WASHINGTON, DC - Bipartisan and bicameral health care leaders today sent a letter to the Department of Health and Human Services (HHS) raising concerns about the department’s implementation of a portion of the Cybersecurity Information Sharing Act (CISA) of 2015. The leaders requested information regarding the “Cyber Threat Preparedness Report” (CTPR), as well as other important status updates.
The letter was signed by Energy and Commerce Committee Chairman Greg Walden (R-OR), Senate Health, Education, Labor, and Pensions Committee Chairman Lamar Alexander (R-TN), Energy and Commerce Committee Ranking Member Frank Pallone, Jr. (D-NJ), and Senate Health, Education, Labor, and Pensions Committee Ranking Member Patty Murray (D-WA).
“While the CTPR provided a high-level overview of the cybersecurity responsibilities of each HHS office and operating division, the report omitted or lacked sufficient detail on many outstanding issues,” wrote Walden, Pallone, Alexander, and Murray. “For example, HHS is both a regulator of the health care sector and the Sector Specific Agency (SSA) responsible for leading and providing guidance under the national critical infrastructure protection model. HHS must make clear how it plans to carry out this dual role and clearly communicate that plan to stakeholders, who must balance the need for support from HHS during cybersecurity incidents with the perceived risk that seeking support could lead to regulatory enforcement actions. The CTPR did not mention this dual role or provide any clarification as to when HHS will act as a regulator or an SSA and how it will transition from one role to the other.”
The bipartisan, bicameral leaders continued, “Similarly, the CTPR failed to document HHS’s policies and procedures for responding to cybersecurity concerns or incidents that implicate multiple HHS operating divisions or offices. For example, a cybersecurity incident may initially affect a health care provider’s electronic health records, requiring a response from the Office of Civil Rights or the Office of the National Coordinator. If such an incident also compromised medical devices, the Food and Drug Administration likely would need to respond as well. The CTPR did not provide additional details or clarification as to how HHS would handle such an incident, when it would be appropriate for one HHS operating division or office to share information with another, or how such sharing would occur. This policy gap creates confusion for stakeholders and complicates the already difficult task of responding to cybersecurity incidents.”
The leaders also cited the Healthcare Cybersecurity and Communications Integration Center (HCCIC), and its omission from the CTPR, as well as other items of concern.
The leaders detail some of those concerns, writing, “Stakeholders have informed our staffs that they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has. Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’s efforts to address the HCCIC’s status.”
This letter follows one year of sustained oversight by Energy and Commerce of HHS’s health care cybersecurity. Those efforts include hearings by #SubOversight, as well as a series of letters.