HHS targeting outdated regs in wake of damning cybersecurity report, WannaCry
Leveraging the Department of Health and Human Services Cybersecurity Task Force report released June 2, HHS, the Centers for Medicare and Medicaid Services and the Office of the Assistant Secretary for Preparedness and Response are assessing what they can do to improve cybersecurity.
Regulations top the agencies’ list of concerns, because current guidelines no longer match the changing threat landscape.
“The threat has changed, the problem has changed,” HHS Deputy Chief Information Security Officer Leo Scanlon said at Thursday’s House Energy and Commerce Committee hearing. “There are matters that need to be brought to light… Organizations are now being attacked on a level they aren’t capable of handling on their own.”
“The regulations in place weren’t designed for current threats… Regulatory mechanisms are fundamentally challenged by threat actors who work at machine speed,” said Scanlon. “But it’s hard to avoid the place where we’re victimizing the victim.”
HHS is attempting to shift from compliance to risk identification, and hopes the report will provide insight into where regulations are impeding organizations from improving cybersecurity.
CMS CISO, Senior Privacy Official and Task Force Co-Chair Emery Csulak said that harmonizing regulation is both a key piece of that effort and one of its challenges. HHS is looking at the potential negative impact of current regulations -- like its Office of Civil Rights ‘Wall of Shame’ -- that “punish people for doing the right thing.”
HHS also plans to appoint a senior advisor for cybersecurity who will collaborate with the private sector, NIST and the Department of Homeland Security to develop voluntary guidelines, chair the cybersecurity research group and act as a one-stop point of access for HHS cybersecurity.
Although the U.S. wasn’t a major victim of the WannaCry ransomware campaign, Congress and HHS are analyzing data from the attack to determine what improvements the government and HHS can make to their best practices to prevent a similar impact in the U.S. in the future.
“Frankly, we were largely spared from the infection that crippled the U.K.’s health system. But this incident was an important test,” said Rep. Tim Murphy, R-Pennsylvania.
Murphy said HHS was vital to the U.S. response in the wake of WannaCry, disseminating information to the applicable organizations to help prevent the spread.
“HHS must remain vigilant: WannaCry may have been the first major attack, but it won’t be the last,” Murphy said. “HHS has the opportunity to set the tone. This is no longer about protecting patient data, but about patient safety… I shudder to think what would happen if the attack happened here.”
Even worse, Scanlon thinks the U.S. was just plain lucky that it wasn’t affected as much as other countries.
“There’s a great deal of analysis to determine what happened and why,” explained Scanlon. “I don’t believe we were spared the spread: We were spared the impact.”
Weaknesses ranging from unpatched IoT devices to medical devices that were never designed to be connected to a network put the U.S. health system at risk. The WannaCry attacks also highlighted the need for better communication: Scanlon explained that it is difficult to reach all of the disparate systems without a single communication channel.
Further, while other sectors can modify and patch systems without a great deal of difficulty, Scanlon said that can’t be done in a health system where the risks to patient safety are unknown.
“Over the years, nothing has challenged healthcare more than cybersecurity,” said Steve Curren, Director of the Division of Resilience in the Office of Emergency Management at the HHS Office of the Assistant Secretary for Preparedness and Response.
These attacks lock down access to life-saving information and to communication between staff. The wave of healthcare breaches has compromised the personal data of millions of individuals, said Curren. “The risk of the attacks to healthcare is confidence in the healthcare sector in general… We need to rely on these technologies, but they need to be safe.”