High Hopes for HHS Cybersecurity Center

Stakeholders react to news that HHS will launch a healthcare cybersecurity center this summer.
By @JennHIStalk

While administrations may change and legislation come and go, the need for cybersecurity across healthcare’s many verticals seems to be a constant that will remain with the industry for the foreseeable future. News that HHS will create a Healthcare Cybersecurity Communications and Integration Center this summer highlights the federal government’s commitment to helping providers, payers, vendors, and (hopefully) patients prevent data breaches that could impact patient safety.

Modeled after the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, the new HHS center helps to fulfill the Cybersecurity Information Sharing Act of 2015, part of a broad initiative under the Obama administration to bolster the government’s offensive and defensive cybersecurity capabilities.

“HCCIC establishes the mechanism to provide proactive and anticipatory analysis of cyber threats to both HHS and the healthcare and public health sector,” says an HHS spokesperson. (The department declined a formal interview.) “The HCCIC will act as a clearinghouse to drive healthcare-relevant cyber indicators, briefings, and actionable intelligence to and from a wide variety of stakeholders – both public and private. HHS aims to begin initial operations this summer.”

The timing is apropos given the impending release of a report authored by the Health Care Industry Cybersecurity Task Force, a CISA-mandated group put together last spring tasked with:

• Analyzing how other industries have addressed cybersecurity threats.
• Reviewing the security challenges associated with networked medical devices and software connected to EHRs.
• Developing and circulating cybersecurity best practices.
• Establishing a plan the government can use to freely share real-time intel regarding healthcare cybersecurity threats.

While HHS would not confirm the HCCIC will help to implement the task force’s recommendations, one can only assume that the two resources will converge to some degree. Industry stakeholders are of course eager to collaborate and benefit from the new center’s deliverables, which are yet to be fully determined.

“We are anxious to begin to see actionable data coming out of the HCCIC, including threat and vulnerability,” says Marc Probst, CIO of Intermountain Healthcare (UT), which formed a cybersecurity center last year with the University of Utah and several other partners. “The HHS goals around information sharing and analysis align perfectly with our organization and several that we are working with,” he adds. “We are anxious to contribute and develop automated feeds for the HCCIC.”

While emphasizing that long-overdue federal cybersecurity risk assessment and risk management efforts will provide good implementation guidance, Probst and his colleagues are reluctant to see cybersecurity become a compliance effort or a certification program. “Many of those currently participating are vendors or people with a product to sell,” Probst explains. “We hope the committees and chairs will seek more payer and provider participants.”

While selling a product to providers in need would surely be seen as a positive outcome for any vendor involved, Divurgent CISO Stephen Watkins sees the benefit of an HHS-sponsored cybersecurity center as one of cohesive collaboration. “For advisory and consulting services organizations like ours,” he says, “these centers allow us to share and contribute our strategic, operational, and tactical insight from the field as well as act as both sounding boards and feedback loops for best-practice implementation guidance from the HCCIC, especially for small providers that may not have in-house IT security staff.”

Real-time cybersecurity guidance to the healthcare community will surely be welcome in light of today’s constant stream of data breach announcements, which have become so banal as to no longer incite the media hysteria it first engendered a year or two ago. While it may be too much to hope the center and its collaborators can help providers, payers, and vendors stay ahead of constantly evolving cyber threats, stakeholders no doubt hope HCCIC resources will become some of the strongest defenses in their cybersecurity arsenal.