Policy Analysis on Info Sharing
We now have the HCCIC to add to the NCCIC on the list of relevant government acronyms in healthcare cybersecurity. Just how they work with one another remains to be seen, but let’s look at what we know so far.
First, the Health Cybersecurity and Communications Integration Center (HCCIC) has three stated goals:
- “Strengthen engagement across HHS Operating Divisions;
- Strengthen reporting and increase awareness of the health care cyber threats across the HHS enterprise; and,
- Enhance public-private partnerships through regular engagement and outreach.”
It is striking, given the press coverage and general sentiment in the sector, to see HHS position the HCCIC as being primarily responsible for internal security improvements. Given that positioning, it is unsurprising that the HCCIC has been headquartered under the HHS CISO’s office and not in an operating unit with a primarily external-facing mission. Location within the CISO’s office also makes a lot of sense from a technical perspective – HHS was one of the first agencies to connect with the Automated Indicator Sharing (AIS) system at DHS. The CISO’s office pursued AIS to bolster its own defenses and can utilize the AIS pipes to feed information into the HCCIC (and from the HCCIC back to DHS).
Much of the focus on government cybersecurity has been around adoption of shared services and migration to a more defensible technology stack. This focus is rightly placed, and the security (and efficiency!) burden of legacy systems is significant. But there is also a burden of legacy governance in government security programs. Staff and budget are disparate and suffer from a lack of consolidation and scale. It is difficult to align IT and security modernization efforts within departments and across government. Coordinating centers such as the HCCIC may offer some benefit in this regard.
HHS (and other agencies) should be encouraged to try innovative approaches to addressing their own security challenges. For the HCCIC (and other such initiatives) to be successful, it will need to be properly resourced. But the challenge of securing government systems is so significant that experimentation and action (above all else) should be encouraged.
Over the next couple of weeks, we will look at how the HCCIC might look to utilize its relative expertise and work with the NCCIC and H-ISAC to maximize value in support of the health care sector.
This is the public version of the Hacking Healthcare newsletter.