The Department of Health and Human Services’ new national cybersecurity intelligence-sharing clearinghouse appears to duplicate the role of similar entities in the federal government and in the private sector, say key lawmakers and some leaders in the health care industry.
Critics say the creation of the Healthcare Cybersecurity and Communications Integration Center, or HCCIC, is moving the goalposts for the industry, which was answering the U.S. government’s call to create a private-sector cyberthreat-sharing ecosystem. HCCIC is being modeled after the Department of Homeland Security’s 24-hour watch center, the National Cybersecurity and Communications Integration Center, or NCCIC — and some fret it may duplicate its functions.
Defenders of the new clearinghouse are playing down the idea that HCCIC might be redundant. They argue it can provide a depth of specialist knowledge about the health care sector DHS lacks, and that the industry’s own membership-based information sharing organizations cannot match the universal service HCCIC will provide.
The health care industry “feels that they answered the rallying cry” from the government to share cyberthreat information, and are now “getting the rug pulled out from under them,” Daniel Nutkis told CyberScoop.
ISAOs already in action
Nutkis, the CEO of HiTrust Alliance, a non-profit information-sharing and analysis organization, or ISAO, testified this week before the Senate Homeland Security and Governmental Affairs Committee.
Immediately following the hearing, committee leaders wrote to HHS Secretary Tom Price, asking a series of pointed questions about the HCCIC, and its relationship to NCCIC.
HHS officials declined to comment. “We will respond to the senators, but not through you,” a spokesman told CyberScoop.
The government called for ISAOs to be formed in President Obama’s February 2015 cybersecurity executive order, and the GOP-controlled Congress backed him up at the end of the year by legislating a liability safe-harbor for companies sharing cyberthreat information with approved government agencies in the Cybersecurity Act of 2015.
The act also cemented DHS at the center of federal cyberthreat-dissemination efforts and mandated the department to establish a real-time, automated system for sharing such data, called AIS — which it did last year.
Nutkis says HiTrust and other private sector organizations were with the program. “We feel like the market responded,” he said.
Securing the agreement of HiTrust’s large and various membership to participate in AIS was “a very heavy lift,” given the legal questions that hovered over the system, he said.
AIS integrates private sector partners into the NCCIC, which was designed to be a single federal clearinghouse for cyberthreat intelligence sharing. The National Health Information Sharing and Analysis Center, a Florida-based membership organization, is also represented through NCCIC, Nutkis said.
“We’ve been innovative,” he said of the decade-old HiTrust Alliance. “We’ve been assessing [our performance], we’ve been responsive” — for instance to the call for better services to the smaller health care providers, offering a pared-down version of their service for free, and a “high-tech, low-touch” product for health care providers that cannot afford to employ cybersecurity professionals.
“They talk about partnership,” Nutkis complained of HHS officials, “If there was partnership, they would come and ask us, ‘Where are the gaps … where are the missing capabilities that we can help provide?'”
Instead, many in the industry, himself included, learned about the creation of HCCIC through the media, he said.
“There’s no partnership there,” Nutkis said.
Time for a shift?
“We think we’re doing a good job,” Nutkis said of the sector’s efforts on cybersecurity. That’s not a widely shared view.
“In one year, health care went from being an accidental target of ransomware, like the Hollywood Presbyterian Hospital was, to the number one target,” said Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and a founder of the white-hat hacker collective I am The Cavalry.
Corman agrees with Nutkis that there needs to be a discussion about the different roles of the public and private sector in health care cybersecurity, but there the agreement ends.
“It’s obviously self-interested,” he said of Nutkis’ criticisms of HCCIC. “The threat landscape has changed completely … historic initiatives [like HiTrust] filled a void the government left, and they shouldn’t be brushed aside, but there may be better ways to serve” the sector.
Corman was a member of a task force HHS convened in response to a mandate in the 2015 cybersecurity law.
“In any public-private partnership, certain things belong best in the government’s hands … It’s a matter of debate,” he told CyberScoop.
“The bigger question is: Can a single [private sector] center do this better and instead of the federal government?” He said that the ISAO ecosystem was “nebulous and nascent … No two ISAOs are the same, there are very different levels of maturity.”
Corman acknowledged that there are questions about the new HHS center and its relationship with NCCIC and other existing information-sharing initiatives.
In their letter to Price, Republican Sen. Ron Johnson of Wisconsin, chairman of the Homeland Security Committee, and Ranking Member Sen. Clare McCaskill, a Democrat, ask nine questions about the need for the center; its relationship to NCCIC and other DHS components like the U.S. Computer Emergency Readiness Team; whether it will be covered by the liability protections in the 2015 act; how it will relate to ISAOs; and how the center fits into the department’s role as a regulator.
“Those are all fair questions and they deserve answers,” said Corman. The letter gives the department until July 12 to respond.
You can read the letter below.