HHS will soon launch its own version of the National Cybersecurity and Communications Integration Center to improve healthcare cybersecurity measures.Source: Thinkstock
May 10, 2017 - HHS plans to create its own version of the National Cybersecurity and Communications Integration Center (NCCIC) in an effort to create stronger healthcare cybersecurity, according to a Federal News Radio report.
HHS Chief Information Security Officer Christopher Wlaschin explained at the 2017 ACT-IAC Mobile Health Forum that the Health Cybersecurity and Communications Integration Center (HCCIC) should reach initial operating capability around the end of June.
There is lots of “noise” around healthcare cybersecurity, Wlaschin said. HHS will provide grants to the National Health Information Sharing and Analysis Center (NH-ISAC) to encourage a broad participation in an effort to reduce that noise.
Healthcare needs to analyze the privacy and security threats and then deliver best practices, including to smaller providers, he added. HCCIC will also be a collaborative partnership, and a good opportunity to work with mobile app developers to ensure that patient data remains secure on numerous platforms.
“A patient doesn’t want to sign … a long electronic consent form, especially when they’re in crisis,” Wlaschin said at the forum. “They want access to healthcare. The services, the apps, the systems we design and approve, should deliver that.”
The NCCIC is part of the Department of Homeland Security (DHS), and is described as a “a 24x7 cyber situational awareness, incident response, and management center.”
“The NCCIC shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations,” the DHS website reads. “Cyber and industrial control systems users can subscribe to information products, feeds, and services at no cost.”
While HCCIC could greatly benefit the healthcare industry, HHS should also take note of areas in which the NCCIC was found it could improve upon.
A February 2017 Government Accountability Office (GAO) report found that DHS took important steps to improve its cybersecurity but that there were still factors impeding its efficiency and effectiveness.
For example, the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015 require NCCIC to perform 11 cybersecurity-related functions. This includes sharing information and enabling real-time actions to address cybersecurity risks and incidents at federal and non-federal entities.
GAO explained that those functions must adhere to nine implementing principles but that NCCIC has not yet determined how those principles apply to all 11 functions. Several instances were also identified where cybersecurity functions were not performed in accordance with the principles.
“Until NCCIC takes steps to overcome these impediments, it may not be able to efficiently perform its cybersecurity functions and assist federal and nonfederal entities in identifying cyber-based threats, mitigating vulnerabilities, and managing cyber risks,” the report stated.
The United States Computer Emergency Readiness Team (US-CERT) is also one of the four branches under NCCIC. US-CERT has previously been hailed by OCR as a key way for healthcare to improve its cybersecurity measures. The government, private sector, and international network defense communities must have stronger collaboration and information sharing to fight against evolving threats, OCR said in its February 2017 cybersecurity newsletter.
“US-CERT is in a unique position to inform covered entities and business associates about their cybersecurity efforts as well as benefit from information sharing when a covered entity or business associate experiences a cybersecurity incident,” OCR stated. “Covered entities should report to USCERT any suspicious activity, including cybersecurity incidents, cyber threat indicators and defensive measures, phishing incidents, malware, and software vulnerabilities.”
Furthermore, covered entities and business associates should monitor the US-CERT website for any cybersecurity reports or vulnerabilities. “Covered entities and business associates can leverage this information as part of their Security Management Process 1 under HIPAA (see 45 CFR § 164.308(a)(1)) to help ensure the confidentiality, integrity and availability of electronic protected health information,” OCR noted.