The Health and Human Services Department’s cyber threat center already has undergone its first test—the WannaCry ransomware outbreak—even though it hasn’t reached initial operating capability yet, HHS officials told lawmakers Thursday.
“The true state of cybersecurity risk in this sector is underreported by orders of magnitude and the vast majority of the [health care and public health] sector is in dire need of cybersecurity assistance,” Leo Scanlon, HHS senior adviser for health care and public health cybersecurity, told a House Energy and Commerce subcommittee.
The initial WannaCry attack started May 12, quickly infecting more than 300,000 computers around the world, encrypting the data and demanding payment. In the U.K., the ransomware disrupted National Health Service systems, forcing hospitals to reschedule appointments and operations.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
HHS opted to respond to the cyberattack the way it would a natural disaster: It tapped the Office of Assistant Secretary for Preparedness and Response to reach out to its network of private-sector partners.
“You don’t exchange business cards during an emergency,” Steven Curren, ASPR’s Division of Resilience director, told lawmakers.
The department’s also mobilized its relatively new unit for sharing cyber threat information, the Healthcare Cybersecurity and Communications Integration Center, for the first time. HCCIC provided the “situational awareness” from other agency partners including other cyber teams within the Homeland Security Department, Scanlon said.
ASPR and HCCIC set up calls—one with more than 3,000 open lines—and worked on pumping out one-pagers of information designed for people whose first job is likely not cybersecurity.
Although Homeland Security Secretary John Kelly recently said the number of compromised U.S. systems was “miniscule,” HHS is still dealing with the fallout. Though the encryption part of WannaCry has been largely diffused, Scanlon explained it continues trying to infect certain systems and can knock them offline. Patches have largely stopped the spread of WannaCry, but they don’t help already infected systems.
Lawmakers asked why there seemed to be less impact on the U.S. health care sector than on other countries.
“In part, it was probably good luck,” Scanlon said.