HHS’ Cyber Threat Center Comes Out of Beta Soon

The Health and Human Services Department’s nascent cybersecurity center will soon reach initial operating capability to help share threat information with a sector constantly under attack and often short of cyber personnel of its own.

Based on the Homeland Security Department's National Cybersecurity and Communications Integration Center, the Healthcare Cybersecurity and Communications Integration Center will share health-care specific threats information with other agencies and the private sector. The center expects to reach initial operating capability June 30, HHS officials told the CyberSecureGov audience in Washington on Thursday.

“Relatively speaking, we're the new kids on the block playing in the biggest and toughest neighborhood at the moment,” Leo Scanlon, HHS senior adviser for health care public health cybersecurity.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Scanlon painted a grim picture of the challenges health care organizations face: rising ransomware attacks on organizations of all sizes, the difficulty to secure medical equipment never intended to be connected to the internet, and valuable data without cybersecurity staff to protect it.

“How many mortuaries do you think have a cybersecurity officer protecting their systems?” Scanlon asked. “Guess what's in a funeral home? The entire life history of every single person whose body is passing through medical records—cause of death, time of death, place of death. Everything you need to create an identity.”

Only about 2 percent of the sector—the insurance and pharmaceutical companies—have the resources and the know how to protect their data and share information with each other.

“Below the 2 percent is 98 percent of the rest of the sector that has virtually no cybersecurity capability, often not even a CIO in a small- or medium-size medical practice,” Scanlon said.

One of the biggest challenges for HCCIC will be to drop the cyber jargon and share threat information in a way medical professionals understand how it impacts their businesses, said HCCIC Director of Operations Maggie Amato.

“My mother is a hospice nurse so she's the customer that’s always in my head,” Amato said. “So trying to explain cybersecurity to my mom is a little bit difficult. My example is that if I tell my mother we have a vulnerability, she’ll give me a tissue and tell me it’s OK to cry.”

The center plans to put out how-to or step-by-step guides and is exploring the idea of a 311-style line to help private-sector partners, she said. But that’s down the line.

While the center has been in “beta mode,” it’s been building more collaborative relationships with HHS’ many component agencies, like the Food and Drug Administration and the Centers for Medicare and Medicaid Services. The center’s also been getting best practices and lessons learned from NCCIC while also building partnerships with other health care-focused agencies, such as the Defense Health Agency and the Defense and Veterans Affairs departments.

“We really do want to get to a place where we are collaborating with each other and cooperating across the board; having dynamic threat sharing and not just automated indicators but how-to guides,” Amato said.