Why an HHS cyber center could confuse federal efforts

The Department of Health and Human Services announcement that it will establish a cybersecurity collaboration and education center for the health care industry could add to the private sector's bewilderment over the federal government's tangle of cybersecurity rules and regulations.

"I'm concerned about the HHS effort," said Sen. Claire McCaskill, (D-Mo.), ranking member of the Senate Homeland Security and Governmental Affairs Committee at a June 21 hearing that looked at the wave of federal cybersecurity regulations and compliance requirements faced by private industry.

Testimony from industry sector experts at the hearing focused on how to reduce and harmonize what they see as an uncoordinated, mostly headless federal effort to increase cybersecurity in the private sector.

In April at an ACT-IAC mobile heath IT conference, HHS CIO Chris Wlaschin said his agency was standing up a Health Cybersecurity and Communications Integration Center to help the health industry deal with cybersecurity issues.

HHS CIO Beth Killoran said at a conference on June 20 that her agency faces hundreds of millions of hacking attempts every week and that health data is becoming extremely valuable to hackers. The agency, she said, is searching for ways to increase secure sharing of the massive amount of sensitive information her department houses.

The HCCIC is a health industry-centered version of the Department of Homeland Security's National Cybersecurity and Communications Integration Center that shares threat indicators with the private sector to mitigate broad cyberthreats across the private sector, McCaskill said.

McCaskill and Committee Chairman Sen. Ron Johnson (R-Wis.) convened the hearing to discuss the growing federal murk in overseeing cybersecurity regulations across several sectors. The addition of the HCCIC threatens to make that situation worse, McCaskill said.

The problem of cybersecurity regulation is growing, according to the private industry representatives testifying at the hearing.

"Since the publication of the National Institute of Science and Technology's  Cybersecurity Framework in 2014 … we have tracked the issuance of nearly 30 new or proposed cybersecurity rules, guidelines, tools or frameworks that directly affect firms," said Christopher Feeney, president of the BITS/Financial Services Roundtable that represents the financial services industry.

"While regulators may have different statutory authorities and areas of specific focus, much of the information they seek from firms is common,' he said.

He testified that one financial services executive told him that he spends 40 percent of his time reconciling the various requirements of regulatory agencies, which delayed implementation of a security monitoring system after an attack for months.

McCaskill questioned whether the HCCIC would facilitate threat sharing, as the NCCIC does and whether companies had "safe harbor" liability protection in sharing threat information through the HCCIC. The Cybersecurity Act of 2015 extended that protection to companies sharing threat information with NCCIC.

In testimony at the hearing, Daniel Nutkis, founder and CEO of the Health Information Trust Alliance, said that the HHS plans came as something of a surprise to him and that the agency hadn't sought any input from his organization on the effort. "I found out about it through the media … not long ago."

He told lawmakers it is unclear whether the HCCIC will anonymize threat indicators if they're shared, as the NCCIC does. Anonymization of threat indicator data was a key to getting the NCCIC off the ground because companies were concerned about being tied to the indicators when they were shared. He also wondered how the effort would affect DHS' effort to help establish Information Sharing and Analysis Organizations among interested groups.

Johnson and McCaskill planned to send a letter to the White House asking that a federal CIO be appointed to help deconflict the confusing cybersecurity regulation compliance picture.