During a House Energy and Commerce Oversight subcommittee hearing Thursday on the U.S. Department of Health and Human Services’ role in healthcare cybersecurity, HHS leaders shared lessons learned during the department's response to the recent WannaCry ransomware attack and acknowledged that work still needs to be done to improve cybersecurity in the healthcare industry.
“The experience provided a rich set of lessons learned… and it highlighted the disturbing reality that the true state of cybersecurity risks in the sector is under reported by orders of magnitude and the vast majority of the public health sector is in dire need of cybersecurity assistance,” Leo Scanlon, the deputy chief information security officer at HHS, said during the hearing.
Scanlon also said that HHS has a long-term task of assisting the U.S. healthcare sector with shifting from a compliance-oriented security posture to a dynamic risk-management approach. “And this means different things at different levels of the sector, but one thing is clear, the regulatory mechanisms that served to call attention to the need to protect PHI (protected health information) are fundamentally challenged by the technical capabilities of threat actors who operate at scale and machine speed and now have brought the specter of life-threatening impact of a cyber attack in the operating rooms and ambulances of our providers and first responders, and HHS is prepared to play a leading role in addressing that challenge.”
Steve Curren, director of the Office of Emergency Management’s Division of Resilience, Office of the Assistant Secretary for Preparedness and Response (ASPR) within HHS, said in his opening statements, “Few infrastructure issues have challenged the healthcare sector more than the proliferation of cyber attacks. In our modern system of health care, nearly everything is connected through a system of systems, from dialysis machines to electronic health records. Cybersecurity is both a direct and a secondary threat. It can impact everyday patients and health care delivery by locking down access to power, important medical information, and life-saving equipment. It can also exacerbate an existing emergency when hospitals, EMS, and emergency first responders are already working a frantic pace to save lives and cannot afford to lose access to communications or risk further delays in their response.”
ASPR, a division within HHS, was created in the wake of Hurricane Katrina to lead national response to adverse health effects in public health emergencies and disasters. He added that in 2016 federal leaders began to see the rise of healthcare ransomware attacks. “These attacks shifted the threat landscape considerably, as they no longer threatened just personal information but the ability of healthcare organizations and communities to provide patient care,” he said.
The Subcommittee on Oversight and Investigations hearing on Thursday focused primarily on the findings from two reports that Congress required HHS to produce under the Cybersecurity Act of 2015—one report focused internally within HHS itself, the HHS Cyber Threat Preparedness Report, and another report focused externally within the healthcare sector, the Health Care Industry Cybersecurity Task Force report.
During the hearing, the topic of the WannaCry ransomware attack dominated much of the discussion, and members of the House subcommittee used the cyber attack, and HHS’ subsequent response, as a case study for the effectiveness and applicability of the findings from the reports. On March 12, a cyber attack using the WannaCry ransomware virus spread quickly across the globe, infecting hundreds of thousands of devices in a dozen countries in a matter of hours. Computer systems at 40 National Health System (NHS) hospitals in the United Kingdom were infected, which forced many of those hospitals to reduce services, cancel certain operations and turn away all but emergency patients.
Federal lawmakers also wanted to learn more about the operation of the Healthcare Cybersecurity Communications Integration Center (HCCIC), which was established to strengthen engagement across HHS operating divisions and enhance public-private partnerships through regular outreach with the healthcare industry.
Scanlon said the HCCIC is the central location for public health sector information sharing and that HCCIC played an integral role in HHS’ coordinated response to the recent WannaCry incident. “In the recent WannaCry mobilization, HCCIC analysts provided early warning about the impact to health care. This was the first time a cyber attack was the focus of a mobilization.”
Scanlon said beginning the day of the outbreak and peaking over the following several days, HHS took a central role in coordinating government resources and expertise, compiling and distributing relevant information, and generally serving as a hub for both public- and private-sector response efforts. The HHS Deputy Secretary’s designee for cybersecurity and an official from ASPR took primary lead, with other relevant department operating divisions providing support as necessary, he said.
Initial feedback from both the department and from the health care sector has generally concluded that the department’s response, and therefore its cyber threat preparedness strategy as envisioned in its report, was effective, Scanlon said.
However, when Rep. Chris Collins (R-NY) asked the HHS leaders what the U.S. is doing better than the UK such that it avoided the damaging effects of the WannaCry attack, specifically with the question, "Was there something that we’re doing better, or is it just good luck?", Scanlon replied, "Part of it was probably good luck."
He added, “There is a great deal of analysis going on, and there was a point in time where the effect of the attack changed. We don’t believe we were spared the impact, from everything we’ve seen,” referring to reports that some healthcare organizations are still vulnerable to the malware.
Collins also asked what healthcare technologies, from electronic health records to medical devices and telehealth, are the most vulnerable.
“That’s an important question. The healthcare sector is somewhat unique as it’s particularly sensitive to the phenomenon of the Internet of Things (IoT), and you have devices that were not developed with the intention of being on the Internet or to talk to other devices when they were designed, yet they are. This presents a problem in that, typically, we can patch our systems without difficulty, we can roll out automatic patches, but you can’t quite do that in a hospital when you don’t know the impact of that patch in an operating room or a medical device that is unique in the way it was designed and structured. So, the healthcare sector has a different type of vulnerability that requires a lot of thought and effort to try to address. Part of the problem in the WannaCry incident is that the devices that were unpatched were impacted by this in a severe way and the difficulty of getting those patches to [those organizations] was profound.”
Scanlon said one of the responsibilities of HHS was to spread best practices to the private sector and inform healthcare organizations about the resources that may be available. “The development of communications in this area is very important to us. During WannaCry, we discovered there is a lot to be learned as far as information sharing and alerting. The sector is diverse and disparate; there is no one single channel to broadcast out to. We need to find ways to reach down into smaller organizations,” he said.
The HHS leaders acknowledged that small and medium-sized healthcare organizations have a critical need for cybersecurity information and resources. Scanlon said during the WannaCry incident, the HCCIC produced “one pagers” to answer questions from small organizations on issues such as, “How do I patch? How do I detect? What should I look for?”
“We were able to provide this information in real-time to folks who don’t have sophisticated cybersecurity teams, and we look forward to continuing to do that. I’d like to mention that I once spoke to an administrator at the Indian Health Service, and he said to us, ‘We know there is social engineering and we know they are phishing us, and what we don’t know is, what we should do about it.’ We are committed to answering those questions,” Scanlon said.
Several members of the House subcommittee voiced concerns about the negative impact of cybersecurity regulations on healthcare organizations, pointing out that complying with numerous and disparate regulations can be a legal and technical burden on hospitals, health systems and medical practices. Rep. Ryan Costello (R-Pa.) cited the need to align and streamline cybersecurity regulations. Other members of the subcommittee said that penalties from the Office of Civil Rights and the data breach portal “Wall of Shame” were, in effect, “victimizing the victims.”
Emery Csulak, chief information security officer and senior privacy official, Centers for Medicare and Medicaid Services (CMS) and co-chair of the Health Care Industry Cybersecurity Task Force, said the task force highlighted these points in its report: “the harmonization of the regulations is a key piece and a key challenge of that.” “Even before the task force report, we had already discussed these challenges in the [HHS Cybersecurity Leadership and Cybersecurity] working group, really looking at the potential negative impact of regulations and how to change this from negative to a positive. Do we have an answer for those right now? No. We’re hoping those will come back through the working group as solutions and activities in the future.”
Scanlon said HHS wanted to review how regulations may be impeding healthcare organizations’ ability to shift from a cybersecurity focus based merely on compliance to a risk management approach, as outlined in the National Institute of Standards and Technology (NIST) cybersecurity framework.
Regarding information and threat sharing, Rep. Mimi Walters (R-California) said concerns have been raised by healthcare organization leaders regarding the liability protections provided by the Cybersecurity Information Sharing Act of 2015. Many healthcare leaders have doubts about whether they have liability protection when submitting information to HHS.
“That is a widespread belief and it’s not correct,” Scanlon said, citing strong protections under HIPAA that encourage the sharing of indicators and defensive measures and identify what information should be shared. “We’re working with legal teams to develop plain language descriptions about those protections and how they work,” he said.