4 Reasons Every Hospital Should Know About HHS’ HCCIC
The HCCIC could guide hospitals and the healthcare industry as a whole into an improved cybersecurity landscape.
In May, HHS officials announced the creation of the Health Cybersecurity and Communications Integration Center (HCCIC) to little fanfare. The HCCIC is a healthcare-focused spinoff of DHS’s National Cybersecurity and Communications Integration Center (NCCIC), which aims to bring the private and public sectors together to improve the cybersecurity of the country’s critical infrastructure.
The HCCIC’s goal is to analyze the overwhelming amount of information available on healthcare cybersecurity and “deliver best practices and the two or three things that a small provider, a small office, a doc in a box, can do to protect his patient’s privacy and information security around [security and privacy] systems,” HHS Chief Information Security Officer Chris Wlaschin said during the announcement.
In a recent analysis by the cybersecurity think tank the Institute for Critical Infrastructure Technology, Senior Fellow James Scott argued the HCCIC’s operations are essential to improving cybersecurity in the sector.
In the report, titled HHS’ HCCIC Takes A Quantum Leap Forward To Secure The Health Sector, Scott praised government officials for “working with the industry to introduce organizational cybersecurity resiliency to the healthcare industry and move organizations away from self-regulating, checkbox-driven security standards which provide little more than security theatre.”
However, there has also been opposition to the formation of HCCIC by critics who say it is redundant and could confuse federal efforts to improve the cybersecurity of our nation’s critical infrastructure.
Here are four reasons hospitals should take notice of the HCCIC and participate in its information sharing efforts.
1. A Healthcare Industry In Turmoil
The HCCIC has a long and difficult road ahead of it. The decision to create the HCCIC comes at a time when studies show data breaches in the healthcare industry are rising. Everyone is aware of the WannaCry malware attack on hospitals earlier this year, which paralyzed many hospital networks in the UK and has sparked a reexamination of cybersecurity standards in the country’s healthcare system, the National Health Service (NHS).
But how would U.S. hospitals have stood up to the attack if they were the primary targets?
The Ponemon Institute’s annual study on healthcare data security found that data breaches are costing the U.S. healthcare industry $6.2 billion, with criminal attacks accounting for half of all data breaches in 2016.
These attacks are affecting nearly every facility. The Ponemon Institute’s study shows that 89 percent of healthcare organizations and 60 percent of business associates have experienced data breaches over the past two years.
Campus Safety has reported on numerous cyberattacks that have implications for hospitals around the country, including the rising prevalence of ransomware attacks. The attacks show hackers view the industry as vulnerable, and the success of some of these ransomware attacks only encourages them even more.
Indeed, Scott described the healthcare industry as “low hanging fruit” for anyone with a computer and nefarious intent.
2. Cybersecurity Collaboration Goes A Long Way
In every industry, information sharing improves individual institutions’ ability to safeguard their campus by exposing officials to alternative policies and procedures. This is especially true when it comes to cybersecurity because of the wide-ranging nature of the threats, the diversity of the attackers and the increasing sophistication they use in ever-changing attacks.
For hospitals, sharing details of threats in a quick, standardized way can help officials prepare for the full scope of attacks possible. In other words, it’s easier to learn from someone else’s experience than it is to learn from your own.
Small and medium-sized healthcare entities, working with fewer resources, stand to gain a lot from learning about the methods of their peers and opening more information pathways compared with what the NCCIC has given them, Scott argued.
“Many of the targeted organizations are small and medium-sized businesses that remain underserved because they lack the resources to initiate meaningful dialogue with the NCCIC and their insignificance forgoes continuous attention from DHS,” Scott said.
Further, one of HCCIC’s stated goals is to provide “real-time communications among incident response teams and threat analysts.” This is something HHS currently lacks, but it could play a critical role in dealing with attacks that target multiple institutions simultaneously or within a short timeframe.
Similar public-private partnerships, like the FBI’s InfraGard, have shown that collaborative efforts can go a long way.
3. HCCIC Can Help With HIPAA Compliance
If pulling best practices from industry experts to prevent data breaches isn’t enough of an incentive to pay attention to the HCCIC, consider that the HHS’ OCR has urged healthcare facilities to use collaboration projects related to HCCIC for HIPAA compliance in the past.
HCCIC is seen by the government in part as an extension of the US Computer Emergency Readiness Team (US-CERT), which the OCR described in a newsletter earlier this year as being “in a unique position to inform covered entities and business associates about their cybersecurity efforts.”
OCR went on to encourage HIPAA-covered entities to share the details of cybersecurity incidents, vulnerabilities and defense measures with US-CERT, and then use US-CERT’s reports as part of their Security Management Process (HIPAA 45 CFR § 164.308(a)(1)).
4. HCCIC Needs Healthcare Industry Buy-In
Central to the HCCIC’s functioning is the participation of healthcare entities and players in the private sector. Without enough of that participation, the HCCIC is merely paying lip service to the idea of information sharing and collaboration and is unlikely to help the industry make any progress.
The HHS has provided grants to the National Health Information Sharing and Analysis Center to encourage broad participation in the HCCIC. The stated intention of the grants is to attract healthcare providers of all sizes, their business associates and the companies making cybersecurity solutions.
“HHS is already at the forefront of healthcare cybersecurity, and its role as intermediary with the NCCIC through the HCCIC is an optimal and efficient solution to decreasing the vulnerability and exploitability of a siloed sector that has been too long starved for objective sector-specific attention and assistance,” Scott said.
The numbers show healthcare facilities need help when it comes to cybersecurity. Will they take it?