The Department of Health and Human Services' Office of Strategic Preparedness and Response is considered HHS's “one-stop shop” for addressing cyber issues facing the medical and public health sectors.
But Brian Mazanec, deputy director of ASPR's Readiness Center, said that doesn't mean his organization handles all of HHS' healthcare cybersecurity issues.
“This simply means we have a leading role in terms of really integrating all the tools and resources that this department provides specifically to help with cybersecurity and cyber hazards,” Mazanec said in a recent interview, adding that this means he is playing the role of quarterback. “Unfortunately, there is a lot of work to be done as the frequency, sophistication of threats, and the elements of the field under attack continue to increase.”
According to the FBI's Internet Crime Complaint Center, the healthcare sector is the top target for ransomware attacks. The ransomware attack on payment provider Change Healthcare in February disrupted operations across the healthcare sector, shining a spotlight on the sector's cyber vulnerabilities and fueling calls for reform.
But even before the Change Healthcare ransomware attack, HHS had already laid out plans to expand ASPR and its role as the healthcare sector's “sector risk management agency.”
ASPR subsequently established a cybersecurity division within the Critical Infrastructure Protection Agency. Mazanec said this division is now the focus of ASPR's cyber work. The department has hired “the first batch” of federal employees for it, he said.
Mazanec said one of the cyber division's core responsibilities is incident response. For example, if a large hospital were to suffer a cyberattack, ASPR's team would work with the FBI and the Cybersecurity and Infrastructure Security Agency to respond and provide support.
Mazanec said ASPR will help hospitals address how to deal with the fallout from cyber incidents, including the possibility of transferring patients to other facilities.
“We go into the field and figure out what the impact is on the patient, what systems are down, what is potentially helpful or can be monitored, and what are the implications for those patients? We are trying to understand what we can offer to take further steps to alleviate it again,” Mazanec said.
ASPR can also call on other parts of the organization, such as the HHS-sponsored Medical Reserve Corps, to help hospitals and other healthcare organizations recover from serious cyber incidents.
“These can be a good source of staffing support because when you go into a downtime procedure, you're often doing the kinds of things that are more manual intensive, like paper records,” said Mazanec. “As such, we are able to facilitate connectivity to local MRC departments. We may be able to assist you.”
ASPR also leverages grant funding to drive cybersecurity improvements for facilities funded under the Hospital Preparedness Program.
“With respect to the latest cooperation agreements and funding that we just distributed to the coalition a few weeks ago, we were very intentional about incorporating cyber into the funding opportunity notifications and into those cooperation agreements,” Mazanec said.
Mazanec said that in addition to hospitals, ASPR also focuses on third-party risks, such as the dangers posed by relying on large providers like Change Healthcare. He said ASPR is currently working on risk assessments for new sectors as part of a new national security memorandum on critical infrastructure.
“A big part of that is looking at systemic risk and third-party risk,” Mazanec said. “And the NSM also tells us to develop sector-specific plans based on that risk assessment. . . . So we're going to go, 'Okay, here's our risk posture.' How can we attack these critical entities, help them improve, and ensure the entire ecosystem is as secure and resilient as possible?”
Another important aspect of ASPR's cyber division is “communications and education,” Mazanec said. This includes internal communications across HHS, with organizations ranging from the Office of the Chief Information Officer to the Food and Drug Administration handling various aspects of healthcare cybersecurity.
But Mazanec said ASPR is also increasing its proactive outreach to the sector on cybersecurity issues. This includes encouraging adoption of HHS's voluntary cybersecurity performance goals announced in January.
HHS recently moved its public-private cybersecurity program, known as the “405(d) Program,” under the auspices of ASPR. The program had previously been housed in the Office of the Chief Information Officer.
The 405(d) program helps facilitate HHS' efforts with the Health Sector Coordinating Council, a major public-private organization working across the sector on cybersecurity issues.
“We are currently undergoing that reorganization and plan to take advantage of two different channels by merging parts that were very similar and both needed to use one larger microphone. This is a better way to reach and collaborate with the sector. I think these capabilities will be fully integrated and work better,” Mazanec said.
Healthcare Cyber Requirements
Meanwhile, HHS' Office for Civil Rights (OCR) is responsible for enforcing privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA).
However, HIPAA regulations have not been updated in over 10 years. As part of a cybersecurity concept paper released last December, HHS said it would work to incorporate cybersecurity performance goals into the HIPAA rule as a requirement.
As part of its 2025 budget request, HHS also laid out plans for a new Medicare incentive program that would encourage hospitals to implement baseline cyber protection starting in 2027. Starting in 2029, HHS will begin penalizing hospitals that fail to meet cyber standards.
Meanwhile, Congress is also introducing legislation that would establish new cyber requirements for the healthcare sector.
Although ASPR is not responsible for establishing cyber requirements, Mazanec said his organization is “part of the conversation” as the sector risk management agency.
“We are working as quickly as possible in a very complex ecosystem and situation with various authorities,” Mazanec said. “We are working with our colleagues on the Hill to discuss and consider additional new authorities that would make sense in this area.”
Copyright © 2024 Federal News Network. Unauthorized reproduction is prohibited. This website is not directed to users within the European Economic Area.