Written byPatrick Howell O'Neill
A bill aimed to reorganize and sharply focus cybersecurity at the Department of Health and Human Services (HHS) was reintroduced on Wednesday by Reps. Billy Long, R-Miss., and Doris Matsui, D-Calif.
The HHS Cybersecurity Modernization Act comes in response to congressional hearings on the state of cybersecurity in the health care sector. A recent federal task force report on the state of hospital cybersecurity was starkly negative in its diagnosis.
“Many organizations cannot afford to retain in-house information security personnel, or designate an information technology (IT) staff member with cybersecurity as a collateral duty,” the task force reported. “These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”
Critics say the federal effort toward cybersecurity in the health care sector lacks clear leadership and focus.
The new legislation would grant the chief information security officer increased responsibility and power and create a health care threat coordination center. It would also require the secretary of Health and Human Services to develop and submit a plan to Congress on how the HHS coordinates on cybersecurity challenges, the role of a CISO on internal HHS security versus improving health sector security at large, and on challenges the agency faces as a regulator involved in cybersecurity for the sector.
Across industries, private companies have hesitated or refused to share cybersecurity intelligence with regulators for fear of negative consequences. It remains to be seen how HHS will deal with this.
“We can always do more to boost our cybersecurity efforts, and while HHS has made some important strides in this effort, we think more can and should be done to help protect the sensitive information the department holds,” Long and Matsui said in a joint statement. “We are particularly hopeful for the results that could yield from HHS detailing such a plan and look forward to continued efforts to address potential cyber threats.”
Earlier this year, the WannaCry ransomware attack rippled through British National Health Service machines. At a June hearing, the HHS response was positively received.
“Clearly, the sector needs leadership,” said Energy and Commerce Committee Chairman Greg Walden, R-Ore. “HHS is uniquely situated to fill this void. Historically, the Department has struggled to effectively embrace this responsibility, but that trend cannot continue,” he went on, adding “The Department’s actions in response to the WannaCry ransomware — coordinated through the newly established HCCIC — have generally received praise from the sector.”
The US has seen its own share of health care cybersecurity disasters.
A hospital paid $17,000 in ransom in 2016 when hackers owned the institution’s machines with ransomware. The 40 bitcoin ransom is worth about $275,000 today. More than 158 other hospitals reported major breaches to the federal government since 2010.