The Department of Health and Human Services has spent the past year and more addressing internal debate about the role of its Health Cybersecurity and Communications Integration Center, or HCCIC, in helping the healthcare sector deal with cyberthreats.
The agency announced Oct. 30 that it had officially opened the Health Sector Cybersecurity Coordination Center, or HC3, which an HHS spokesperson confirmed to Federal Times was a renamed version of the HCCIC.
“HHS is proud to work with the health community to better protect Americans’ health data and confidential information,” HHS Deputy Secretary Eric Hargan said in a news release.
“Today’s announcement is a recognition of the importance we place on stakeholder engagement as part of our cybersecurity work.”
The HC3 will serve as a coordinator and information sharing hub for the healthcare and public health sector by providing intelligence on security threats, spreading best practices and fostering collaboration within the HPH cybersecurity community, according to the spokesperson.
“We believe that when a risk is shared across sectors, the only way to manage that risk successfully is to manage it collectively,” said Jeanette Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, in the news release.
“We know that the majority of the cybersecurity attacks that occurred over the past year could have been prevented with quality and timely information — and the heightened importance of sharing information cannot be stressed enough. The HC3 is a vital capability for the early detection and coordination of information between the private sector and the federal government, and with cyber professionals across the federal government.”
The HHS spokesperson confirmed that the HC3 would be located within the Office of the Chief Information Officer at HHS.
Who has authority over the HHS cyber center has been a subject of contentious debate at the agency, and many officials who originally led the development of the HCCIC have since either left the agency or been moved to other assignments.
At one point, stakeholders informed the House Energy and Commerce Committee that “they no longer understand whether the HCCIC still exists, who is running it or what capabilities and responsibilities it has,” according to a June 2018 letter the committee sent to HHS.
“Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’s efforts to address the HCCIC’s status.”
The debate stemmed primarily over whether the HCCIC, now HC3, should rest under the assistant secretary for preparedness and response, which has external-facing authority, or the OCIO, which only has internal authorities.
Proponents of the ASPR model said that the cyber center’s need to coordinate incident response with the healthcare sector mandated that it needed an external function, while supporters of the OCIO model worried that the HCCIC could end up duplicating the work of the DHS National Cybersecurity and Communications Integration Center.
According to the news release “the HC3’s role is to work with the sector, including practitioners, organizations and cybersecurity information sharing organizations to understand the threats it faces, learn the bad guys’ patterns and trends and provide information and approaches on how the sector can better defend itself.”