HHS activities to enhance cybersecurity

 

This document provides an analysis of the Department of Health and Human Services’ (HHS) cybersecurity activities in response to Section 10(b) of Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” EO 13636 establishes federal policy to improve information sharing and develop and implement risk-based cybersecurity standards across critical infrastructure sectors, including development of a Cybersecurity Framework. Section 10(a) of EO 13636 requires agencies with responsibility for regulating the security of critical infrastructure to review the Department’s regulatory and non-regulatory cybersecurity  programs in light of the Cybersecurity Framework to determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.  HHS’s response to Section 10(a) was submitted to the National Security Council on February 11, 2014.  It concluded, “All of the regulatory programs identified [in the HHS Section 10(a) analysis] operate within particular segments of the [Healthcare and Public Health] Sector, due to their own distinct legislatively-defined jurisdictions and purposes. Expanding any or each of these authorities solely to address cybersecurity issues would not be appropriate or recommended.”

 

Section 10(b) requires, “If current regulatory requirements are deemed to be insufficient…agencies identified in sub-section (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions…to mitigate cyber risk.”  While HHS has concluded that the Department’s current regulatory authorities are sufficient, the Department is implementing a number of non-regulatory activities to enhance the cybersecurity of private sector critical infrastructure partners.  This submission describes those activities.

 

Under Presidential Policy Directive 21 (PPD-21), HHS has Sector-Specific Agency (SSA) responsibility for the Healthcare and Public Health (HPH) Sector and co-SSA responsibility (with USDA) for the Food and Agriculture (F&A) Sector. HHS implements its SSA role for the HPH Sector through the Critical Infrastructure Protection Program within the Office of the Assistant Secretary for Preparedness and Response (ASPR), and its co-SSA role for the F&A Sector through the Center for Food Safety and Applied Nutrition (CFSAN) at the Food and Drug Administration (FDA). Through these programs, HHS works in voluntary partnership with public and private sector entities in the HPH and F&A Sectors to enhance their security and resilience with respect to all hazards, including cyber threats.

The HPH Sector has been taking a collaborative approach to mitigate cybersecurity risk within the Sector for the past several years, and has expanded these activities in response to the publication of EO 13636. Prior to EO 13636, the Sector identified cybersecurity risks as priorities in all of its Sector-Specific Plans and Sector Annual Reports. Realizing that more education was needed on the issue, the Sector developed a cybersecurity primer. The primer addressed the predominant types of cybersecurity threats and protective measures for addressing them. The Sector also included cybersecurity threat discussions in quarterly threat briefings for Sector partners and included sessions focused on cybersecurity topics at Sector semi-annual meetings. After the publication of EO 13636, the Sector distilled the primer into a fact sheet and checklist to make it more accessible to healthcare executives and increased the Sector’s cybersecurity information sharing activities through meetings, briefings, and webinars. HHS also worked with subject matter experts within the Sector to identify cyber-dependent critical infrastructure in the Sector as required by Section 9 of EO 13636, and to begin sending notifications to the identified entities in collaboration with the Department of Homeland Security (DHS).

This year, HHS has focused on increasing the Sector’s awareness of the Cybersecurity Framework and implementing the Critical Infrastructure Cyber Community (C3) Voluntary Program within the Sector. HHS announced the release of the Framework through a website posting and presented on the Framework at major national Sector meetings. These meetings included the Public Health Preparedness Summit, Healthcare Information Management System Society (HIMSS) Conference, and Public Health Informatics Conference. The Sector has also tasked its standing Risk Management Working Group to develop the Sector’s approach to the C3 Voluntary Program. The Sector’s approach will focus on the cataloging and prioritization of federal resources for cybersecurity for Sector partners to access.

HHS is supporting efforts to strengthen the cyber security collaboration and coordination activities across the healthcare and public health sector. HHS is supporting the development of monthly joint briefings and sharing cyber threat data with some public entities in the HPH Sector to include payers, providers, hospital systems and pharmacies.  By sharing the cyber threat data widely within the healthcare ecosystem we increase the likelihood that we will be able to better withstand a cyber attack and or ward them off more successfully.  The recent spate of large-scale information system and data compromises makes this initiative all the more timely as would-be attackers realize the value of the Personally Identifiable and Personal Health Information stored within the healthcare arena. The intent of this public and private collaboration is to improve the information security posture of the entire healthcare ecosystem and improve our collective ability to deter and remove malicious actors from our networks, data, and IT infrastructure.

Several Sector members have increased their own cybersecurity activities based on the cyber threat information they have received from Sector partnership activities. One example of this is the American Hospital Association (AHA), which has been working to increase awareness of cyber threats among hospital executives and to provide them with resources to address these threats within their organizations. AHA has provided a series of threat briefings and teleconferences on cyber threats to their members, which have been supported by presentations from the HHS Critical Infrastructure Protection Branch, DHS, National Security Council staff, and others. AHA has also developed written materials to assist their members in addressing the threats discussed during the briefings.

 

Pursuant to its authorities under the Federal Food, Drug, and Cosmetic Act (FFDCA), FDA published the following guidance on cybersecurity of medical devices:

Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software (issued Jan. 14, 2005), available at http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm.

FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks (issued June 13, 2013), available at http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm.

Draft Guidance for Industry and FDA Staff: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" (issued June 14, 2013) available at http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356186.htm.

 

Under the Secretary’s authority to manage the Department, the Office of the Chief Information Officer (OCIO) operates the HHS Cybersecurity Program, an enterprise-wide information security and privacy program to help protect HHS against potential information technology threats and vulnerabilities. The Program ensures compliance with federal mandates and legislation including the Federal Information Security Management Act and the President’s Management Agenda; plays an important role in protecting HHS's ability to provide mission-critical operations; is the cornerstone of the Department’s IT Strategic Plan; and is an enabler for e-government success. See http://www.hhs.gov/ocio/securityprivacy/index.html.

The federal healthcare partners, the HHS Office of Information Security, Department of Veterans Affairs Network Security Operations Center, and the Space and Naval Warfare System Center Atlantic’s Network Security Operations Center, have established the Healthcare Threat Operations Center (HTOC). The HTOC brings together the strengths and expertise of each organization to actively improve the partnership’s collective computer security and incident response capabilities. Through appropriate coordination, collaboration, and resource sharing, the federal healthcare partners will achieve greater success in reaching their organizational goals, improving the cybersecurity posture of the healthcare sector, and serving more effectively as stewards of public resources.

 

HHS continues to strengthen its partnerships for addressing cyber threats to the HPH Sector. The Department works closely with the National Cybersecurity and Communications Integration Center (NCCIC), and is represented on the Cybersecurity Unified Coordination Group. In 2013, the Department finalized a Cyber Security Incident Response Plan Concept of Operations (CONOPS). The CONOPS addresses roles and responsibilities for cyber incident response within the Department, defines activation levels for cyber incidents, and describes response actions to be taken by HHS components. The scope of the CONOPS encompasses cyber threats to internal HHS systems as well as those affecting the HPH Sector at large. HHS exercised the CONOPS in 2013 as part of the Cracked Domain functional exercise sponsored by the NCCIC. Under the exercise, HHS coordinated communication on a cyber threat internally within the Department, with the NCCIC, and with a group of state and private sector partners who were participating in the exercise.

HHS also participates in CyberRx, a series of industry-wide exercises to simulate cyber-attacks on healthcare organizations in order to evaluate the industry’s response and threat preparedness against attacks and attempts to disrupt U.S. healthcare industry operations. These exercises are conducted in partnership with HITRUST, HHS, and healthcare industry organizations. The exercises examine both broad and segment-specific scenarios targeting information systems, medical devices and other essential technology resources of the HPH Sector. CyberRX findings are analyzed and used to identify areas for improvement in Cyber Threat Intelligence and Incident Coordination; with security and incident response programs; and in information sharing between healthcare organizations, healthcare cybersecurity sharing organizations, and government agencies.