Citing the WannaCry ransomware attacks, members of the House Energy and Commerce Committee brought up concerns with Health and Human Services (HHS) officials on June 8 that a similar attack could cause severe damage to U.S. health systems.
“The WannaCry ransomware attack demonstrated that cyberattacks have real-world consequences that place patients at risk,” said Rep. Frank Pallone, D-N.J.
In particular, the committee members expressed concern over how WannaCry affected the United Kingdom’s National Health Service, and how a future attack might similarly cripple U.S. systems.
“Portions of the National Health system in the U.K. had to turn away patients except for emergency care after vulnerable systems fell victim,” said Greg Walden, R-Ore.
However, according to the HHS officials, cybersecurity recommendations made recently by the Health Care Industry Cybersecurity Task Force address many of the concerns brought up by the ransomware attacks.
“When you look at the recommendations that came out of WannaCry, the action items that came out of WannaCry, they clearly line up with the task force recommendations of focusing on those best practices, how do we roll these out, making sure we have good cyber hygiene on our computers,” said Emery Csulak, CISO and senior privacy official at the Centers for Medicare and Medicaid Services and co-chair of the Health Care Industry Cybersecurity Task Force.
Leo Scanlon, deputy CISO at HHS, said that WannaCry also gave his agency the opportunity to work on communications between the private sector and his agency.
“We point to the WannaCry event, where, during the course of that, we at the [Health Services Advisory Committee] were able to produce what we call the ‘one-pagers,’ the 101’s, to begin to answer questions from the small organizations that were on the phone,” said Scanlon.
To further communications efforts, HHS recently stood up the Health Cybersecurity and Communications Integration Center (HCCIC), a version of the National Cybersecurity and Communications Integration Center (NCCIC).
“The HCCIC’s function is to start to provide a communication channel from the sector, especially the small or medium-size organizations that don’t necessarily know about NCCIC,” said Scanlon.
“Public-private partnerships are essential, and we can’t just stand them up during emergencies,” said Steve Curren, director of the Division of Resilience in the Office of Emergency Management and Office of the Assistant Secretary for Preparedness and Response at HHS.