Policy Analysis – Who does what (pt. 2)
This week we will wrap up our review of different federal agencies with a cybersecurity mission. Last week we looked at how DHS and FBI work to protect and support U.S. interests in the face of cyber-threats. Today we will look at HHS’s role as well as the other agencies that contribute legal authorities and cyber-capabilities to the U.S. government’s “defensive” cyber-mission. We will also do a quick overview of the agencies responsible for the government’s “offensive” activities in cyber-space and give you a sense of the doctrine that helps determine how it is applied.
HHS has three cybersecurity missions that have been authorized and funded by Congress – defend its own networks and data; support the health care sector; develop and enforce regulations. The new Health Cybersecurity and Communications Integration Center (HCCIC) has a role to play in executing responsibilities in line with all three mission areas. As we described in a previous edition of the newsletter, the HCCIC will serve to integrate SOC functions across the different HHS bureaus, lend health-sector-specific expertise to threat intelligence analysis at the six cyber centers (specifically the NCCIC), and inform the long-term development of regulatory policy to reflect the nature of the cyber threat against the healthcare sector.
Planning for public health emergencies is conducted within HHS by the Assistant Secretary for Preparedness and Response (ASPR), who is also responsible for carrying out the role of “sector-specific agency.” The role of a sector-specific agency (created under PPD-21) is to support the resiliency of the health care sector from within the federal government. This includes lending sector-relevant expertise to other agencies around the government, such as DHS, the FBI, or the intelligence community, as well as serving as an interface between the government and private sector personnel during both steady-state operations and incident response.
HHS’s regulatory authorities sit within a few different offices – the Office for Civil Rights (OCR) and the Food and Drug Administration (FDA), as well as the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS). Congress gave OCR the authority to implement and enforce HIPAA, which sets expectations for how health organizations protect patient information. FDA sets the regulations with which medical devices must comply and has issued both pre- and post-market guidance on the cybersecurity of medical devices. ONC and CMS are not regulators in the traditional sense, but both oversee federal subsidy programs and set “regulatory” requirements that health care organizations must meet in order to receive benefits. ONC (for “Meaningful Use”) and CMS (for Medicare/Medicaid) both expect participants to appropriately manage cyber risks.
As a reminder, this is the public version of the Hacking Healthcare newsletter. For additional in-depth analysis and opinion on responding to a cyber breach, become a member of H-ISAC.