and other products that are intelligible to those who are not cybersecurity experts. They are designed for healthcare providers that do not have the technology or bandwidth to take advantage of automated information-sharing initiatives run by DHS and other established information-sharing entities.
Is HCCIC Necessary with NCCIC?
Despite HCCIC’s response to the WannaCry attack, some lawmakers and healthcare industry experts are questioning whether the HCCIC is duplicating efforts of Homeland Security’s NCCIC.
Daniel Nutkis, CEO of HITRUST Alliance, a nonprofit information-sharing and analysis organization (ISAO), told CyberScoop that the healthcare industry “feels that they answered the rallying cry” from the government to share cybersecurity threat information and are now “getting the rug pulled out from under them” with the HCCIC.
The government called for organizations like the HITRUST Alliance to be formed in President Obama’s February 2015 cybersecurity executive order, CyberScoop reports, and in December 2015 Congress backed that effort by passing the Cybersecurity Act of 2015. The legislation offers private entities liability protection if they share cyberthreat information with approved government agencies. It also made DHS the hub for sharing federal cyberthreat information and required the department to establish a real-time automated system for sharing such data, which it did last year.
Nutkis says HITRUST and other private-sector organizations are on board. “We feel like the market responded,” he says. However, the healthcare industry only learned about the HCCIC indirectly, from media reports.
“They talk about partnership,” Nutkis says of HHS officials. “If there was partnership, they would come and ask us, ‘Where are the gaps? Where are the missing capabilities that we can help provide?’”
Lawmakers are expressing wariness about the HCCIC, reports FCW. “I’m concerned about the HHS effort,” said Sen. Claire McCaskill, D-Mo., ranking member of the Senate Homeland Security and Governmental Affairs Committee, at a June 21 hearing that examined the federal cybersecurity regulations and compliance requirements facing the private sector.
At the hearing, McCaskill questioned whether the HCCIC would facilitate cybersecurity threat sharing, as the NCCIC does, and whether companies would have liability protections if they share threat information with the HCCIC.
McCaskill and Sen. Ron Johnson, R-Wis., the committee’s chairman, sent a letter to the White House “asking that a federal CIO be appointed to help deconflict the confusing cybersecurity regulation compliance picture,” FCW reports.
The letter asks HHS Secretary Tom Price to document the need for the HCCIC, how it will interact with the NCCIC, how information sharing will work, and whether HHS will leverage DHS tools like the U.S. Computer Emergency Readiness Team, which is responsible for responding to major cyberincidents, analyzing threats and exchanging critical cybersecurity information with trusted partners around the world.
Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and a founder of the white-hat hacker collective I Am The Cavalry, told CyberScoop that Nutkis’s criticisms of HCCIC were “obviously self-interested,” and that information-sharing and analysis organizations (ISAOs) might not be up to the task of helping the private sector respond to cyberthreats.
“The bigger question is: Can a single [private sector] center do this better and instead of the federal government?” Corman said. He added that the ISAO ecosystem was “nebulous and nascent … No two ISAOs are the same, there are very different levels of maturity.”