Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., are asking Health and Human Services Secretary Xavier Becerra for a briefing on what HHS is doing to help share cyber threat data with members of the healthcare and public health (HPH) sector – particularly in light of ramped-up ransomware attacks against the sector in recent years.
The senator and the House member – both of whom were members of the Cyberspace Solarium Commission that helped to shepherd major cybersecurity legislation through Congress over the past two years – requested the briefing in an August 11 letter to Becerra.
“We and our colleagues can only conduct effective oversight if we understand the challenges that your department and the HPH sector are facing,” the lawmakers said in requesting an unclassified threat briefing on cybersecurity risks to the sector.
The lawmakers wrote favorably about aspects of cybersecurity activity at HHS including prioritization by the Food and Drug Administration of medical device security, along with“the growing ability of the Department’s Critical Infrastructure Protection Division and the Health Sector Cybersecurity Coordination Center (HC3) to explain cyber threats through a sector-focused lens.”
“We remain concerned, however, about the lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the Department’s capabilities and resources,” Sen. King and Rep. Gallagher said. “With cyber threats growing exponentially, we must prioritize addressing the HPH sector’s cybersecurity gaps.”
In particular, the lawmakers said they hope the requested briefing covers the status of HHS efforts “to strengthen the department’s capabilities” as the designated sector risk management agency (SRMA), and to “operationalize collaboration with the organizations throughout the sector.”
They said they want the briefing to include:
- The current organizational structure and roles and responsibilities that HHS employs to support HPH cybersecurity and serve as the SRMA for the entire HPH;
- The current authorities HHS has to improve cybersecurity of the HPH sector as well as the gaps in those authorities and what more might be needed to ensure HHS has the authorities it needs;
- The resources – including personnel and budget – that HHS requires to serve as an effective sector risk management agency; and
- The interagency coordination structures, successes, and challenges utilized to support HHS’s efforts and HPH cybersecurity efforts.