Cyber threat sharing program helped lead response to malware attack
A new Department of Health and Human Services cybersecurity center, designed to serve as a focal point for cyber threat information collection and dissemination in the healthcare sector, was pivotal in facilitating the HHS response to last month’s global WannaCry ransomware attack, say agency officials.
The Health Cybersecurity and Communications Integration Center (HCCIC) was an integral part of the agency’s coordinated response to the recent WannaCry incident, providing analysis on the ransomware threat and its impact, according to Steve Curren, director for the Division of Resilience in the Office of Emergency Management at the HHS Office of the Assistant Secretary for Preparedness and Response.
Despite the good initial experience, HHS and the cybersecurity center have a long way to go before the center becomes an effective tool for the nation’s healthcare providers, congressional leaders and HHS officials agree.
When the massive WannaCry attack hit dozens of hospitals in the United Kingdom, the HCCIC “engaged the broader healthcare sector and ensured that IT security specialists had the necessary information to protect against, respond to and report intrusions,” Curren testified before a congressional hearing last week.
“This effort included calls with up to 3,100 participants each, daily messages with answers to frequently asked questions, resources from other federal departments and agencies, and guidance on how to report attacks,” he added. “While this was the first time HHS had organized itself in this way for a cybersecurity incident, we believe that it has set a standard on how to manage cybersecurity incidents in this era of heightened consequences.”
Leo Scanlon, HHS deputy chief information security officer, noted in his testimony that the HCCIC is “designed to be the central location for healthcare and public health information sharing and will allow HHS to extend internal threat sharing and analytic capabilities to our federal partners, law enforcement and intelligence,” as well as the private sector.
The new center is slated to achieve initial operating capability at the end of the month, with full technical capabilities in place.
Scanlon said the most important “outputs” of the HCCIC are “products and guidance that are human-consumable by entities that do not have the sophisticated technology that support machine-speed reactions to threat indicators.” He described an enormous “fire hose of information that ultimately must be analyzed by people, by analysts who are specialists that can interpret, understand and put context to this information—that’s best carried out in a collective environment where people sit together and can communicate in real time.”
In the case of the WannaCry attack, Scanlon contended that HCCIC analysts provided early warning of the potential impact of the ransomware, and HHS responded by putting the Secretary’s Operations Center on alert.
“This was the first time that a cyber attack was the focus of such a mobilization,” and HCCIC was able to support the HHS Office of the Assistant Secretary for Preparedness and Response’s interactions with the sector by providing real-time cyber situation awareness, best practices guidance and coordination with other agencies, added Scanlon.
“The experience has provided a rich set of lessons learned and has highlighted the disturbing reality that the true state of cybersecurity risk in the sector is under-reported by orders of magnitude and the vast majority of the (healthcare and public health) sector is in dire need of cybersecurity assistance,” warned Scanlon.
HCCIC, developed with the help of the Carnegie Mellon University Software Engineering Institute and modeled after the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, is meant to dramatically change how HHS handles cyber threats internally.
According to Scanlon, the HCCIC has three high-level goals:
“It was our internal decision to take the existing capabilities that we have that were set up in a disparate fashion, unite them in a common place, and take this model of threat sharing—which has now become an industry standard—and apply it to the challenge that we face,” Scanlon said. “It was an immediate response in that sense to the (Cybersecurity Information Sharing Act of 2015) requirement that we develop the capacity to share threats in real time with the sector. That’s the capability that the HCCIC provided, and that was the forum that we determined was the most efficient and effective way to do that.”
The HHS Deputy CISO as the senior advisor for cybersecurity, the HCCIC and the HHS Cybersecurity Working Group “have the long-term task of assisting the sector to shift from a compliance-oriented security posture to a dynamic risk management approach,” Scanlon concluded, adding that situational awareness is the most important capability in combating a dynamic threat such as ransomware. “The value of the HCCIC is evidenced in the way that we were able to work in the WannaCry incident.”
However, Rep. Tim Murphy (R-Penn.), chairman of the House Subcommittee on Oversight and Investigations, lamented the fact that, “to date, there’s been little public information” about HCCIC and that the “various roles and capabilities of HHS have not been adequately conveyed to industry yet,” which must be the basis for public-private partnership.
At the same time, Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee, argued that while the HHS response to the WannaCry ransomware coordinated through the newly established HCCIC was generally positive, the agency has a “long way to go to demonstrate the leadership necessary to inspire change across the sector.”
According to Walden, the HHS leadership in the area of cybersecurity “needs to be open and transparent about who is in charge and provide clarity about the roles and responsibilities, not only internally but across the sector.” In addition, he contends that small practices and rural hospitals must not only know exactly who to call during cyber attacks, but they must also have “access to the resources and information to keep their patients safe.”
“The fact of the matter is many of these small healthcare organizations do not have the resources to address cybersecurity,” added Rep. Chris Collins (R-N.Y.), a member of the House Energy and Commerce Committee’s Health subcommittee. “Even more problematic, they don’t have the qualified personnel working for them to help them understand what’s even at risk.”
Scanlon acknowledged that HHS needs to “find ways to reach down into the smaller organizations.”