FEDS GET DINGED FOR SUBPAR HEALTH-CARE CYBERSECURITY
By James Swann
(Bloomberg Law) -- Confusion and an overall lack of coordination are hampering the federal government's efforts to secure health-care data, a bipartisan group of lawmakers said.
The group of House and Senate panel leaders said the absence of a coherent cybersecurity strategy puts government health-care programs at risk of potentially crippling attacks that could expose millions of patient records.
The Department of Health and Human Services needs to update its cybersecurity plans and explain how it's coordinating efforts among various agencies, according to a letter released June 5 by members of the House Energy and Commerce Committee and the Senate Health, Education, Labor, and Pensions Committee. The letter was signed by Energy and Commerce Chairman Greg Walden (R-Ore.) and ranking member Frank Pallone Jr. (D-N.J.) and Senate HELP Chairman Lamar Alexander (R-Tenn.) and ranking member Patty Murray (D-Wash.).
The HHS has failed to provide Congress with a complete accounting of cybersecurity efforts and a center devoted to coordinating HHS cybersecurity may not be operational, the letter said.
"HHS's decision to present to our committees a report that was outdated, incomplete, and inaccurate raises concerns about HHS's ability to address the growing number and severity of cyber threats facing the health care sector," the letter said, referring to a report on cybersecurity efforts that the HHS delivered to Congress last year.
The lawmakers asked the HHS to provide an update on the department's cybersecurity efforts by June 19. The response to the letter will help identify how Congress and the HHS can work together to tighten health-care cybersecurity, an Energy and Commerce staffer told Bloomberg Law. The committee hasn't decided the next step in exploring the HHS cybersecurity issue but is considering several options, the staffer said.
Problems with the HHS's cybersecurity efforts have been under the microscope for the past few years, Laura Hammargren, a health-care attorney with Mayer Brown LLP in Chicago, told Bloomberg Law. The HHS Office of Inspector General released an audit report in December 2017 pointing to HHS cybersecurity vulnerabilities, for example, and the current letter signals even more concern, Hammargren said.
The apparent lack of action by a new cybersecurity coordination center was especially troubling, according to the letter. The Healthcare Cybersecurity and Communications Integration Center was supposed to be operational last June, but committee staff couldn't determine whether the center still exists, what responsibilities it has, or who's running it.
The HHS's most recent Cyber Threat Preparedness Report didn't even mention the HCCIC, the letter said.The HHS is required to report to Congress on its cybersecurity efforts as part of the Cybersecurity Information Sharing Act of 2015.
The HCCIC is designed to strengthen cybersecurity coordination across the various HHS agencies as well as improve overall cybersecurity awareness among the public. The HHS didn't respond to a request for comment on the status of the HCCIC.
There's a perception that the HHS penalizes health-care institutions that have been subject to cyberattacks more than it supports the sector in combating these threats, Marcy Wilder, a health-care privacy and cybersecurity attorney with Hogan Lovells in Washington, told Bloomberg Law.
The HCCIC was supposed to facilitate information sharing on cyberthreats and provide industry guidance, and the HHS needs to clarify how it carries out its dual roles as an enforcer and a protector, Wilder, who previously served as deputy general counsel at the HHS, said.
The HCCIC appears to be more aspirational than reality-based at this point, judging by the letter's comment that the two senior HHS officials responsible for the center were reassigned in September 2017, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg Law.
"A bipartisan, bicameral letter questioning whether HHS's collaboration and analysis center for cybersecurity actually exists, or what it's doing if it does technically exist, is remarkable and alarming," Fader said.
The letter should serve as a wake-up call to HHS Secretary Alex Azar that the agency's attention to health-care cybersecurity needs immediate improvement, Fader said.
Lack of Communication
The letter's finding may simply reflect communication between the HHS and Congress on the good work the HHS has been doing with cybersecurity, Iliana Peters, a health-care attorney with Polsinelli PC in Washington, told Bloomberg Law.
The HHS has done a significant amount of work to strengthen health-care cybersecurity, including issuing an industry cybersecurity task force report in 2017, and providing a grant to ensure information sharing about cyber events available to all health-care sector entities, Peters, a former deputy director for the HHS Office for Civil Rights, said.
The HHS also did a great job in response to 2017's WannaCry cyberattack, including holding multiple daily briefings for health-care sector entities from the HHS Assistant Secretary of Preparedness and Evaluation, Peters said. The May 2017 WannaCry attack hit hundreds of thousands of computers worldwide and crippled more than 16 British hospitals, though it had little impact on the U.S health-care sector.
Confused cybersecurity efforts at the HHS make it difficult to tell how high the risk of attacks really is, Hammargren said. The congressional letter talks about a lack of documentation and explanation of cybersecurity processes and procedures, which may mean that a process exists but hasn't been set forth clearly.
However, the letter also refers to the HHS having a fluctuating cybersecurity strategy, which may be cause for concern, Hammargren said.
"It may speak to some lack of a clear direction for these issues, which feels like a risk in and of itself, as systematic processes for identifying threats and addressing them is one of the most important steps in securing health-care data," Hammargren said.