Congress Stepping in After Reorganizations, Leadership Vacuum Leave HHS Cybersecurity Center's Fate Unclear
The Health and Human Services Department doesn’t want to talk about its Health Cybersecurity and Communications Integration Center. And that’s no surprise, since it doesn’t seem to know what to do with it, and no one who was responsible for standing it up is involved with it anymore. Lawmakers from the House Committee on Energy and Commerce and the Senate Committee on Health, Education, Labor and Pensions sent a letter on June 5 to HHS Secretary Alex Azar pointing out some significant omissions in the department’s Cybersecurity Threat Preparedness Report, which the department is required to submit to Congress. The report is supposed to detail HHS’ responsibilities and preparedness to deal with cyber threats in health care.
Yet, according to the letter, the report made no mention whatsoever of the HCCIC. Which is strange, because the HCCIC was supposed to be the linchpin in HHS’ plans to coordinate information sharing about major cyber threats to the health care sector. The concept is based on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC), but with a more specific focus. But documents obtained by Federal News Radio show an internal disagreement within the HHS Office of Information Security in 2017 as to how the HCCIC fits into its structure.
In July 2017, then-Chief Information Security Officer Chris Wlaschin decided to reorganize the HCCIC under the purview of the OIS Security Operations Division, alongside the internally-facing Computer Security Incident Response Center (CSIRC) and the Network Operations/Security Operations Center (NOC/SOC). But then-Deputy CISO Leo Scanlon argued that the HCCIC was never designed for operational purposes. Instead, it was supposed to serve an analytics function and provide sectorwide support. This was best illustrated during the WannaCry incident in May 2017, which prompted HHS to activate the HCCIC one month early...