The U.S. Department of Health and Human Services officially opened its Health Sector Cybersecurity Coordination Center (HC3), putting an end to the much-troubled Healthcare Cybersecurity Communications and Integration Center.
Yes, they are different beyond just a new name. Whereas HCCIC was intended to be a standalone entity partnering with NH-ISAC, HC3 will work with more stakeholders, including the Department of Homeland Security, to advise on cybersecurity information sharing within the healthcare sector.
WHY IT MATTERS
“The HC3 is a vital capability for the early detection and coordination of information between the private sector and the federal government, and with cyber professionals across the federal government,” Jeanette Manfra, assistant secretary for cybersecurity and communications in DHS, said in a statement.
Along with HC3, HHS has developed a coordination center to coordinate activities across the sector and to report to DHS on threats.
HCCIC was launched in April 2017 with overwhelming Congressional support, as part of a partnership with NH-ISAC. It played a critical role in the industry’s response to the global WannaCry cyberattack in May of the same year.
“The threat has changed, the problem has changed,” Scanlon told the House Energy and Commerce Committee following the attack. “There are matters that need to be brought to light … Organizations are now being attacked on a level they aren’t capable of handling on their own.”
But after HHS Deputy CISO Leo Scanlon presented results from the attack, HCCIC quickly began to unravel.
In July, it was announced HHS would move the HCCIC The Communications Security, Reliability and Interoperability Council to Atlanta, shifting the external cybersecurity interface outside the confines established by HITRUST.
By September, Scanlon and HCCIC Director Maggie Amato were abruptly sidelined. Amato resigned shortly afterward, while Scanlon stayed on to clear their names. The House began investigating their administrative leave (allegedly over ethics violations) in November 2017, accusing HHS of retaliating against Scanlon and Amato for whistleblowing.
A report on that investigation was due in September 2018, but it has yet to be released.
By March, Scanlon reported that the HCCIC was decimated, claiming HHS had abandoned the committee made with HCCIC. “That was a big loss for NH-ISAC, which has no partnership,” Scanlon told Healthcare IT News at the time.
At the time, Wlaschin told Healthcare IT News that the situation wasn’t as dire as all that and that HCCIC was still working with NH-ISAC and other cybersecurity partners.
The assertions then continued into June 2018, when House and Senate committees railed against HHS, saying HCCIC was so unstable staff didn’t know if it existed. Those committees gave HHS a June 2018 deadline to address their concerns, which went unanswered.
THE BIGGER TREND
This week’s launch of HC3 confirms Congress’ and Scanlon’s assertion: HCCIC is dead.
HCCIC’s role was laid out in Executive Orders and Presidential Policy directives and is also mandated to work with NH-ISAC on cybersecurity. Meanwhile, much of HHS’ cybersecurity role was shifting to the HHS Office of the Assistant Secretary for Preparedness and Response.
Also of note: the CIO has no authority to provide cybersecurity support to the private sector; that role resides with ASPR. As part of a reauthorization bill in September, HHS was mandated to house HCCIC in ASPR, and ASPR was tasked with cybersecurity for the sector.
While ASPR embraced its new role, it wasn’t staffed to support cybersecurity. Much of this role is outlined in a 2014 Congressional inquiry. Not to mention, there’s been a host of IT leadership quietly leaving the department or being reassigned.