HHS Relaunches Cyber Organization to Assist Health Care Market

Published: November 08, 2018


In late October, HHS relaunched the former Healthcare Cybersecurity and Communications Integration Center (HCCIC) as the new Health Sector Cybersecurity Coordination Center (HC3) to assist the health care sector with cybersecurity efforts.

HHS launched HCCIC in June 2017 to serve as a health care information collaboration and analysis center, similar to the National Cybersecurity and Communications Integration Center (NCCIC) at DHS. However, the organization’s role led to confusion and mission overlap.  Additionally, the center suffered from multiple leadership changes and allegations of fraud and contracting improprieties.  

Numerous cybersecurity leadership changes plagued HHS and HCCIC over the past year. Deputy CISO Leo Scanlon and HCCIC Director Maggie Amato were reassigned in September 2017.  Amato has since resigned. Department CISO Chris Wlaschin stepped down in March 2018 and was replaced by Janet Vogel, previously the Deputy CIO at CMS.

In June 2018, a group of lawmakers wrote a joint letter to HHS Secretary Azar voicing concern over the department’s overall cyber capabilities and the status of HCCIC. Members of the House Energy and Commerce Committee and the Senate Committee on Health, Education, Labor and Pensions cited leadership changes as one of their top concerns. “HHS’s removal of senior HCCIC personnel has had undeniable impacts on HCCIC and HHS’s cybersecurity capabilities.”

The launch of the HC3 organization appears to be a response to lawmaker concerns and an effort to clarify its mission with the health sector and stakeholders. Unlike its predecessor, HC3 focuses on cybersecurity threats and vulnerabilities in the national health sector. It is not focused on internal cybersecurity, but instead on the external threat environment for the health industry. Vogel told Federal News Network the organization does, “however, take information collected by agency bureaus or by other federal partners and shares them with external stakeholders.”

According to a report by cybersecurity software company Protenus, there was an average of at least one health data breach per day throughout 2017. HHS and the media reported 477 health care breaches that affected more than 5.6 million patient records in 2017. HC3 aims to fill an industry need for accurate, useful cyber threat intelligence that the health care marketplace can use to combat this threat environment.

HHS is building on its experience with the WannaCry incident in 2017, according to Vogel. HHS learned through that experience that it could effectively link internal information with external communication to respond to national cyber incidents within the health industry. The experience also allowed the organization to put lessons learned into practice by improving outreach capabilities and operating procedures.  It has built beneficial relationships with the Health Information Sharing and Analysis Center (HISAC) and HITRUST.   

As HC3 builds and strengthens its resources and offerings, contractors may find opportunities to assist it with cybersecurity products and services, or to assist health sector organizations with their cybersecurity needs.