Landscape of Government Agencies
In the United States, there are numerous government healthcare agencies at the federal, state, local, tribal, and territorial levels that either comply with, or enforce, cybersecurity policy and guidelines.
Their cybersecurity roles fall into several broad categories:
- Securing Healthcare Delivery: To ensure the cybersecurity of healthcare delivery, organizations such as the Veterans Administration/Veterans Health Agency (VA/VHA), Department of Defense/Defense Health Agency (DOD/DHA), and Health and Human Services/Indian Health Services (HHS/IHS) and National Institutes of Health (HHS/NIH) depend on their parent departments to provide centralized cybersecurity policy and administration.
- Securing Healthcare Critical Infrastructure: Cybersecurity advice to the health sector is provided through HHS Health Sector Cybersecurity Coordination Center (HHS/HC3), and the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency (DHS/CISA).
- Cybersecurity Preparedness and Response: HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) leads the nation’s medical and public health preparedness for, response to, and recovery from disasters and public health emergencies, including cybersecurity events.
- Law Enforcement and Intelligence Sharing: The FBI tracks ransomware actors, provides cybersecurity alerts, and investigates incidents. DHS/CISA also participates in threat intelligence sharing.
- Privacy of Health Information: The privacy of health information is regulated by the HHS Office for Civil Rights (HHS/OCR). Health information privacy is protected under HIPAA.
Below is a short list of relevant federal agencies, and their primary cybersecurity roles and responsibilities.
Enhances the health and well-being of all Americans, by providing effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health, and social services. HHS’s cybersecurity policy administration is coordinated by the Office of the CIO and each agency has its own CISO.
Health Sector Cybersecurity Coordination Center (HC3)
HC3 was created by the Department of Health and Human Services to aid in the protection of vital, healthcare-related controlled information and ensure that cybersecurity information sharing is coordinated across the Health and Public Health Sector (HPH).
Office of the Chief Information Officer
As the leading collaboration center of the Office of the Chief Information Officer/Office of Information Security, the 405(d) Aligning Health Care Industry Security Approaches Program is focused on providing the HPH sector with useful and impactful resources, products, and tools that help raise awareness and provide vetted cybersecurity practices, which drive behavioral change and move towards consistency in mitigating the most relevant cybersecurity threats to the sector. The core of the 405(d) program is it’s task group members. Convened by HHS in 2017, the 405(d) task group is comprised of over 230 + information security officers, medical professionals, privacy experts, and industry leaders. The task group members help drive all aspects of the 405(d) program, to include official program products, awareness campaigns, engagements, and outreach channels. The cornerstone publication under the program is Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. The 405(d) program has published helpful information specifically targeted at addressing the Ransomware threat, including a Have Your Heard Awareness Campaign, and a discussion of Ransomware Attack and Mitigation Practices as part of their Five Threats series.
Office of the Assistant Secretary for Preparedness and Response (ASPR)
ASPR leads the nation’s medical and public health preparedness for, response to, and recovery from disasters and public health emergencies. ASPR collaborates with hospitals, healthcare coalitions, biotech firms, community members, state, local, tribal, and territorial governments, and other partners across the country to improve readiness and response capabilities. The ASPR Technical Resources, Assistance Center, and Information Exchange (TRACIE) Healthcare System Cybersecurity: Readiness & Response Considerations resource can help healthcare facilities, particularly hospitals, and the systems they may be a part of, understand the roles and responsibilities of stakeholders before, during, and after a cyber incident. Information within this document is specifically related to the effects of a cyber incident on the healthcare operational environment, specifically the ability to effectively care for patients and maintain business practices and readiness during such an event. While the focus of this document is on disruptions associated with a large-scale cyberattack, many strategies and principles outlined are relevant to a range of cybersecurity incidents and healthcare facilities.
Center for Medicare and Medicaid Services (CMS)
CMS combines the oversight of the Medicare program, the federal portion of the Medicaid program and State Children’s Health Insurance Program, the Health Insurance Marketplace, and related quality assurance activities. Due to CMS’s oversight role, it needs to protect its assets and operations. Thus, CMS has an extensive cybersecurity policy that is managed by its CISO Office. CMS leverages the CMS Cybersecurity Integration Center (CCIC) as the central hub for network monitoring, information sharing, and incident response. The CCIC Incident Management Team (IMT) is responsible for notifying the Center for Medicare and Medicaid Enterprise Security Operation Center (CMS SOC), the Marketplace SOC, and the Health and Human Services Computer Security Incident Response Center (HHS CSIRC) of all security events and incidents.
FOOD AND DRUG ADMINISTRATION (FDA)
The Food and Drug Administration is responsible for protecting the public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices. The FDA’s Center for Devices and Radiological Health works closely with several federal government agencies including the U.S. Department of Homeland Security (DHS), members of the private sector, medical device manufacturers, healthcare delivery organizations, security researchers, and end users to increase the security of the U.S. critical cyber infrastructure. Cybersecurity of medical devices falls under FDA’s regulatory purview. FDA provides medical device security and cybersecurity guidance.
Indian Health Service (IHS)
IHS provides American Indians and Alaska Natives with comprehensive health services by developing and managing programs to meet their health needs. The IHS establishes agency-wide information security policies based on HHS security and privacy policies.
Office of the National Coordinator for Health Information Technology (ONC)
ONC provides counsel for the development and implementation of a national health information technology framework. It provides guidance for the privacy and security of health IT including Electronic Health Information.
Office for Civil Rights (OCR)
OCR is responsible for enforcing the HIPAA security, privacy and breach notification rules.
VA operates the largest integrated healthcare delivery system in America, the Veterans Health Administration (VHA). VA adopts a robust multifaceted enterprise cybersecurity strategy (governance, program management, and risk management; operations, telecommunications, and network security; security architecture; application and software design; privacy; access control, identification, and authentication; cybersecurity training and human capital; and medical cyber) to ensure the security and resiliency of its IT infrastructure.
Defense Health Agency (DHA)
A joint, integrated Combat Support Agency that enables the Army, Navy, and Air Force medical services to provide a medically ready force and ready medical force to Combatant Commands in both peacetime and wartime. It is part of the broader Military Health System (MHS). The DHA cybersecurity division establishes and maintains the DHA Cybersecurity Program, which governs all IT under the authority, direction, and control of the Director, DHA, consistent with DoD cybersecurity policy, while balancing risk tolerance against mission objectives.
Cybersecurity & Infrastructure Security Agency (CISA)
The nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. CISA provides cybersecurity tools, incident response services, and assessment capabilities to safeguard essential operations of partner departments and agencies, such as CISA ransomware resources. CISA also provides cybersecurity services to our nation’s critical infrastructure including the Health sector.
National Institute of Standards and Technology (NIST)
Promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST operates the National Cybersecurity Center of Excellence (NCCoE), which provides a range of technical advice for the healthcare sector, including detailed practice guides for ransomware.
Federal Bureau of Investigation (FBI)
National security organization with both intelligence and law enforcement responsibilities. The FBI provides cybersecurity bulletins including ransomware and performs criminal investigations.