close
close

Mondor Festival

News with a Local Lens

HHS ASPR serves as “quarterback” for cyber response and resilience
minsta

HHS ASPR serves as “quarterback” for cyber response and resilience

As the threat of cyberattacks against public and private sector healthcare organizations continues to increase, the Department of Health and Human Services is helping.

As the healthcare cybersecurity risk management agency, HHS has over the last year refined its cyber tools and how it coordinates across government and with the private sector.

Brian Mazanec, deputy director of the Administration’s Office of Readiness for Strategic Preparedness and Response at HHS, said the agency is strengthening its cyber protections.

Brian Mazanec is deputy director of the Office of Administration Readiness for Strategic Preparedness and Response at the Department of Health and Human Services.

“Just over a year ago, this coordination was happening, but not as easily as it should have been. We have taken some steps and now have a Public Health Unit, Captain or Officer 06, permanently embedded within the National Cyber ​​Investigative Joint Task Force, led by the FBI. We have an ASPR person from HHS embedded full-time with FBI agents and other law enforcement who work in this task force and who actually deal with very sensitive information and respond to cyber incidents in the security sector on a daily basis. health,” Mazanec said on Ask the CIO. “This is just another example of how we have truly strengthened and continue to grow our partnership with the FBI. We work with other health-focused entities like the Department of Veterans Affairs, the Defense Health Agency, certainly within HHS, with the Indian Health Service, and with the Centers for Medicaid and Medicare Services.

Of course, ASPR is also closely aligned with the Cybersecurity and Infrastructure Security Agency as the federal lead for sector coordinating agencies, as well as with the HHS Office of the Chief Information Officer and other security-related organizations. cybersecurity within the agency.

The Cyber ​​Attack Coordination Council’s efforts are becoming more important than ever as the number of cyber threats and attacks has skyrocketed. The Office of the Director of National Intelligence reported that in 2023 Healthcare organizations in the United States faced a 128% increase in ransomware attacks compared to the previous year. Global ransomware attacks against the healthcare sector have steadily increased and nearly doubled since 2022, reaching a total of 389 victims in 2023 compared to 214 in 2022.

Mazanec said ASPR’s role is to “control” cyber incident response capabilities by bringing together partners within the ministry, across government and the private sector.

This leadership effort builds on a four-pronged strategy, the ASPR, presented about a year ago.

Mazanec said that six-page document aims to develop a plan to address current and future gaps in the healthcare sector and ensure that HHS provides these hospitals and clinics with the support they need to reduce their risks and resist attacks.

The four pillars of the strategy focus on:

  • Establish voluntary cybersecurity performance targets for the healthcare sector
  • Provide resources to encourage and implement these cybersecurity practices
  • Implement an HHS-wide strategy to support better enforcement and greater accountability
  • Expanding and Maturing the HHS One-Stop Shop for Healthcare Cybersecurity

Mazanec said HHS has achieved most of the short-term goals aimed at establishing voluntary cyber performance goals.

“It was about the need to better guide the sector on high-impact cybersecurity practices to implement. If you are a small hospital CISO and are struggling to know where to start and have the National Institute of Standards and Technology Cybersecurity Framework, Cross-Industry Cybersecurity Performance Goals, and HIPPA , where to start? he said. “There was a lot of confusion. What is the true north of the area? What are the most impactful practices? The first pillar of the strategy was to develop healthcare-specific cybersecurity performance goals. We did that and released them in January.

HHS requested additional cyber funding

HHS detailed 10 essential objectives such as multi-factor authentication and basic incident planning and preparation. He also outlined 10 additional enhanced goals, such as asset inventory and network segmentation.

Mazanec said the other three pillars are a work in progress.

For the second pillar, HHS worked with the White House to add specific funding requests for the proposed fiscal year 2025 budget. These included a $1.3 billion request for a CMS-led program aimed at providing resources directly to the healthcare sector for cybersecurity.

“Another example specific to ASPR is the Hospital Readiness Program, which is an approximately $240 million program that provides this amount of funding to healthcare coalitions, primarily based at the state level, but some are also intended for large metropolitan areas, to help them. “Engaging in preparedness activities that are maybe not just cybersecurity specific, but really address a range of scenarios,” he said. “We were very intentional because of this strategy when we were preparing for the notice of funding opportunity for this hospital readiness program, which was launched a few months ago, and we just announced rewards, including the construction of a completely new cyber The beneficiaries will therefore now use these funds, among other things, to practice downtime procedures and, following a cyber incident within their coalition of healthcare, to conduct a risk assessment and gap analysis focused on healthcare-specific cybersecurity performance objectives.”

A one-stop shop under construction

As part of the third pillar around accountability, Mazanec said giving health organizations more money is a good thing, but they also need to be held accountable for using that money to take action to to secure their systems and data.

He said ASPR is looking across the department at what levers and capabilities could be applied more robustly.

“One example we’ve talked about publicly is an update from the Office for Civil Rights. HIPAA Security Rulewhich is in progress. This is an enforcement tool the department has to ensure that covered entities are taking appropriate steps to protect themselves from a cyber perspective,” Mazanec said. “We are also looking at other areas where we can push the sector from an accountability perspective. »

The fourth pillar, the creation of a one-stop shop within HHS, recently received a timely boost when the the agency helped answer to the Change Healthcare ransomware attack.

Mazanec said ASPR requested an additional $12 million as part of the 2025 request to begin building this one-stop shop capacity.

“It’s going to help both of us to have people who are sectoral ambassadors that they can reach out to and engage with in an education perspective across the country. They will highlight existing resources that we have developed, these best practices and conduct risk assessment activities. They also really help give us more incident response capabilities,” he said. “There will still be a lot of expertise in other parts of HHS like the FDA, for example, for medical device cybersecurity and some of the capabilities of OCIO on the technical side. We hope to continue to develop and exploit them. So it’s still a team effort across the department, but ASPR will play this enhanced one-stop-shop role.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located in the European Economic Area.