HHS has officially opened the Health Sector Cybersecurity Coordination Center five months after a bipartisan group of lawmakers took HHS to task over its stuttering attempts to coordinate cybersecurity information sharing.
Known as HC3, its role is to collect information on the threats faced by healthcare organizations, look for patterns in the data and use the resulting insights to help the industry protect itself.
HHS revealed it was “building a healthcare information collaboration and analysis” center in April 2017. The idea was to create a healthcare-focused version of the Department of Homeland Security’s (DHS) National Cybersecurity & Communications Integration Center.
HHS aimed to have the center, called HCCIC, operational and coordinating internal and external communications by June 2017.
However, one year after the targeted go-live date, the three people who set up HCCIC were no longer involved with the initiative, and it was unclear whether the center even existed.
“Stakeholders have informed our staffs that they no longer understand whether the HCCIC still exists, who is running it or what capabilities and responsibilities it has. Responses to committee requests to HHS for clarification on these questions remain vague at best,” a bipartisan group of lawmakers wrote in a June 2018 letter to HHS Secretary Alex Azar.
HHS has now officially opened a center that has a different name than HCCIC but appears to perform a similar function. The new center, HC3, will work with cybersecurity and healthcare organizations to understand the threats faced by the industry and share information about how to counter them. HC3 will report to DHS.
The role of HC3 in coordinating the sharing of information and advice between the government and industry maps onto the vision of what HCCIC was intended to achieve. That overlap is illustrated by a description of HCCIC’s claimed role during the May 2017 WannaCry attack, when a senior official at HHS said it supported “the sector by providing real time cyber situation awareness, best practices guidance and coordination.”
WannaCry was one of many high-profile attacks against the healthcare industry in 2017 and 2018. Over that period, the healthcare sector reported more than 400 major breaches, according to HHS. If HC3 had been operational, DHS thinks many of the attacks could have been prevented.
“We know that the majority of the cybersecurity attacks that occurred over the past year could have been prevented with quality and timely information, and the heightened importance of sharing information cannot be stressed enough,” Jeanette Manfra, assistant secretary for cybersecurity and communications at DHS, said in a statement.
The challenge now is to execute that strategy and improve HHS’ cybersecurity efforts after a period in which it has been blasted by lawmakers and embroiled in disputes with the people behind HCCIC.
It is unclear who will take charge of meeting that challenge. According to his LinkedIn profile, William Welch left HHS’ Healthcare Threat Operations Center this month to begin working as HC3 cyber engagement lead. No other LinkedIn profiles of HHS employees refer to HC3 or the Cybersecurity Coordination Center.