A Bureaucratic Mess Leads to Shutdown of HHS Cybersecurity Center

The Health and Human Services' new cyber center has featured at the center of reporting structure and personnel disagreements. 

In May 2017, the Department of Health and Human Services decided to stand up its own version of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center in order to address the increasing cybersecurity risks to the health care sector. But creating the Health Cybersecurity and Communications Integration Center, or HCCIC, was the easy part. Soon after, the newfound center landed in the spotlight, sparking agency and industry drama about the role and scope of HHS authorities in information sharing.

Leo Scanlon at a hearing examining the role of HHS in healthcare cybersecurity, on June 8, 2017. Credit-Energy & Commerce CommitteeIn less than a year, the HCCIC saw some of its chief leaders and proponents either leave the agency or be placed on administrative leave, and oversight reverted from the deputy chief information security officer and into the agency’s Atlanta, Georgia-based Cybersecurity Operations Division. In December 2015, Congress passed the Cybersecurity Act of 2015, which called for greater cyberthreat preparedness and information sharing in HHS and the health care industry...

The timing proved profound. In May 2017, just as the HCCIC was first being stood up, the WannaCry ransomware cyberattack swept across many industries and portions of the public sector by exploiting a vulnerability in Windows systems. And while the health care industry in Europe was heavily impacted by the attack, the U.S. health sector remained comparatively secure. Many attributed this security to the newly founded HCCIC, which placed an industry representative in the HHS security operations center and held regular calls with industry during the attacks...